Unable to set lan access via ipmitool

[rahulmah]

Unable to set lan access via ipmitool. Tested with master - 2.8.0-dev-89-g911f50f61. In journal, I don't see any entry for the failure. I believe it was working with older builds and started failing recently.

Via Inband IPMI

[root@<hostname> ~]# ipmitool lan set 1 access off
IPMI command failed: Unspecified error
Unable to Set Channel Access(non-volatile) for channel 1

[root@<hostname> ~]# ipmitool lan set 1 access on
IPMI command failed: Unspecified error
Unable to Set Channel Access(non-volatile) for channel 1

Via Out of band IPMI

bash-4.1$ ipmitool -I lanplus -C 3 -U root -P 0penBmc -H <BMC_IP> lan set 1 access off
IPMI command failed: Unspecified error
Unable to Set Channel Access(non-volatile) for channel 1

BMC Fw info:

root@witherspoon-YL30UF74T02X:~# cat /etc/os-release
ID="openbmc-phosphor"
NAME="Phosphor OpenBMC (Phosphor OpenBMC Project Reference Distro)"
VERSION="2.8.0-dev"
VERSION_ID="2.8.0-dev-89-g911f50f61"
PRETTY_NAME="Phosphor OpenBMC (Phosphor OpenBMC Project Reference Distro) 2.8.0-dev"
BUILD_ID="2.8.0-dev"
OPENBMC_TARGET_MACHINE="witherspoon"

[gkeishin]

@tomjoseph83 was looking into it earlier.

[rthomaiy]

can you get detailed dump of ipmitool -I lanplus .... lan set 1 access off -vvvvv or directly use set channel access command 0x6 0x40 followed by 2 bytes of data.

[gkeishin]

root@xx.xx.xx.xx:~# ipmitool lan set 1 access off -vvvvv
Using ipmi device 0
Set IPMB address to 0x20
OpenIPMI Request Message Header:
  netfn     = 0x6
  cmd       = 0x1
Sending request 0x1 to System Interface
Got message:  type      = 1
  channel   = 0xf
  msgid     = 0
  netfn     = 0x7
  cmd       = 0x1
  data_len  = 16
  data      = 0000800207028d41a7004f4205000500
Iana: 42817
Running Get PICMG Properties my_addr 0x20, transit 0, target 0
OpenIPMI Request Message Header:
  netfn     = 0x2c
  cmd       = 0x0
OpenIPMI Request Message Data (1 bytes)
 00
Sending request 0x0 to System Interface
Got message:  type      = 1
  channel   = 0xf
  msgid     = 1
  netfn     = 0x2d
  cmd       = 0x0
  data_len  = 2
  data      = c100
Error response 0xc1 from Get PICMG Properities
Running Get VSO Capabilities my_addr 0x20, transit 0, target 0
OpenIPMI Request Message Header:
  netfn     = 0x2c
  cmd       = 0x0
OpenIPMI Request Message Data (1 bytes)
 03
Sending request 0x0 to System Interface
Got message:  type      = 1
  channel   = 0xf
  msgid     = 2
  netfn     = 0x2d
  cmd       = 0x0
  data_len  = 2
  data      = c103
Invalid completion code received: Invalid command
Acquire IPMB address
Discovered IPMB address 0x0
Interface address: my_addr 0x20 transit 0:0 target 0x20:0 ipmb_target 0

OpenIPMI Request Message Header:
  netfn     = 0x6
  cmd       = 0x42
OpenIPMI Request Message Data (1 bytes)
 01
Sending request 0x42 to System Interface
Got message:  type      = 1
  channel   = 0xf
  msgid     = 3
  netfn     = 0x7
  cmd       = 0x42
  data_len  = 10
  data      = 0001040180f21b000000
Channel type: 802.3 LAN
OpenIPMI Request Message Header:
  netfn     = 0x6
  cmd       = 0x41
OpenIPMI Request Message Data (2 bytes)
 01 40
Sending request 0x41 to System Interface
Got message:  type      = 1
  channel   = 0xf
  msgid     = 4
  netfn     = 0x7
  cmd       = 0x41
  data_len  = 3
  data      = 000004
OpenIPMI Request Message Header:
  netfn     = 0x6
  cmd       = 0x40
OpenIPMI Request Message Data (3 bytes)
 01 40 44
Sending request 0x40 to System Interface
Got message:  type      = 1
  channel   = 0xf
  msgid     = 5
  netfn     = 0x7
  cmd       = 0x40
  data_len  = 1
  data      = ff
IPMI command failed: Unspecified error
Unable to Set Channel Access(non-volatile) for channel 1
root@xx.xx.xx.xx:~#

[rthomaiy]

@tomjoseph83 can you confirm there is override command handler to Set & Get channel access in your code? Reason: For Get Channel access 0x6, 0x41, 0x1 0x40 and the response was 0x00 0x00 0x04 indicating the channel is already disabled and set for the same failed for setting the same info (which doesn't seems right). as per the code in the user_channel, it will return 0xFF only when read / write to the file failed, but it doesn't look like that, as read was passed.

[tomjoseph83]

@rthomaiy We have not overrided the Get & Set Channel access command downstream. The command implementations are the same as master.

[rthomaiy]

ok, tried with latest code, and unable to reproduce this issue root@xx: ipmitool lan set 1 access off Set Channel Access for channel 1 was successful. root@xx: ipmitool lan set 1 access on Set Channel Access for channel 1 was successful.

Can you dump the following before and after the execution of the commands

1. cat /var/lib/ipmi/channel_access_nv.json
2. cat /run/ipmi/channel_access_volatile.json

Need dump of the above 2 files, before & after executing the commands.

[rahulmah]

@rthomaiy : I don't see any change in the commands after executing ipmitool command.

Before executing ipmitool command

root@witherspoon-YL30UF74T02X:~# cat /var/lib/ipmi/channel_access_nv.json
{
  "1" : {
    "access_mode" : "always_available",
    "user_auth_disabled" : false,
    "per_msg_auth_disabled" : false,
    "alerting_disabled" : false,
    "priv_limit" : "priv-admin"
  },
  "2" : {
    "access_mode" : "always_available",
    "user_auth_disabled" : false,
    "per_msg_auth_disabled" : false,
    "alerting_disabled" : false,
    "priv_limit" : "priv-admin"
  }
}
root@witherspoon-YL30UF74T02X:~# cat /run/ipmi/channel_access_volatile.json
{
  "1" : {
    "access_mode" : "always_available",
    "user_auth_disabled" : false,
    "per_msg_auth_disabled" : false,
    "alerting_disabled" : false,
    "priv_limit" : "priv-admin"
  },
  "2" : {
    "access_mode" : "always_available",
    "user_auth_disabled" : false,
    "per_msg_auth_disabled" : false,
    "alerting_disabled" : false,
    "priv_limit" : "priv-admin"
  }
}

Execute ipmitool command - ipmitool lan set 1 access off

[root@ws011p1 ~]# ipmitool lan set 1 access off
IPMI command failed: Unspecified error
Unable to Set Channel Access(non-volatile) for channel 1

After executing ipmitool command

root@witherspoon-YL30UF74T02X:~# cat /var/lib/ipmi/channel_access_nv.json
{
  "1" : {
    "access_mode" : "always_available",
    "user_auth_disabled" : false,
    "per_msg_auth_disabled" : false,
    "alerting_disabled" : false,
    "priv_limit" : "priv-admin"
  },
  "2" : {
    "access_mode" : "always_available",
    "user_auth_disabled" : false,
    "per_msg_auth_disabled" : false,
    "alerting_disabled" : false,
    "priv_limit" : "priv-admin"
  }
}
root@witherspoon-YL30UF74T02X:~# cat /run/ipmi/channel_access_volatile.json
{
  "1" : {
    "access_mode" : "always_available",
    "user_auth_disabled" : false,
    "per_msg_auth_disabled" : false,
    "alerting_disabled" : false,
    "priv_limit" : "priv-admin"
  },
  "2" : {
    "access_mode" : "always_available",
    "user_auth_disabled" : false,
    "per_msg_auth_disabled" : false,
    "alerting_disabled" : false,
    "priv_limit" : "priv-admin"
  }
}```

[rthomaiy]

@tomjoseph83 by any chance whether this is read-only file system (in that case, yes we return 0xFF)

[rthomaiy]

For some reason, the file is not getting updated. It requires further level of debug to the command handler. Requested the same with @tomjoseph83

[tomjoseph83]

@rthomaiy I added some traces and figured out that setChannelAccessPersistData is returning 0xFF as the completion code. It is surprising that there were no journal traces to substantiate the failure. log<level::DEBUG>("Set channel access - Failed to set access data");This will need some more discussion and we can have it on the IRC when you are available.

[tomjoseph83]

The command is failing when updating the privilege limit on the network interface.

https://github.com/openbmc/phosphor-host-ipmid/blob/master/user_channel/channel_mgmt.cpp#L610

The traces are not coming because the journal API format is invalid.

This is the patch holding this feature to be available.

https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-networkd/+/13114/