IPMI Matthew Garrett <matthew.garrett@nebula.com> - - PowerPoint PPT Presentation



slide-1
SLIDE 1

IPMI

Matthew Garrett <matthew.garrett@nebula.com>

slide-2
SLIDE 2

Intelligent Platform Management Interface

slide-3
SLIDE 3

Solves the biggest problem in server admin

slide-4
SLIDE 4

(How do you turn it off and turn it on again without having to leave your desk?)

slide-5
SLIDE 5

IPMI

  • Remote power control
  • Watchdog
  • Boot order
  • Serial over LAN
  • Sensor monitoring
  • Alarms
slide-6
SLIDE 6

Vendor differentiation

  • Remote console
  • Firmware configuration
  • Virtual CD device
slide-7
SLIDE 7

IPMI

  • Linux is near ubiquitous
  • Your network contains embedded Linux
slide-8
SLIDE 8

Your network contains embedded Linux

slide-9
SLIDE 9

Your network contains embedded Linux

slide-10
SLIDE 10

Your network contains embedded Linux

slide-11
SLIDE 11

Your network contains embedded Linux

slide-12
SLIDE 12

Your network contains embedded Linux

slide-13
SLIDE 13

IPMI wants to be free

  • Having a separate BMC network is difficult and expensive
  • So why not just steal packets from the host NIC?

slide-14
SLIDE 14

Security isn't great

  • Old software
  • Insecure software
  • Bad software
slide-15
SLIDE 15

Security isn't great

slide-16
SLIDE 16

Security isn't great

  • Authentication, encryption, attestation
  • Pick any number
slide-17
SLIDE 17

Security isn't great

  • Authentication, encryption, attestation
  • Pick any number
  • (including 0)
slide-18
SLIDE 18

Security isn't great

  • Spec requires that the BMC hand over the hashed password

slide-19
SLIDE 19

Security isn't great

  • Usernames may be hardcoded
slide-20
SLIDE 20

Best practices

  • Physically distinct network
  • Make sure they're all plugged in
  • Change default credentials
  • Change default usernames
  • Disable unused users
  • Disable cipher 0
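
An added example, not part of the talk or of the firmware_config project: a small Python audit that checks three of the practices above (cipher 0, default usernames, unused users) against saved `ipmitool lan print 1` and `ipmitool user list 1` output. The sample output is constructed, its column layout is an assumption about ipmitool's usual format, and `DEFAULT_NAMES` and the `expected` allow-list are hypothetical values to adapt per site.

```python
import re

# Constructed sample output; the layout of both commands is an assumption.
LAN_PRINT = """\
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
"""
USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            true    true       true       ADMINISTRATOR
3   bmc-ops          true    true       true       OPERATOR
4   oldvendor        true    true       true       ADMINISTRATOR
"""
DEFAULT_NAMES = {"admin", "root", "administrator"}  # assumed list, extend per vendor
USER_ROW = re.compile(
    r"^(\d+)\s+(.*?)\s*(true|false)\s+(true|false)\s+(true|false)\s+(.+?)\s*$")


def cipher0_enabled(lan_print):
    """True if cipher suite 0 has any privilege level assigned."""
    m = re.search(r"^Cipher Suite Priv Max\s*:\s*(\S+)", lan_print, re.M)
    if not m:
        raise ValueError("no 'Cipher Suite Priv Max' line found")
    # ipmitool convention: character position N is cipher suite N, 'X' = unused.
    return m.group(1)[0] != "X"


def audit_users(user_list, expected):
    """Return findings for accounts that can log in but are not expected."""
    findings = []
    for line in user_list.splitlines():
        m = USER_ROW.match(line)
        if not m or m.group(6) == "NO ACCESS":
            continue  # header line, or account with no channel access
        uid, name = int(m.group(1)), m.group(2)
        if name.lower() in DEFAULT_NAMES:
            findings.append((uid, name, "default username"))
        elif name not in expected:
            findings.append((uid, name, "unexpected enabled user"))
    return findings


def audit(lan_print, user_list, expected):
    """Combine the user findings with the cipher 0 check."""
    findings = audit_users(user_list, expected)
    if cipher0_enabled(lan_print):
        findings.append((None, "", "cipher 0 enabled"))
    return findings
```

Calling `audit(LAN_PRINT, USER_LIST, {"bmc-ops"})` on the constructed sample reports the default `ADMIN` account, the leftover `oldvendor` account and the enabled cipher 0.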
slide-21
SLIDE 21

Ponies

slide-22
SLIDE 22

Server deployment is tedious

  • Takes a long time to access firmware
  • Opportunity to make mistakes
  • Inconsistent configs = inconsistent performance
slide-23
SLIDE 23

More vendor differentiation

  • Vendor tools for config
  • Vendor APIs for config
  • Lock-in with vendor tooling
  • Annoying for heterogeneous networks
slide-24
SLIDE 24

Wouldn't abstraction be nice?

  • Spoiler:
slide-25
SLIDE 25

Wouldn't abstraction be nice?

  • Spoiler:

– (yes)

slide-26
SLIDE 26

python-firmware-config

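import firmware_config

# Connect to the server's management controller (vendor, address, username, password)
fw = firmware_config.create("cisco", "192.168.0.20", "admin", "admin")

# Read the current firmware options and request TPM support if it is not enabled
options = fw.get_options()
if options['TPMSupport']['current'] != "enabled":
    options['TPMSupport']['new'] = "enabled"

# Write the options back to the firmware
fw.set_fw_options(options)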

slide-27
SLIDE 27

Mostly vendor-neutral

  • API identical between vendors
  • Option names differ
  • Semantics may vary
slide-28
SLIDE 28

Currently supported vendors

  • Cisco
  • Dell
slide-29
SLIDE 29

Currently supported vendors

  • Cisco
  • Dell
  • (Your name here)
slide-30
SLIDE 30

Free software

  • Apache 2.0 license
  • http://github.com/nebula/firmware_config