Use this procedure to recover from the situation when new or replacement hardware has root
credentials that do not match the system’s current default root
user credentials.
This type of problem can occur in the following scenarios:
root
credentials using either the
Updating the Liquid-Cooled EX Cabinet CEC with Default Credentials after a CEC Password Change or
Update Default Air-Cooled BMC and Leaf-BMC Switch SNMP Credentials procedures.root
password or a different known root
password configured. For example, hardware that has moved from a different system with a customized default root
password.Specify the BMC hostname with the mismatched credentials:
BMC=x1000c0r1b0
Specify the current root
user password for the BMC:
Depending on the origin of the piece of hardware, this could be the factory default password or a different system’s default password.
read -s CURRENT_ROOT_PASSWORD
echo $CURRENT_ROOT_PASSWORD
Verify the credentials work with Redfish using curl
:
curl -k -u "root:$CURRENT_ROOT_PASSWORD" https://$BMC/redfish/v1/Managers -i
The following example output shows the CURRENT_ROOT_PASSWORD
environment variable contains a valid root password for the BMC.
HTTP/1.1 200 OK
...output truncated...
Conversely, the following output shows the CURRENT_ROOT_PASSWORD
environment variable contains an invalid root
user password for the BMC. Update the CURRENT_ROOT_PASSWORD
environment variable to contain a valid root
user password for the BMC.
HTTP/1.1 401 Unauthorized
...output truncated...
Update the credentials for the Redfish endpoint stored in Vault using Hardware State Manager (HSM):
cray hsm inventory redfishEndpoints update $BMC --id $BMC --user root --password $CURRENT_ROOT_PASSWORD
Wait a few minutes for HSM to attempt to inventory the BMC:
sleep 120
Verify the BMC’s discovery status is DiscoverOK
:
cray hsm inventory redfishEndpoints describe $BMC
If DiscoveryStarted
, then wait and recheck the discovery status again. If HTTPsGetFailed
, then examine the HSM logs to troubleshoot the issue.
Determine the system’s default BMC root
user password:
VAULT_PASSWD=$(kubectl -n vault get secrets cray-vault-unseal-keys -o json | jq -r '.data["vault-root"]' | base64 -d)
alias vault='kubectl -n vault exec -i cray-vault-0 -c vault -- env VAULT_TOKEN=$VAULT_PASSWD VAULT_ADDR=http://127.0.0.1:8200 VAULT_FORMAT=json vault'
Retrieve the default root
password.
For liquid-cooled hardware:
SYSTEM_ROOT_PASSWORD=$(vault kv get secret/meds-cred/global/ipmi | jq .data.Password -r)
For air-cooled hardware:
SYSTEM_ROOT_PASSWORD=$(vault kv get secret/reds-creds/defaults | jq .data.Cray.password -r)
Verify the systems’s default root
user password:
echo $SYSTEM_ROOT_PASSWORD
Create a payload for the System Configuration Service (SCSD):
jq --arg BMC "$BMC" --arg PASSWORD "$SYSTEM_ROOT_PASSWORD" -n \
'{Targets:[{Xname: $BMC, Creds: {Username: "root", Password: $PASSWORD}}]}' > scsd_payload.json
Inspect the payload:
jq . scsd_payload.json
Example payload contents:
{
"Targets": [
{
"Xname": "x1000c0r1b0",
"Creds": {
"Username": "root",
"Password": "foobar"
}
}
]
}
Apply the systems’s default BMC root
user credentials to the BMC:
cray scsd bmc discreetcreds create scsd_payload.json
Example of a successful credential change:
[[Targets]]
Xname = "x1000c0r1b0"
StatusCode = 204
StatusMsg = "No Content"
If the operation is not successful inspect the SCSD logs.
Remove SCSD payload file containing credentials from the file system:
rm scsd_payload.json