Finish upgrading remote server without physically being there?
max at mxcrypt.com
Thu Mar 3 00:47:06 UTC 2011
On Wed, Mar 2, 2011 at 7:10 PM, Nerius Landys <nlandys at gmail.com> wrote:
>> I just got a new Supermicro Atom board a few days ago (X7SPA-HF-D525).
>> It has a Nuvoton BMC chip that is attached to LAN1 and provides IPMI
>> and KVM-over-IP functionality. The chip gets its own IP address
>> (separate from em0 in FreeBSD) and is powered whenever the power cord
>> is plugged-in.
>> As a result, you have some really useful functionality such as power
>> control (turn the server on/off remotely), access to sensors (MB & CPU
>> temperatures, voltages, chassis intrusion), text console, and KVM
>> KVM console is accessed using a Java application that has to be
>> installed on the client. It's pretty much identical to having a
>> physical monitor and keyboard attached, in that you can control the
>> system from the moment that it turns on, including going into BIOS.
>> The only glitch I found so far is that the connection freezes for a
>> few seconds while FreeBSD initializes em0 during boot. After that
>> everything is fine.
> That's really neat. How do you configure the LAN on that chip? For
> example, how do you specify the IP address, gateway, netmask, etc? Is
> this done in the BIOS? So you would normally have at least 2 IPs for
> the server - one for em0 and one for the special chip? Is this a
> separate ethernet jack? Also, what about being more vulnerable - I
> mean, it's an added way of compromising your system, right? Getting
> in through the KVM-over-IP?
The initial IP configuration is done through the BIOS. After that, you
can using the IPMI View application to change the network settings
The physical Ethernet jack is the same as em0, so yes, it has two
separate IPs assigned to it, though the OS is only aware of one. There
are some other implementations (e.g. Dell's iDRAC 6 enterprise) where
the management interface is physically separate.
On this Supermicro board, the interface supports VLAN tagging, so you
can use that to achieve some separation. Otherwise, you're right about
vulnerability. You have username/password authentication and the
session is encrypted using aes-cbc-128 cipher. Even with this, I
wouldn't feel comfortable exposing this port to the outside world. As
it happens, this system will be my new firewall, so em0 will be my lan
and em1 is wan.
More information about the freebsd-questions