dell / iDRAC-Redfish-Scripting

Python and PowerShell scripting for Dell EMC PowerEdge iDRAC REST API with DMTF Redfish
GNU General Public License v2.0

iDRAC per FQDN via Redfish #303

Closed downtownle closed 3 months ago

downtownle commented 6 months ago

Hello Texas,

If you have any ideas to use Redfish for it without racadm, let us know. 16G system with iDRAC9, latest firmware level installed.

We are currently trying to address the iDRACs via FQDN because we don't want them via IP addresses. Unfortunately we get this nice error:

The iDRAC is reset to factory default and got its IP address via DHCP. There is also an entry in your community about this: https://www.dell.com/community/en/conversations/systems-management-general/idrac9-6000-and-redfish/647f9dc9f4ccf8a8de23c724

It is a security feature that the header is checked and this check fails because DNS Domain is not configured. How do we get ahead here without addressing the iDRACs via IP address? screenshot

texroemer commented 6 months ago

Hi @downtownle

With your iDRAC FQDN string, are you able to access the iDRAC GUI and only the Redfish curl command is failing, or are you unable to access the iDRAC using any interface?

Also, based on the article link, did you try to disable host header check in iDRAC, and does the curl command still fail?

Thanks Tex

downtownle commented 6 months ago

Hello Texas,

I had thought there was a curl Redfish command you could recommend to turn it off or on before resetting the iDRAC to get around it? Kind of: turn off host header check, reset iDRAC9, switch host header check back on later if possible. I can currently only find racadm commands to deactivate it and set the DNS entry.

texroemer commented 6 months ago

GET and PATCH example for iDRAC attribute WebServer.1.HostHeaderCheck.

[root@localhost]# curl -k -X GET -u root:calvin 'https://idrac-BZ01345/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1?$select=Attributes/WebServer.1.HostHeaderCheck' --insecure | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   274  100   274    0     0    200      0  0:00:01  0:00:01 --:--:--   200
{
  "@odata.context": "/redfish/v1/$metadata#DellAttributes.DellAttributes",
  "@odata.id": "/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1",
  "@odata.type": "#DellAttributes.v1_0_0.DellAttributes",
  "Attributes": {
    "WebServer.1.HostHeaderCheck": "Enabled"
  }
}

[root@localhost]# curl -k -X PATCH -u root:calvin 'https://idrac-BZ01345/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1' --insecure -d '{"Attributes":{"WebServer.1.HostHeaderCheck":"Disabled"}}' -i -H "Content-Type: application/json"
HTTP/1.1 200 OK
Date: Tue, 14 May 2024 02:47:44 GMT
Server: Apache
OData-Version: 4.0
Cache-Control: no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Length: 506
Vary: Accept-Encoding
Content-Type: application/json;odata.metadata=minimal;charset=utf-8

{"@Message.ExtendedInfo":[{"Message":"The request completed successfully.","MessageArgs":[],"MessageArgs@odata.count":0,"MessageId":"Base.1.12.Success","RelatedProperties":[],"RelatedProperties@odata.count":0,"Resolution":"None","Severity":"OK"},{"Message":"The operation successfully completed.","MessageArgs":[],"MessageArgs@odata.count":0,"MessageId":"IDRAC.2.9.SYS413","RelatedProperties":[],"RelatedProperties@odata.count":0,"Resolution":"No response action is required.","Severity":"Informational"}]}

[root@localhost]# curl -k -X GET -u root:calvin 'https://idrac-BZ01345/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1?$select=Attributes/WebServer.1.HostHeaderCheck' --insecure | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   275  100   275    0     0    222      0  0:00:01  0:00:01 --:--:--   222
{
  "@odata.context": "/redfish/v1/$metadata#DellAttributes.DellAttributes",
  "@odata.id": "/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1",
  "@odata.type": "#DellAttributes.v1_0_0.DellAttributes",
  "Attributes": {
    "WebServer.1.HostHeaderCheck": "Disabled"
  }
}

Thanks Tex

downtownle commented 6 months ago

That doesn't really help me. Because I can't get to the iDRAC via FQDN. What needs to be set via DHCPv6 for it to work?

[a758240@m4bxvmvs02cd ~]$ curl -k -X GET -u root:calvin 'https://bn461com5i6x.inf.ref.bm4x.telekom.de/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1?$select=Attributes/WebServer.1.HostHeaderCheck [bn461com5i6x.inf.ref.bm4x.telekom.de]' --insecure | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   638  100   638    0     0   3987      0 --:--:-- --:--:-- --:--:--  3987
{
  "error": {
    "code": "Base.1.8.GeneralError",
    "message": "A general error has occurred. See ExtendedInfo for more information.",
    "@Message.ExtendedInfo": [
      {
        "@odata.type": "#Message.v1_1_0.Message",
        "MessageId": "Base.1.8.QueryNotSupported",
        "Description": "Indicates that query is not supported on the implementation.",
        "Message": "Querying is not supported by the implementation.",
        "Severity": "Warning",
        "Resolution": "Remove the query parameters and resubmit the request if the operation failed."
      }
    ]
  }
}
[a758240@m4bxvmvs02cd ~]$

I also get an error via the browser: screenshot

texroemer commented 6 months ago

Can you confirm you can access GUI and run Redfish calls using iDRAC IPv4 address? Also can you ping your iDRAC DNS name and confirm ping request passes, returns the IPv4 address.

Thanks Tex

downtownle commented 6 months ago

In the test we are currently using IPv4, later in production it will be IPv6 only. A ping works:

[a758240@m4bxvmvs02cd ~]$ ping bn461com5i6x.inf.ref.bm4x.telekom.de
PING bn461com5i6x.inf.ref.bm4x.telekom.de (10.1.3.9) 56(84) bytes of data.
64 bytes from 10.1.3.9 (10.1.3.9): icmp_seq=1 ttl=57 time=12.8 ms

When you call WebGUI this is what happens: screenshot2

texroemer commented 6 months ago

Using IPv4 address can you run Redfish GET and PATCH calls for attribute WebServer.1.HostHeaderCheck, confirm this works. If yes can you disable this attribute and then try accessing iDRAC again using iDRAC DNS name.

Thanks Tex

downtownle commented 6 months ago

Hello Texas,

My question is: do these two values, 'DNSRacName' and 'DNSDomainName', have to be the same so that it works again when calling via DNS name? If so, can you set these two values via Redfish via IPv4 and IPv6? If yes, can you add two examples for it, for IPv4 and IPv6, to set this via IP?

downtownle commented 6 months ago

yes, if we use the IPv4 address, then it works. But we want to go beyond the name, otherwise it makes no sense for us to give the iDRAC a name.

All automation is based on names, so IPv4 and IPv6 can act independently.

texroemer commented 6 months ago

Can you please try using IPv4 address to run PATCH to disable host header check, then try any GET command using DNS name and confirm it passes.

Example:

[root@localhost]# curl -k -X PATCH -u root:calvin 'https://192.168.0.120/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1' --insecure -d '{"Attributes":{"WebServer.1.HostHeaderCheck":"Disabled"}}' -i -H "Content-Type: application/json"
HTTP/1.1 200 OK
Date: Tue, 14 May 2024 02:47:44 GMT
Server: Apache
OData-Version: 4.0
Cache-Control: no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Length: 506
Vary: Accept-Encoding
Content-Type: application/json;odata.metadata=minimal;charset=utf-8

{"@Message.ExtendedInfo":[{"Message":"The request completed successfully.","MessageArgs":[],"MessageArgs@odata.count":0,"MessageId":"Base.1.12.Success","RelatedProperties":[],"RelatedProperties@odata.count":0,"Resolution":"None","Severity":"OK"},{"Message":"The operation successfully completed.","MessageArgs":[],"MessageArgs@odata.count":0,"MessageId":"IDRAC.2.9.SYS413","RelatedProperties":[],"RelatedProperties@odata.count":0,"Resolution":"No response action is required.","Severity":"Informational"}]}

[root@localhost]# curl -k -X GET -u root:calvin 'https://idrac-BZ01345/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1?$select=Attributes/WebServer.1.HostHeaderCheck' --insecure | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   275  100   275    0     0    222      0  0:00:01  0:00:01 --:--:--   222
{
  "@odata.context": "/redfish/v1/$metadata#DellAttributes.DellAttributes",
  "@odata.id": "/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1",
  "@odata.type": "#DellAttributes.v1_0_0.DellAttributes",
  "Attributes": {
    "WebServer.1.HostHeaderCheck": "Disabled"
  }
}

Thanks Tex

downtownle commented 5 months ago

Hello Texas,

Which fields need to be filled for the host header check to work? We are currently using DHCP IPv4 and IPv6, DHCP ONLY! We would like to know the fields that need to be filled (is it the RACNAME or iDRAC9 FQDN name or other suffix fields?). We would like to know this in order to set it and test it. Therefore we need an overview of the fields that need to be filled for the host header check to work.

texroemer commented 5 months ago

Hi @downtownle

Please see article below which goes into detail about host header check iDRAC behavior.

https://www.dell.com/support/kbdoc/en-us/000193619/http-https-fqdn-connection-failures-on-idrac9-firmware-version-5-10-00-00

Thanks Tex
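Added example, not part of the thread and not Dell's code: an offline audit over an iDRAC attribute dump that flags a disabled host header check and reports whether the name automation will send matches the configured names, so the check can be re-enabled rather than left off. It assumes the check accepts the RAC name, the RAC name plus DNS domain, and comma-separated manual entries, and that the attributes are named `NIC.1.DNSRacName`, `NIC.1.DNSDomainName` and `WebServer.1.ManualDNSEntry`; the sample values are constructed.

```python
import ipaddress

# Constructed sample of a DellAttributes "Attributes" object (not from the thread).
SAMPLE = {
    "WebServer.1.HostHeaderCheck": "Disabled",
    "WebServer.1.ManualDNSEntry": "",
    "NIC.1.DNSRacName": "idrac-BZ01345",
    "NIC.1.DNSDomainName": "",
}

def allowed_names(attrs):
    """Names assumed to pass the check: RAC name, RAC name + domain, manual entries."""
    rac = attrs.get("NIC.1.DNSRacName", "").strip().lower()
    domain = attrs.get("NIC.1.DNSDomainName", "").strip().strip(".").lower()
    names = {rac} if rac else set()
    if rac and domain:
        names.add(f"{rac}.{domain}")
    manual = attrs.get("WebServer.1.ManualDNSEntry", "")
    names.update(e.strip().lower() for e in manual.split(",") if e.strip())
    return names

def normalize_host(value):
    """Reduce a Host header value to the bare name or address (no port, no brackets)."""
    host = value.strip().lower()
    if host.startswith("["):                 # "[2001:db8::10]:443"
        return host[1:].split("]")[0]
    if host.count(":") == 1:                 # "name:443" or "10.1.3.9:443"
        host = host.split(":")[0]
    return host.rstrip(".")

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit(attrs, host_header):
    """Return findings for one iDRAC and the Host value automation will send."""
    findings = []
    if attrs.get("WebServer.1.HostHeaderCheck") != "Enabled":
        findings.append("HostHeaderCheck is not Enabled")
    host = normalize_host(host_header)
    # IP literals are skipped: the thread reports that access by address works.
    if not is_ip_literal(host) and host not in allowed_names(attrs):
        findings.append(f"{host} is not a configured name")
    return findings
```

Feed `audit()` the `Attributes` object from a GET on the DellAttributes resource shown earlier in the thread, together with the FQDN your tooling uses; an empty list means the check is on and the name matches under the stated assumptions.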

downtownle commented 5 months ago

Hello Texas,

who can help me with the question which the customer would like to have answered?

Topic: HTTPS-Hostheader

Can the fields "DNSRacName" and "DNSDomainName" also be filled by DHCP v6? If so, which DHCP options must be set for this?

downtownle commented 3 months ago

try to solve it over idm module