Modify the BMC "maas" account privilege group

Bug #2028532 reported by Zhanglei Mao

This bug report was marked for expiration 239 days ago.

This bug affects 1 person

Affects: MAAS
Status: Incomplete
Importance: Undecided
Assigned to: Unassigned

Bug Description

When using MAAS 3.3.4, the server is automatically commissioned after it boots into PXE, and a BMC account named "maas" will be created with the wrong privilege group. It has to be changed to the "Administrator" group manually, and then the status of the server will be normal.

Bill Wear (billwear) wrote :

How do you know that a BMC account named "maas" is created, and that it has the wrong privilege group? How could I reproduce this? Please see https://maas.io/docs/how-to-review-and-report-bugs for the kinds of details we typically need to address a bug.

Changed in maas:
status: New → Incomplete
Zhanglei Mao (zhanglei-mao) wrote :

It happened on an NF5280-M7 server from "Inspur Electronic Information Industry Co., Ltd."

It was checked in the BMC GUI, which showed a new maas account created by MAAS. It uses a new group role to grant administrator rights, which is different from old servers.

Zhanglei Mao (zhanglei-mao) wrote :

The cloud-init-out.log seems to show no error:

Installing apt packages for 30-maas-01-bmc-config (id: 1432, script_version_id: 32)
Starting 30-maas-01-bmc-config (id: 1432, script_version_id: 32)
BMC credentials reconfigured by 30-maas-01-bmc-config
Finished 30-maas-01-bmc-config (id: 1432, script_version_id: 32): 0

...
All scripts successfully ran
Cloud-init v. 23.1.1-0ubuntu0~22.04.1 finished at Mon, 24 Jul 2023 09:51:12 +0000. Datasource DataSourceMAAS [http://172.24.124.1:5248/MAAS/metadata/]. Up 162.89 seconds

Zhanglei Mao (zhanglei-mao) wrote :

In syslog there is:
Jul 24 09:50:20 ace-worm cloud-init[4373]: Starting 30-maas-01-bmc-config (id: 1432, script_version_id: 32)
Jul 24 09:50:21 ace-worm kernel: [ 111.334434] x86/PAT: ipmi-locate:5857 map pfn expected mapping type uncached-minus for [mem 0x72365000-0x72366fff], got write-back
(above line repeated 4 times)

Anton Troyanov (troyanov) wrote :

Hello Zhanglei,

Can you please share 30-maas-01-bmc-config script output?

Changed in maas:
status: Incomplete → New
status: New → Incomplete
Zhanglei Mao (zhanglei-mao) wrote :

After debugging 30-maas-01-bmc-config, we found it actually calls the following (bmc-config):
# new SUT server which doesn't have an existing maas account
bmc-config --commit --key-pair=Lan_Conf_Security_Keys:K_G=admin
bmc-config --commit --key-pair=User3:Username=maas
bmc-config --commit --key-pair=User3:Password=IuY2As2YbGj
bmc-config --commit --key-pair=User3:Enable_User=Yes
bmc-config --commit --key-pair=User3:Lan_Privilege_Limit=Administrator
bmc-config --commit --key-pair=User3:Lan_Enable_IPMI_Msgs=Yes
bmc-config --commit --key-pair=User3:Serial_Enable_Link_Auth=Yes

# bmc-config actually calls ipmi-config --category=core ...

This issue can be reproduced manually as below:
# reproduce it manually under ubuntu 20.04
# delete the maas account from the bmc webui if it is there
sudo apt update
sudo apt install freeipmi-tools
sudo modprobe ipmi_msghandler
sudo modprobe ipmi_devintf
sudo modprobe ipmi_si
sudo modprobe ipmi_ssif
bmc-config --commit --key-pair=Lan_Conf_Security_Keys:K_G=admin
bmc-config --commit --key-pair=User3:Username=maas
bmc-config --commit --key-pair=User3:Password=IuY2As2YbGj
bmc-config --commit --key-pair=User3:Enable_User=Yes
bmc-config --commit --key-pair=User3:Lan_Privilege_Limit=Administrator
bmc-config --commit --key-pair=User3:Lan_Enable_IPMI_Msgs=Yes
bmc-config --commit --key-pair=User3:Serial_Enable_Link_Auth=Yes

# check maas account in webui: userid="3" username="maas" usergroup="no group" useraccess="enabled" ipmiprivilege="none"

The expected correct value should be ipmiprivilege="Administrator"

Zhanglei Mao (zhanglei-mao) wrote :

An engineer from "Inspur Electronic Information Industry Co., Ltd." reported that adjusting the bmc-config command order as below can create a MAAS account on the server with the correct ipmiprivilege.
...
bmc-config --commit --key-pair=User3:Serial_Enable_Link_Auth=Yes
bmc-config --commit --key-pair=User3:Lan_Privilege_Limit=Administrator

But this account still can't access the BMC (controller power) due to the absence of a usergroup.

To change the usergroup, the BMC web GUI or ipmitool can be used; with ipmitool, a raw command is needed, like below:
ipmitool raw 0x3c 0xa4 0x02 0x01 0x08 0x74 0x65 0x73 0x74 0x38 0x0a 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Parameters as below:
Netfun: 0x3c
cmd: 0xa4
operation type: 0x02
group id: 0x01
user id: 0x08 (from 0)
user name: 0x74 0x65 0x73 0x74 0x38 0x0a 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 (0x74 0x65 0x73 0x74 0x38 is the username in ASCII, 0x0a is return, user name length is 16, pad with 0x00 if not)
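
The byte layout listed in the comment above, as an added example that is not part of the original comment or of MAAS: a POSIX shell function that builds the `ipmitool raw` argument list for a given user id, group id and user name, and only prints it. The names `is_byte` and `oem_group_args` are hypothetical; the operation type 0x02 and the 0x0a after the name are copied from the comment as given.

```shell
#!/bin/sh
# Added example: build the vendor "ipmitool raw" arguments from the parameter
# list in the comment. Nothing is sent to a BMC; the command is only printed.

# is_byte N: succeeds when N is a plain decimal number in 0..255.
is_byte() {
    case $1 in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$1" -le 255 ]
}

# oem_group_args USER_ID GROUP_ID USERNAME
# Prints NetFn, cmd, operation type, group id, user id and the 16-byte name
# field (ASCII name, 0x0a, then 0x00 padding), in the order the comment lists.
oem_group_args() {
    user_id=$1 group_id=$2 name=$3
    if ! is_byte "$user_id" || ! is_byte "$group_id"; then
        echo "user id and group id must be decimal 0..255" >&2
        return 1
    fi
    # 15 characters at most, so the 0x0a still fits in the 16-byte field.
    case $name in
        ''|*[!A-Za-z0-9._-]*) echo "invalid user name" >&2; return 1 ;;
    esac
    if [ "${#name}" -gt 15 ]; then
        echo "user name longer than 15 characters" >&2
        return 1
    fi
    field=""
    count=0
    # printf appends the newline, which od renders as the 0x0a byte.
    for byte in $(printf '%s\n' "$name" | od -An -v -tx1); do
        field="$field 0x$byte"
        count=$((count + 1))
    done
    while [ "$count" -lt 16 ]; do
        field="$field 0x00"
        count=$((count + 1))
    done
    printf '0x3c 0xa4 0x02 0x%02x 0x%02x%s\n' "$group_id" "$user_id" "$field"
}

# Same values as the comment: user id 8, group id 1, user name "test8".
echo "ipmitool raw $(oem_group_args 8 1 test8)"
```
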

Zhanglei Mao (zhanglei-mao) wrote :

root cause and workaround at present:

a. This new platform's BMC has enhanced account security with groups. This group account can only be configured via ipmitool raw with ASCII code.

b. Workaround can be: 1. manually change usergroup via BMC admin webui. 2. during maas commissioning, select "Skip configuring supported BMC controllers with a MAAS generated username and password".

Björn Tillenius (bjornt) wrote :

Did the engineer state why the order needs to be different?

Changed in maas:
status: Incomplete → New
status: New → Incomplete
Zhanglei Mao (zhanglei-mao) wrote :

The engineer said that during the step "bmc-config --commit --key-pair=User3:Serial_Enable_Link_Auth=Yes", the user privilege would be automatically reset to none.
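
One way to catch the silent privilege reset described above (added example, not MAAS or FreeIPMI code): parse `bmc-config --checkout` output for User3 and report every key that differs from what was committed. The sample checkout text is constructed, `sample_checkout` and `check_user3` are hypothetical names, and the `No_Access` value is an assumption about what the affected BMC would report.

```shell
#!/bin/sh
# Constructed sample of a User3 checkout after the commit sequence from the
# bug report; the No_Access privilege value is an assumption.
sample_checkout() {
cat <<'EOF'
Section User3
	## Give Username
	Username                                      maas
	Enable_User                                   Yes
	## Possible values: Callback/User/Operator/Administrator/OEM_Proprietary/No_Access
	Lan_Privilege_Limit                           No_Access
	Lan_Enable_IPMI_Msgs                          Yes
	Serial_Enable_Link_Auth                       Yes
EndSection
EOF
}

# check_user3: reads checkout text on stdin, prints one line per key that is
# missing or differs from the committed value, and returns 1 if any do.
# Real use: bmc-config --checkout --section=User3 | check_user3
check_user3() {
    awk '
        BEGIN {
            want["Username"] = "maas"
            want["Enable_User"] = "Yes"
            want["Lan_Privilege_Limit"] = "Administrator"
            want["Lan_Enable_IPMI_Msgs"] = "Yes"
            want["Serial_Enable_Link_Auth"] = "Yes"
        }
        $1 == "Section"      { in_sec = ($2 == "User3"); next }
        $1 == "EndSection"   { in_sec = 0; next }
        !in_sec || $1 ~ /^#/ { next }
        ($1 in want)         { got[$1] = $2 }
        END {
            bad = 0
            for (k in want)
                if (!(k in got) || got[k] != want[k]) {
                    printf "MISMATCH %s: expected %s, got %s\n",
                        k, want[k], ((k in got) ? got[k] : "<missing>")
                    bad = 1
                }
            exit bad
        }
    '
}

sample_checkout | check_user3 || echo "User3 does not match what was committed"
```

Running the check after the last `bmc-config --commit` call, rather than trusting the script's exit code, catches the case in this report where the script finished with status 0 while the privilege was none.
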

Christian Grabowski (cgrabowski) wrote :

And the `ipmitool raw` command can be executed after those config values are set, or is its order specific as well?

Changed in maas:
status: Incomplete → New
status: New → Incomplete