xCAT support for Secured OF (Openfirmware) prompt #6637

Open
hgunasin opened this issue Mar 14, 2020 · 33 comments · May be fixed by #6793

Comments

@hgunasin

Hi

Background
I use xCAT to build and deploy VIO Servers and Novalink for a large customer using Power8 and Power9 systems which are HMC connected and Novalink managed once built.

I have come across an issue where we are unable to rinstall with netboot, as when an LPAR is powered on, in firmware 940 on P9 systems it uses a "Secured OF" prompt rather than the firmware prompt which it had on firmware level 930 and below. This is preventing the use of the xCAT capabilities to netboot and install VIO Servers and RHEL operating systems on an LPAR using HMCs.

Are there any plans to support these? If not, what would be the alternative we could use? I need urgent help at least to understand where we are going with xCAT with support for the "Secured OF" prompt.

Thanks in advance and appreciate any comments on this urgently.

@besawn
Member

besawn commented Mar 16, 2020

Can you provide some information about the server model number and firmware version you are using?

@hgunasin
Author

The Server is an IBM Power 9 E980 with Firmware FW940.02.

@hgunasin
Author

HMC version is Version 9 Release 1 Maintenance 940 (V9 R1 M940)

@hgunasin
Author

hgunasin commented Mar 18, 2020 via email

@gurevichmark
Contributor

We don't currently support "Secured OF" boot from xCAT.

We can try to suggest a workaround if you can provide more information.
Please provide the lsdef output for the node in question.

Also, please provide the console output log file /var/log/consoles/<node>.log from the partition boot showing the boot sequence, including the failure when the "Secured OF" prompt appears.

@hgunasin
Author

hgunasin commented Mar 19, 2020 via email

@gurevichmark
Contributor

@hgunasin Great, when you are done, would you be willing to share your solution here?

@hgunasin
Author

hgunasin commented Apr 1, 2020 via email

@hgunasin
Author

hgunasin commented Apr 1, 2020 via email

@gurevichmark
Contributor

@hgunasin It looks like your file did not get attached to the issue.

Can you either drop the file directly into this issue's comment box or email the file directly to the email associated with my GitHub ID?

@hgunasin
Author

hgunasin commented Apr 2, 2020

LparNetbootExp.txt

@hgunasin
Author

hgunasin commented Apr 2, 2020 via email

@hgunasin
Author

Hi Mark

Did you have a chance to review the attachment?

I have a question with regard to getting "SecureOF" officially supported on Power Systems with xCAT. Do you know whom I need to reach out to in order to take this support query forward?

Appreciate your help in advance.

Thanks

Hemantha

@gurevichmark
Contributor

@hgunasin
This is still on our todo list; we just have not had time to set up a test environment to verify your changes.
A few questions for you, which might speed up that process:

  • When you say getting "SecureOF" officially supported on Power Systems with xCAT, is there more that needs to be done, other than merging in your changes in LparNetbootExp?
  • You said you were unable to rinstall with netboot as when an LPAR is powered on, in firmware 940 on P9. Does this mean it worked on P8 LPARs?
  • Once I install OP940 firmware that supports "SecureOF", how do I turn on that feature?

@hgunasin
Author

hgunasin commented Apr 22, 2020 via email

@wabe1968

wabe1968 commented Jul 8, 2020

Hi there, I am experiencing the same problem with secure boot installing a cluster made of L922 servers. I just tried to test the Hemantha version of LparNetbootExp.pm with xCAT version 2.16 and rnetboot is failing with several Perl error messages.
My knowledge of Perl is very basic, but I have the impression there might be an extra graph somewhere.

syntax error at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2231, near "else"
Global symbol "$verbose" requires explicit package name (did you forget to declare "my $verbose"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2233.
Global symbol "@done" requires explicit package name (did you forget to declare "my @done"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2254.
Global symbol "$dump_target" requires explicit package name (did you forget to declare "my $dump_target"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2255.
Global symbol "@net_device" requires explicit package name (did you forget to declare "my @net_device"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2256.
Global symbol "$full_path_name" requires explicit package name (did you forget to declare "my $full_path_name"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2256.
Global symbol "$netmask" requires explicit package name (did you forget to declare "my $netmask"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2256.
Global symbol "$dump_port" requires explicit package name (did you forget to declare "my $dump_port"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2256.
Global symbol "$dump_lun" requires explicit package name (did you forget to declare "my $dump_lun"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2256.
Global symbol "$dump_target" requires explicit package name (did you forget to declare "my $dump_target"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2256.
Global symbol "@pattern" requires explicit package name (did you forget to declare "my @pattern"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2257.
Global symbol "$extra_args" requires explicit package name (did you forget to declare "my $extra_args"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2259.
Global symbol "@net_device" requires explicit package name (did you forget to declare "my @net_device"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2261.
Global symbol "$full_path_name" requires explicit package name (did you forget to declare "my $full_path_name"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2261.
Global symbol "$speed" requires explicit package name (did you forget to declare "my $speed"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2261.
Global symbol "$duplex" requires explicit package name (did you forget to declare "my $duplex"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2261.
Global symbol "$node" requires explicit package name (did you forget to declare "my $node"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2261.
Global symbol "$extra_args" requires explicit package name (did you forget to declare "my $extra_args"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2261.
Global symbol "@net_device" requires explicit package name (did you forget to declare "my @net_device"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2263.
Global symbol "$full_path_name" requires explicit package name (did you forget to declare "my $full_path_name"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2263.
Global symbol "$speed" requires explicit package name (did you forget to declare "my $speed"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2263.
Global symbol "$duplex" requires explicit package name (did you forget to declare "my $duplex"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2263.
Global symbol "$extra_args" requires explicit package name (did you forget to declare "my $extra_args"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2263.
Global symbol "@net_device" requires explicit package name (did you forget to declare "my @net_device"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2267.
Global symbol "$full_path_name" requires explicit package name (did you forget to declare "my $full_path_name"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2267.
Global symbol "$speed" requires explicit package name (did you forget to declare "my $speed"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2267.
Global symbol "$duplex" requires explicit package name (did you forget to declare "my $duplex"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2267.
Global symbol "$node" requires explicit package name (did you forget to declare "my $node"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2267.
Global symbol "@net_device" requires explicit package name (did you forget to declare "my @net_device"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2270.
Global symbol "$full_path_name" requires explicit package name (did you forget to declare "my $full_path_name"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2270.
Global symbol "$speed" requires explicit package name (did you forget to declare "my $speed"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2270.
Global symbol "$duplex" requires explicit package name (did you forget to declare "my $duplex"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2270.
Global symbol "@pattern" requires explicit package name (did you forget to declare "my @pattern"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2273.
Global symbol "@cmd" requires explicit package name (did you forget to declare "my @cmd"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2276.
Global symbol "@net_device" requires explicit package name (did you forget to declare "my @net_device"?) at /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm line 2276.
Execution of /opt/xcat/lib/perl/xCAT/LparNetbootExp.pm aborted due to compilation errors.
Compilation failed in require at /opt/xcat/lib/perl/xCAT/PPCboot.pm line 13.
BEGIN failed--compilation aborted at /opt/xcat/lib/perl/xCAT/PPCboot.pm line 13.
Compilation failed in require at (eval 95) line 1.

@gurevichmark
Contributor

@hgunasin The LparNetbootExp.txt you posted on April 2 seems to have an unmatched bracket.
perltidy flagged this:

1522:   Should 'eq' be '==' here ?
2231:   expecting 'else' to follow one of 'if|elsif|unless|case|when'

There is no previous '{' to match a '}' on line 2412
2412: }
      ^

@hgunasin
Author

hgunasin commented Jul 9, 2020

Hi Mark

Let me try to upload another copy for your reference. Thanks.

@hgunasin
Author

hgunasin commented Jul 9, 2020

LparNetbootExp.pm.txt
Please try this file. This needs to be renamed to .pm (remove .txt).

Thanks.

@hgunasin
Author

hgunasin commented Jul 9, 2020 via email

@gurevichmark
Contributor

@wabe1968 Can you try the updated file?

@wabe1968

@gurevichmark @hgunasin
Thank you for the latest version of the file. It is working without errors. I am doing some changes to grab the proper ethernet adapter on the L922. I will post a new version when I have it working.

thanks,
Walter

Walter Bernocchi IBM - Lab Services Cognitive Consultant

@hgunasin
Author

hgunasin commented Jul 21, 2020 via email

@gurevichmark
Contributor

@hgunasin Yes, I can merge your changes, but was waiting for @wabe1968 to make changes to grab the proper ethernet adapter on the L922.

@wabe1968 Are you still planning to post those changes here?

@wabe1968

Hi Mark, sorry for my late reply, but the system I was using for the testing has not been available for several days.
Please find hereafter the modified version of LparNetbootExp.pm that also supports the 25G Mellanox adapters installed in the IBM L922 servers:
LparNetbootExp.pm.txt

@gurevichmark gurevichmark linked a pull request Aug 3, 2020 that will close this issue
@gurevichmark
Contributor

@wabe1968 @hgunasin
I am trying to review the code you contributed, but I must be missing something:

  • I can see the new option -a added to the Usage, but I do not see that option examined anywhere in the code.
  • I can see several places where secOF flag is being tested - if ($secOF == 1). But it looks like it gets defined as my $secOF=1; and then never gets set to anything else.

@hgunasin
Author

hgunasin commented Aug 12, 2020 via email

@gurevichmark
Contributor

@hgunasin Thank you for your contribution, it truly helps us keep the xCAT product up to date.

Unfortunately we cannot merge the submitted code as is, because of this hardcoded -a option.
Is there any way you can make changes to handle it properly?

@hgunasin
Author

hgunasin commented Aug 18, 2020 via email

@gurevichmark
Contributor

In function lparnetbootexp() around line 2929 there is a section of code that processes other options:

        -n      Do not boot partition
        -t      Specifies network type ent
        -D      Perform ping test, use adapter that successfully ping the server
        -s      Network adapter speed
        -d      Network adapter duplex
        -S      Server IP address
        -G      Gateway IP address
        -C      Client IP address
        -m      MAC Address
        -v      Verbose output
        -x      Debug output
        -f      Force close virtual terminal session
        -w      Set boot device order
                        0: Don't set boot device order
                        1: Set network as boot device
                        2: Set network as 1st boot device, disk as 2nd boot device
                        3: Set disk as 1st boot device, network as 2nd boot device
                        4: set disk as boot device
        -M      Discovery ethernet adapter mac address and location code

Did you try to process -a in a similar fashion?
Something like:

    if (exists($opt->{a})) {
        $secOF = 1;
    }
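
The two review findings in this thread (an option added to the Usage but never examined, and a flag defined as 1 and never set to anything else) can be checked mechanically before a patch is merged. The following is an added example, not code from xCAT or from any participant in this issue: the Perl sample is constructed, and only the `$opt->{a}` access form and the `$secOF` name come from the thread.

```python
import re

# Constructed Perl sample reproducing both review findings; the -a description
# and the helper subs (close_session, send_secure_prompt) are hypothetical.
SAMPLE_PM = r'''
sub usage {
    print "  -a      Secured OF prompt\n";
    print "  -v      Verbose output\n";
    print "  -f      Force close virtual terminal session\n";
}
sub lparnetbootexp {
    my $opt = shift;
    my $secOF = 1;
    my $verbose = 0;
    if (exists($opt->{v})) {
        $verbose = 1;
    }
    if (exists($opt->{f})) { close_session(); }
    if ($secOF == 1) { send_secure_prompt(); }
}
'''

USAGE_OPT = re.compile(r'^\s*(?:print\s+")?\s*-([A-Za-z])\s+\S', re.M)
OPT_READ = re.compile(r'\$opt->\{\s*[\'"]?([A-Za-z])[\'"]?\s*\}')
NUM_DECL = re.compile(r'\bmy\s+\$(\w+)\s*=\s*(\d+)\s*;')

def unread_options(src):
    """Options listed in the usage text that are never read from $opt."""
    return sorted(set(USAGE_OPT.findall(src)) - set(OPT_READ.findall(src)))

def constant_flags(src):
    """Scalars initialised to a number, tested in a condition, never reassigned."""
    found = []
    for name, value in NUM_DECL.findall(src):
        var = re.escape('$' + name)
        # '=' not followed by '=' or '~' is an assignment; '==' is a comparison.
        assignments = re.findall(var + r'\b\s*=(?![=~])', src)
        tested = re.search(r'\b(?:if|elsif|unless)\s*\([^)]*' + var + r'\b', src)
        if tested and len(assignments) == 1:
            found.append((name, int(value)))
    return found

if __name__ == "__main__":
    print("documented but never read:", unread_options(SAMPLE_PM))
    print("tested but constant:", constant_flags(SAMPLE_PM))
```
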

@gurevichmark
Contributor

@hgunasin Are you still planning to make changes to your code to properly handle the -a option?

@hgunasin
Author

hgunasin commented Sep 9, 2020 via email

@gurevichmark
Contributor

@hgunasin Great. If you can, use this version of the file (https://github.com/xcat2/xcat-core/blob/3b4434c8c652757ccd9dabfdda1dfa106c4409f2/perl-xCAT/xCAT/LparNetbootExp.pm) from my PR #6793.
I ran it through perltidy, so it should have proper formatting and indentation, which will make it easier for me to diff your changes.
