"IPMI proxy via auxiliary server" module
|Hierarchy:||DCImanager -> Modules|
|DCImanager Enterprise -> Modules|
This article describes the operation principles and installation algorithm of the “IPMI proxy via auxiliary server" module.
“IPMI proxy via auxiliary server” module gives convenient access to IPMI web interfaces for IPMI-modules with internal IP. Access is provided through connecting of VNC to the selected server with CentOS 7. An environment with limited version of the browser and IPMI web interface page will be created on the server.
The module is tested on the following IPMI types:
SuperMicro (FW: 01.11); HP iLO 4 ProLiant (FW: 2.50); HP iLO 3 ProLiant (FW: 1.88); HP LO 100 (FW: 4.23); Huawei iBMC (FW: U25 2.30); Intel BMC (FW: 01.21.6038); Dell IDRAC 8 Power Edge R430 (FW: 18.104.22.168, Date:14.05.2017); SuperMicro (FW: 03.45, Date: 09/19/2016).
More information about IPMI can be found in "IPMI".
- 1 Preparing a proxy-server
- 2 Installation and configuration of “IPMI proxy via auxiliary server” module
- 3 Managing the module
- 4 Module at work
Preparing a proxy-server
To use this module, you need a server running CentOS 7. This server should have an access to the internal network, where IPMI is located. We recommend that you install the proxy software on a separate (virtual or dedicated) server. The server can have both public and private IP address, but it should be accessible from the server with DCImanager.
You can set up proxy on the server with DCImanager, however this is not recommended. While using proxy a third-party software is used, and the risk of gaining unauthorized access to the target server increases. Please note that proxy increases sever load, slowing down DCImanager.
Installation and configuration of “IPMI proxy via auxiliary server” module
To install a module, navigate to "Integration" → "Modules" → "IPMI proxy via auxiliary server" → "Install" button.
After the installation is done the "Install" button is replaced with the "Settings" button.
You should enter the following parameters:
- Proxy server URL — URL to access the IPMI proxy server via SSH;
- Proxy server port — the SSH port to access IPMI proxy server;
- Admin name — Admin username to connect to the IPMI proxy server;
- Proxy server authorization type — IPMI proxy server authorization type;
- Admin password / Open SSH-key — connection data depending on the selected connection method:
- By password — use a password for authorization;
- By SSH-key — use an SSH-key for authorization.
- Encrypt connection from noVNC to websockify — this option enables encryption of transmitted data (SSL) when connecting noVNC to websockify. We recommend that you enable this option, if you work with the control panel using SSL;
- Mount ISO-images — this option enables mounting of all available ISO images on the proxy server into the user directory. This option allows you to mount ISO images on the target server via the IPMI web interface or the Java console. The administrator can use all images. The owner of the server can access public images, and the images that he or his administrator uploaded;
- DCImanager server IP-address — the address of the server where the control panel is installed;
- Allow administrator to choose connect method — select the check box to allow the administrator to select a connection method to the IPMI interface;
- I agree with Java/Oracle terms of service (c) — accept Java/Oracle(c) terms of service.
Managing the module
In the following articles you will find more information on how to work with the PMI if proxy via auxiliary server is set up:
- Using noVNC to access Hewlett-Packard Lights Out 100 (iLo100) IPMI WEB-interface;
- Using noVNC to access Intel BMC IPMI WEB-interface;
- Using noVNC to access SuperMicro 2012 IPMI WEB-interface;
- Using noVNC to access SuperMicro 2016 IPMI WEB-interface.
Module at work
The VNC server and the software, which is required for displaying the IPMI web interface and the remote console will be installed on the server.
The websockify server which redirects traffic to the VNC server and back, will start on the server with DCImanager.
noVNC, which refers to websockify locally and gets the picture with the IPMI web-interface in the browser through the VNC-server will start on the server with DCImanager.
To simplify the password entry and exchange some textual information with the IPMI web interface, you could use buttons to transfer the clipboard and the text field in the noVNC interface. The Ctrl button is enabled for use inside the Java console.
Starting from version 155 you can move windows and switch between windows inside the VNC. To maximize a window, press Shift + TAB.
On the server with DCImanager you need to allow incoming traffic for range of ports specified in the configuration file (for noVNC).
On the remote proxy server:
- Configure a user template (named dci_vnc_template and dci_vnc_users group) to start the VNC server;
- The system installs the software (outdated chromium with java-plugin support, java, tigervnc-server, chromium current version);
- Creates an exception file for java;
- Installs the java-plugin for the browser. It is necessary to open a Java applet for some IPMI, for example for HP iLo 4);
- Configures the correct opening of jnlp-files through javaws;
- Opens incoming traffic to the port range for VNC in the firewall;
- Sets the public key from <control_panel_directory> /etc/.ssh/master_id.pub in ~/.ssh/authorized_keys of the selected administrator;
- If all the steps completed successfully, the empty file /var/lock/ipmiproxyv2_installed will be created. If this file exists, when configuring the module next time, the installation won’t start on that server.
Connection to the IPMI
On the server running DCImanager:
- The system will check that noVNC port does not match one of the ports banned by browsers: 6000, 6665–6669, 6697;
- Next, it will check the firewall rules and correct them if necessary. If the ports for noVNC were changed in the settings configuration form, the incoming traffic will be allowed to the range of ports from the configuration file;
- Availability of the IPMI web-interface URL will be checked every 10 seconds. If it is unavailable, the corresponding error message will be displayed;
- If the "Mount ISO images" option is enabled:
- The system will generate a list of ISO images available for the user who called the function;
- Each image from the list will be mounted as an NFS-directory (if it wasn’t mounted earlier). The NFS directory is available only for the proxy server.
On the remote proxy server:
- A temporary user will be created from the user template. The IPMI link will be specified in its start script;
- Links to IPMI will be added to the list of exceptions for Java (the original one and the link with https);
- The firewall rules will be checked and corrected if necessary. If the ports for noVNC were changed in the settings configuration form, the incoming traffic will be allowed to the range of ports from the configuration file;
- If the "Mount ISO images" option is enabled, every available image will be mounted into the ISO subdirectory inside the temporary user home directory;
- The IPMI type will be checked:
- If the "Support old IPMI types" option is enabled, the browser will support the java plug-in (required for HP iLo 100/160 devices);
- Otherwise, the current version of the browser will start. It is compatible with the most IPMI.
- VNC server will start from the user side, where the browser with limited capabilities will start. The IPMI web-interface will open in the browser;
- On the server with DCImanager the websockify proxy will start. It will wait for connection on the first free port from the range and redirects them to the VNC server;
- noVNC connected to websockify will open in a new tab.
Closing a tab (or opening a new one with the same IPMI)
- websockify will be stopped;
- temporary user processes will be stopped;
- if the "Mount ISO images" option is enabled:
- the directories with ISO images will be unmounted;
- If the directory usage count is reduced to zero, the NFS directory on the server with DCImanager will be unmounted;
- If it is necessary, user's lock files will be deleted;
- The temporary user and his home directory will be deleted.
Changing proxy server address
- attempt to connect to the old proxy server via SSH;
- attempt to restore the firewall rules to their original state on the old server;
- attempt to delete the public key <control_panel_directory> /etc/.ssh/master_id.pub from~/.ssh/authorized_keys of the old server;
- Enable proxy on the new server.
How the module works in locations
If the module is used in locations, the system tries to connect to IPMI servers in the locations through the main server with DCImanager and the specified proxy server.
We can not identify you and respond to your message.