Post by AMI_shirleyh on Nov 12, 2019 5:18:36 GMT
In the Manager.v1_6_0 schema, the ServiceEnabled property is common for all the protocols, as given below in the schema. So either all the protocols should be enabled or disabled. If IPMI is enabled and SSH is also enabled but the SOLSSH service is not running, then we have a need to display it as Disabled, and there is a provision for that in our BMC WebUI. However, Redfish does not give that flexibility only for SSH under the SerialConsole protocol.
So either we can have SOLSSH as a separate protocol under ManagerNetworkProtocol, or we can have a subproperty under SSH as SOL with a reference to the Protocol property, as for the others (Telnet, SSH, IPMI, etc.).

    "SerialConsole": {
        "properties": {
            "ConnectTypesSupported": {
                "description": "This property enumerates the serial console connection types that the implementation allows.",
                "items": {
                    "$ref": "#/definitions/SerialConnectTypesSupported"
                },
                "longDescription": "This property shall contain an array of the enumerations. SSH shall be included if the Secure Shell (SSH) protocol is supported. Telnet shall be included if the Telnet protocol is supported. IPMI shall be included if the IPMI Serial Over LAN (SOL) protocol is supported.",
                "readonly": true,
                "type": "array"
            },
            "ServiceEnabled": {
                "description": "An indication of whether the service is enabled for this manager.",
                "longDescription": "This property shall indicate whether the protocol for the service is enabled.",
                "readonly": false,
                "type": "boolean"
            }
        },
        "type": "object"
    }

Please let me know your comments on the same.
Also, a common question here is: if any one of the protocols in ConnectTypesSupported in CommandShell, SerialConsole or GraphicalConsole is disabled, the ServiceEnabled property will still be true in case the user disables any one of the protocols through an interface other than Redfish. In this scenario the user can infer that if the ServiceEnabled property is true, any one of the protocols is enabled, but it need not be all of them. Why can't we have the ServiceEnabled property individually, like the ProtocolEnabled property in ManagerNetworkProtocol?
Post by josephreynolds1 on Nov 12, 2019 21:17:37 GMT
Post by jautor on Nov 14, 2019 5:46:31 GMT
> In the Manager.v1_6_0 schema, the ServiceEnabled property is common for all the protocols, as given below in the schema. So either all the protocols should be enabled or disabled. If IPMI is enabled and SSH is also enabled but the SOLSSH service is not running, then we have a need to display it as Disabled, and there is a provision for that in our BMC WebUI. However, Redfish does not give that flexibility only for SSH under the SerialConsole protocol. So either we can have SOLSSH as a separate protocol under ManagerNetworkProtocol, or we can have a subproperty under SSH as SOL with a reference to the Protocol property, as for the others (Telnet, SSH, IPMI, etc.).

Need some clarification on this question... Is this "SOLSSH" service an SSH-based serial console, or is it an IPMI-over-LAN "Serial-over-LAN" implementation? I can see the limitation if IPMI-SOL support can be enabled/disabled separately from the IPMI-over-LAN protocol. We can fix that by adding another property for "SerialOverLanEnabled" within the IPMI protocol object. But I need to verify that that addresses the issue.
Jeff
Post by jautor on Nov 14, 2019 5:50:26 GMT
> Also, a common question here is: if any one of the protocols in ConnectTypesSupported in CommandShell, SerialConsole or GraphicalConsole is disabled, the ServiceEnabled property will still be true in case the user disables any one of the protocols through an interface other than Redfish. In this scenario the user can infer that if the ServiceEnabled property is true, any one of the protocols is enabled, but it need not be all of them. Why can't we have the ServiceEnabled property individually, like the ProtocolEnabled property in ManagerNetworkProtocol?

ConnectTypesSupported was intended to show the capabilities of the Manager, but we do have some limitations here in fully describing the serial console support. We have an open issue to resolve to clearly describe the serial console uses, so we'll add this to the list of issues that need to be resolved with the enhanced support for these features in the Redfish schema.
Jeff
Post by josephreynolds1 on Nov 14, 2019 23:27:11 GMT
I cannot speak for the original poster, but I had taken SOLSSH to mean access to the host serial console via an SSH connection to the BMC. Apologies if it is not. Here is the situation for the OpenBMC implementation. Details excerpted from github.com/openbmc/docs/blob/master/security/network-security-considerations.md#tcp-port-2200:

> Access to the BMC's host serial console is provided via the SSH protocol on port 2200. This uses the same server implementation as port 22, including the same TLS mechanisms. How the host secures its console (for example, username and password prompts) is outside the scope of this document.

where the link to the [host serial console] documentation is github.com/openbmc/docs/blob/master/console.md. So the idea is that a network client can access the host system's serial console via an SSH session to the BMC (on port 2200). I think the Redfish ManagerNetworkProtocol should be enhanced to be able to enable and disable this interface.
Post by AMI_shirleyh on Nov 18, 2019 13:25:36 GMT
> > In the Manager.v1_6_0 schema, the ServiceEnabled property is common for all the protocols, as given below in the schema. So either all the protocols should be enabled or disabled. If IPMI is enabled and SSH is also enabled but the SOLSSH service is not running, then we have a need to display it as Disabled, and there is a provision for that in our BMC WebUI. However, Redfish does not give that flexibility only for SSH under the SerialConsole protocol. So either we can have SOLSSH as a separate protocol under ManagerNetworkProtocol, or we can have a subproperty under SSH as SOL with a reference to the Protocol property, as for the others (Telnet, SSH, IPMI, etc.).
>
> Need some clarification on this question... Is this "SOLSSH" service an SSH-based serial console, or is it an IPMI-over-LAN "Serial-over-LAN" implementation? I can see the limitation if IPMI-SOL support can be enabled/disabled separately from the IPMI-over-LAN protocol. We can fix that by adding another property for "SerialOverLanEnabled" within the IPMI protocol object. But I need to verify that that addresses the issue.
> Jeff

As Joseph has correctly pointed out, SOLSSH is the serial console over an SSH connection and not IPMI-SOL. IPMI inside SerialConsole points to IPMI-SOL, and we will need that also, in addition to SOL over SSH. So the order of enabling goes like this: only if IPMI is enabled, IPMI-SOL is enabled and SSH is enabled can SOL-SSH be enabled. But if all 3 (IPMI, IPMI-SOL and SSH) are enabled, SOL-SSH can still be disabled. Other combinations are: if IPMI is enabled, SOL can be enabled or disabled. If SSH is enabled, SOL can be enabled or disabled only if IPMI-SOL is enabled. If SSH is disabled, SOLSSH will be disabled. If IPMI is disabled, no other combinations can be enabled. In short, IPMI, IPMI-SOL, SSH and SOLSSH can all 4 be disabled and enabled based on the conditions mentioned above. IPMI and SSH are independent, whereas IPMI-SOL is dependent on IPMI, and SOLSSH is dependent on both IPMI-SOL and SSH for it to be enabled.
Hope this explains your queries. Do get back to me if any further clarifications are needed. Thanks.
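A model of the enable/disable dependencies described in this post and of the single ServiceEnabled flag from the first post, as an added example that is not part of the thread or of any BMC firmware. The four service names and their rules are the ones stated above; the mapping of SOLSSH and IPMI-SOL onto the SerialConsole "SSH" and "IPMI" connect types is an assumption about how a BMC would collapse them.

```python
"""Serial-console enable dependencies as stated in the thread (added example).

Rules modelled: IPMI and SSH are independent; IPMI-SOL requires IPMI;
SOLSSH (host serial console over an SSH session) requires both IPMI-SOL
and SSH. The Manager.v1_6_0 SerialConsole object then exposes only one
ServiceEnabled flag for all connect types, which is the lossy mapping
the original poster is asking about.
"""

# Child service -> services that must be enabled for it to run.
DEPENDENCIES = {
    "IPMI": set(),
    "SSH": set(),
    "IPMI-SOL": {"IPMI"},
    "SOLSSH": {"IPMI-SOL", "SSH"},
}

# Dependency order so that transitive disables propagate:
# IPMI off -> IPMI-SOL off -> SOLSSH off.
EVAL_ORDER = ("IPMI", "SSH", "IPMI-SOL", "SOLSSH")


def effective_state(requested: dict) -> dict:
    """Return what is actually running given the admin's requested flags.

    A service is effectively enabled only if it was requested AND every
    service it depends on is itself effectively enabled.
    """
    state = {}
    for name in EVAL_ORDER:
        parents_ok = all(state.get(p, False) for p in DEPENDENCIES[name])
        state[name] = bool(requested.get(name, False)) and parents_ok
    return state


def serial_console_view(state: dict) -> dict:
    """Collapse per-service state into the Manager SerialConsole shape.

    ConnectTypesSupported is a capability list (constructed: this BMC
    implements both SSH and IPMI console access). ServiceEnabled is true
    if ANY console transport is running; the per-protocol detail is what
    the schema cannot express today, kept here under a private key.
    """
    per_protocol = {"SSH": state["SOLSSH"], "IPMI": state["IPMI-SOL"]}
    return {
        "ConnectTypesSupported": ["SSH", "IPMI"],
        "ServiceEnabled": any(per_protocol.values()),
        "_PerProtocolEnabled": per_protocol,
    }
```

Running `serial_console_view(effective_state({...}))` with SOLSSH turned off but IPMI-SOL on still reports `ServiceEnabled: True`, which is exactly the ambiguity the first post describes.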
Post by josephreynolds1 on Nov 22, 2019 15:28:41 GMT
Thanks for the explanation. I think OpenBMC is slightly different. OpenBMC connects to its host serial UART. The BMC provides external access to the host serial via either "ipmitool sol activate" or via "ssh -p 2200 user@$bmc". The host serial can also be accessed via the BMC's internal shell. Specifically, the difference I am seeing between our BMC implementations is: on OpenBMC, enabling or disabling network IPMI does not affect access to SOL via "ssh -p 2200 user@$bmc".
I would like Redfish support for the BMC admin to be able to independently enable and disable:
- network IPMI
- SSH-based SOL (via "ssh -p 2200 user@$bmc")
- I don't know if the ability to disable only the "ipmi sol activate" function is needed.
I believe there is also a use case to disable the host serial at its source (for example, stop the BMC service which is listening to the host UART). I foresee security-conscious administrators wanting to limit access to that powerful interface.
Post by josephreynolds1 on Jan 20, 2020 23:01:15 GMT
Post by AMI_shirleyh on May 27, 2021 8:16:47 GMT
Hi,
Any plans to add SOLSSH in the upcoming schemas, or to differentiate SOL from SSH?
Post by mraineri on May 27, 2021 12:34:30 GMT
SOL and SSH are already differentiated in the schemas. My understanding of SOLSSH is that it's just SSH to the manager to expose the host console. All of this should be covered today in the ComputerSystem resource. ComputerSystem contains a "SerialConsole" property, and that property contains connectivity info for how to access the host serial console via SSH, Telnet, or IPMI-SOL. All three of these can be supported simultaneously, so a client can pick the protocol they'd prefer to use to access the console.