IPMI stonith resource authentication fails.

This document (7021395) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise High Availability Extension 11 Service Pack 4
SUSE Linux Enterprise High Availability Extension 12

Situation

When configuring an IPMI interface as a STONITH resource, the correct IPMI credentials do not authenticate.

The following error is reported in /var/log/messages on the affected node:
   ERROR: error executing ipmitool: Authentication type NONE not supported Error: Unable to establish LAN session

Resolution

Manually modify the cib to use "lanplus" rather than "lan" for the STONITH resource's "interface" parameter.

hostname:~ # crm configure edit
...
primitive <resource name> stonith:external/ipmi \
        params hostname=<hostname> ipaddr=<IP Addr> userid=root passwd=<IPMI root pass> interface=lanplus \
        meta target-role=Started is-managed=true \
        operations $id=<my-id> \
        op monitor interval=3600 start-delay=15 timeout=20
...

Cause

The "lan" interface option for ipmitool submits IPMI credentials over clear text.  Certain IPMI interfaces do not support these un-encrypted authentication attempts. 
The "lanplus" interface type uses the RMCP+ protocol introduced with IPMI v2.0 which integrates with the openssl library to encrypt the IPMI authentication attempt.

Additional Information

On HAE for SLES12, the lanplus IPMI interface option can be configured for an IPMI stonith resource through HAWK, allowing you to choose between reconfiguring the resource using the web interface or manually changing this setting with crm configure edit.

Information regarding this stonith resource including necessary parameters can be seen via command line.
# crm ra info stonith:external/ipmi

To test the IPMI device use ipmitool command ('zypper in ipmitool').

For example: 
# /usr/bin/ipmitool -I lanplus -U <USER_NAME> -P  <PASSWORD> -H  <IPMI_DEVICE_IP> chassis power status

Expected output should be something like: Chassis Power is on
When other output is observed, please check IPMI device : is IPMI enable? Need Licence? Wrong Password? User Disabled? 

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7021395
  • Creation Date: 13-Sep-2017
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center