By default, Gigabyte BMC and CMC controllers have the admin service account configured. In order to discover this type of hardware, the root service account needs to be configured.
(ncn#) Retrieve the root user password for this BMC.
If configuring a BMC already present in the system, then retrieve the device-specific root user password from Vault.
BMC=x3000c0s3b0
EXPECTED_ROOT_PASSWORD=$(cray scsd bmc creds list --targets "${BMC}" --format json | jq -r '.Targets[].Password')
The following output indicates that Vault does not contain a device-specific root user password for the specified BMC. In that case, use the system default air-cooled BMC root password described in the step below.
jq: error (at <stdin>:3): Cannot iterate over null (null)
If configuring a new BMC being added to the system, then retrieve the system’s default air-cooled BMC root user password from Vault.
VAULT_PASSWD=$(kubectl -n vault get secrets cray-vault-unseal-keys -o json |
jq -r '.data["vault-root"]' | base64 -d)
EXPECTED_ROOT_PASSWORD=$(kubectl -n vault exec -it cray-vault-0 -c vault -- env \
VAULT_TOKEN="${VAULT_PASSWD}" VAULT_ADDR=http://127.0.0.1:8200 VAULT_FORMAT=json \
vault kv get secret/reds-creds/defaults | jq .data.Cray.password -r)
(ncn#) If desired, verify the contents of EXPECTED_ROOT_PASSWORD.
echo "${EXPECTED_ROOT_PASSWORD}"
(ncn#) Set an environment variable containing the hostname or current IP address of the BMC. If coming from the Add Worker, Storage, or Master NCNs procedure, then the IP address should already be stored in the BMC_IP environment variable.
Via hostname:
BMC=x3000c0s3b0
Via IP address:
BMC=10.254.1.9
(ncn#) Set and export the admin password of the BMC.
Contact HPE Cray service in order to obtain the default password.
NOTE: read -s is used to prevent the password from echoing to the screen or being saved in the shell history.
read -r -s -p "${BMC} admin password: " IPMI_PASSWORD
export IPMI_PASSWORD
(ncn-mw#) Try to access the BMC with the default user credentials.
curl -k -u admin:"${IPMI_PASSWORD}" "https://${BMC}/redfish/v1/Managers" -i | head -1
If a 200 OK status code is returned, then the default user account is configured correctly.
HTTP/1.1 200 OK
If a 401 Unauthorized status code is returned, then the default user is not configured correctly. The BMC needs to be factory reset to restore the default user credentials.
HTTP/1.1 401 Unauthorized
(ncn#) Configure the root service account for the controller.
ipmitool -U admin -E -I lanplus -H "${BMC}" user set name 4 root
ipmitool -U admin -E -I lanplus -H "${BMC}" user set password 4 "${EXPECTED_ROOT_PASSWORD}"
ipmitool -U admin -E -I lanplus -H "${BMC}" user priv 4 4 1
ipmitool -U admin -E -I lanplus -H "${BMC}" user enable 4
ipmitool -U admin -E -I lanplus -H "${BMC}" channel setaccess 1 4 callin=on ipmi=on link=on
Example output:
Set User Password command successful (user 4)
Set Privilege Level command successful (user 4)
Set User Access (channel 1 id 4) successful.
(ncn#) If the target controller is a BMC and not a CMC, then configure Serial Over LAN (SOL).
ipmitool -U admin -E -I lanplus -H "${BMC}" sol payload enable 1 4
(ncn#) Verify that the root service account is now configured.
List the current accounts on the BMC.
curl -s -k -u admin:"${IPMI_PASSWORD}" "https://${BMC}/redfish/v1/AccountService/Accounts" | jq ".Members"
Expected output:
[
  {
    "@odata.id": "/redfish/v1/AccountService/Accounts/4"
  },
  {
    "@odata.id": "/redfish/v1/AccountService/Accounts/1"
  }
]
View the root user account on the BMC.
curl -s -k -u admin:"${IPMI_PASSWORD}" "https://${BMC}/redfish/v1/AccountService/Accounts/4" | jq '. | { Name: .Name, UserName: .UserName, RoleId: .RoleId }'
Expected output:
{
  "Name": "root",
  "UserName": "root",
  "RoleId": "Administrator"
}
(ncn#) Confirm that the new credentials can be used with Redfish.
curl -k -u "root:${EXPECTED_ROOT_PASSWORD}" "https://${BMC}/redfish/v1/Managers" -i | head -1
Expected output:
HTTP/1.1 200 OK
Now the root service account is configured.
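A guard for the failed-lookup case noted in the first step, to run on EXPECTED_ROOT_PASSWORD before the ipmitool "user set password" command. This is an added example, not part of the original procedure: check_bmc_password is a hypothetical helper name, the sample values are constructed, and the 20-byte cap assumes the IPMI 2.0 password field size applies to this BMC.

```shell
#!/usr/bin/env bash
# Added example, not part of the original procedure.
# check_bmc_password is a hypothetical helper name.

# check_bmc_password VALUE
# Returns 0 if VALUE looks usable as a BMC password; otherwise prints the
# reason and returns a distinct non-zero code.
check_bmc_password() {
    local pw="$1"
    local max_len=20  # assumption: IPMI 2.0 20-byte password field applies
    local nbytes

    # The jq "Cannot iterate over null" error goes to stderr, so the
    # command substitution leaves the variable empty.
    if [ -z "${pw}" ]; then
        echo "empty value: the lookup returned nothing"
        return 1
    fi
    # jq -r prints the literal string "null" when a key is absent.
    if [ "${pw}" = "null" ]; then
        echo "literal null: key missing from the Vault response"
        return 2
    fi
    # Whitespace or control characters suggest captured error text or a stray CR.
    case "${pw}" in
        *[[:space:]]* | *[[:cntrl:]]*)
            echo "whitespace or control character in value"
            return 3
            ;;
    esac
    # Count bytes, not characters.
    nbytes=$(( $(printf '%s' "${pw}" | wc -c) ))
    if [ "${nbytes}" -gt "${max_len}" ]; then
        echo "value is ${nbytes} bytes, limit is ${max_len}"
        return 4
    fi
    return 0
}

# Constructed sample values, not real credentials.
for sample in "" "null" "jq: error (at <stdin>:3)" "Constructed-Pw-1"; do
    if reason=$(check_bmc_password "${sample}"); then
        echo "ok to use"
    else
        echo "refuse to write to BMC: ${reason}"
    fi
done
```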