So, most companies are not using anything but cipher suite 17, and having a default of 3 is very insecure.
Below is the simple change I need to make to default to 17 so the Lenovo servers I am working on have IPMI enabled. I think this should be a setting in the IPMI settings so we can pick the cipher suite we want to use.
How can I pass the correct cipher or update the default to 17? I will assume this is in the database stored in base64. I’ll take a look at it later tomorrow.
parser.add_argument(
"--ipmi-cipher-suite-id",
choices=("3", "8", "12", "17"),
default="3",
help="The IPMI cipher suite ID to use when connecting via ipmitool",
)
Hey @andydelhierro
The default value comes from src/provisioningserver/drivers/power/ipmi.py
make_setting_field(
"cipher_suite_id",
"Cipher Suite ID",
field_type="choice",
choices=IPMI_CIPHER_SUITE_ID_CHOICES,
# freeipmi-tools defaults to 3, not all IPMI BMCs support 17.
default="3",
),
If you want to update some existing values and for some reason don’t want to use API for this, you should check for power_parameters
under public.maasserver_bmc
table in maas
database.
{"power_user": "", "power_driver": "LAN_2_0", "power_address": "127.0.0.1", "power_off_mode": "hard", "cipher_suite_id": "3", "power_boot_type": "auto", "privilege_level": "OPERATOR", "workaround_flags": ["opensesspriv"]}
The update statement can be something like this (but we do not encourage changing database values directly):
update maasserver_bmc
set power_parameters = jsonb_set(power_parameters, '{cipher_suite_id}', '"17"'::jsonb, false);
@troyanov I would be more than willing to use the API to update it if that change sticks. I want the change to be permitted.
Hm, I might be missing something. How do you set your power parameters?
You can use CLI to update configuration:
maas admin machine update bsex3q power_parameters_cipher_suite_id=17
At what point it is not preserved and sets to default value?
So I tried this code you provided, but it did not work.
update maasserver_bmc
set power_parameters = jsonb_set(power_parameters, ‘{cipher_suite_id}’, ‘“17”’::jsonb, false);
I need a way to set all discoveries to be at 17.
So this works for machine bsex3q. I need this to work for all discovered machines on the very first boot up. Doing this more than 100 times after they are discovered is a pain. We just want IPMI to work from the first discovery.
Ah, I see what you mean. In that case maybe changing parameters
will help
select parameters from public.maasserver_script where name = '30-maas-01-bmc-config';
I didn’t check myself, but in theory replacing {input}
to "17"
should work
"maas_auto_ipmi_cipher_suite_id": {"max": 2, "type": "string", "argument_format": "--ipmi-cipher-suite-id={input}"