Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition

Solution Type: Problem Resolution Sure
Solution 1010907.1: Sun Fire[TM] V60x/V65x: BMC Port Conflict
Previously Published As: 215049

Symptoms

Ports used by LAN management conflict with those needed by the Baseboard Management Controller (BMC), causing timeouts and considerable waits in completing commands. Other utilities such as Remote Shell (rsh) and NIS services may also produce "time out" errors under heavy load if they are using the reserved BMC ports. The ports in question are 623 and 664, although the "Sun Fire V60x Server and Sun Fire V65x Server Server Management Guide" also erroneously lists port 624 (crypto admin). The ports are described as follows:

623 (26Fh) Aux Bus Shunt (Primary RMCP Port): Hereon referred to as the Primary RMCP Port. This port and the required RMCP messages must be provided to be conformant with the RMCP specifications. There is a mandatory set of messages that are required to be supported on this port. These messages are always sent in the clear so that system software can discover systems that have RMCP support.

664 (298h) Secure Aux Bus (Secondary RMCP Port): Hereon referred to as the Secondary RMCP Port or Secure Port. This port is only used when it is necessary to encrypt packets using an algorithm or specification that prevents unencrypted packets from also being transferred via the same port. Since discovery requires sending RMCP Ping/Pong packets in the clear, the secondary port is used for encrypted transfers while the primary port continues to support unencrypted packets. An implementation that utilizes this port must still support the Primary RMCP Port and the required messages on that port in order to be conformant with the RMCP specifications. Note that the common IPMI messaging protocols and authentication mechanisms in this specification do not use encrypted packets; therefore IPMI messaging does not need to use the secondary port.

The BMC is part of the Intelligent Platform Management Interface (IPMI) and uses the Remote Monitoring and Control Protocol (RMCP).
Resolution

To avoid this problem, either of the following solutions can be implemented:
1. configure your services to block the use of UDP ports 623 and 664, or
2. use an alternate network interface for that traffic.

The GNU FreeIPMI Documentation site states the following in chapter 13 of their guide, section 13.1 "Fencing IPMI IP ports":

Append the following to /etc/services:

# BMC IPMI/RMCP services
rmcp    623/udp    # Aux Bus Shunt (Primary RMCP Port)
rmcps   664/udp    # Secure Aux Bus (Secondary RMCP Port)

BMC internally (at hardware level) uses the above mentioned ports for sending RMCP/IPMI packets. To avoid any confli[c]t [sic] with the BMC, [the] Operating System should make sure no other applications or services uses [sic] these ports for communication. One easy way to do this is to start a simple daemon at the [sic] boot time that opens these ports but never uses them.

Secure connections to BMC port 664 are not enabled on most BMC implementations by default. The following sample code provides a simple daemon that implements the suggestion above for port 623. Compared with the version as originally published, the listing below adds the missing stdlib.h and sys/stat.h includes, passes log messages to syslog() as an argument rather than as the format string, lets the parent process exit quietly after a successful fork instead of logging "Unable to fork", uses setsid() to detach from the controlling terminal, and declares the address length as socklen_t.

/* *****************************************************************
 * Copyright (c) 2005 Sun Microsystems, Inc. All Rights Reserved.
 *
 * SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY
 * OF THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT
 * LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS
 * FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE
 * LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE AS A RESULT OF USING,
 * MODIFYING OR DISTRIBUTING THIS SOFTWARE OR ITS DERIVATIVES.
 * ***************************************************************** */
/*=================================================================*/
/* Name: pb_623.c (Port blocker for port 623)                      */
/* Description: Simple UDP server code that listens on port 623    */
/*----------------------------------------------------------------*/
/* Changes:                                                        */
/*================================================================*/
/* INCLUDES-------------------------------------------------------*/
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>     /* umask() */
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>       /* exit() */
#include <unistd.h>       /* close(), fork(), setsid() */
#include <string.h>       /* memset() */
#include <fcntl.h>
#include <syslog.h>

/* Global Definitions --------------------------------------------*/
#define LOCAL_SERVER_PORT 623
#define MAX_MSG 100

/*----------------------------------------------------------------*/
/* Function writelog: Writes errors and messages to logs.          */
/*----------------------------------------------------------------*/
void writelog(const char *errmsg)
{
    /* pass the text as an argument, never as the format string */
    syslog(LOG_INFO, "%s", errmsg);
}

/*----------------------------------------------------------------*/
/* Function daemonize: Forks the process and turns it into a       */
/* daemon. Returns 0 in the detached child; the parent exits and  */
/* the function does not return on error.                          */
/*----------------------------------------------------------------*/
int daemonize(void)
{
    pid_t pid;
    int fd;

    /* if we are started from init no need to become daemon */
    if (getppid() == 1) {
        writelog("Portblocker: Started from init, not forking");
        return 0;
    }

    pid = fork();
    if (pid < 0) {
        writelog("Portblocker: Unable to fork");
        exit(1);
    }
    if (pid > 0)
        exit(0);            /* parent: the child carries on */

    /* detach from the controlling terminal and process group */
    if (setsid() == -1) {
        writelog("Portblocker: Unable to set process group");
        exit(1);
    }

    /* second fork so the daemon can never reacquire a terminal */
    pid = fork();
    if (pid < 0) {
        writelog("Portblocker: Unable to fork");
        exit(1);
    }
    if (pid > 0)
        exit(0);

    if (chdir("/") < 0)
        writelog("Portblocker: Unable to chdir to /");
    umask(0);
    for (fd = 0; fd < 64; fd++)
        close(fd);
    /* stdin, stdout and stderr all point at /dev/null from here on */
    open("/dev/null", O_RDWR);
    dup(0);
    dup(0);
    return 0;
}

/*----------------------------------------------------------------*/
/* Main: Opens UDP listener on port 623 and then loops. Uses       */
/* daemonize to fork as a daemon if not started at boot time.      */
/*----------------------------------------------------------------*/
int main(int argc, char *argv[])
{
    int sd, rc, n;
    socklen_t cliLen;
    struct sockaddr_in cliAddr, servAddr;
    char msg[MAX_MSG];

    (void)argc;
    (void)argv;
    daemonize();

    /* socket creation */
    if ((sd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
        writelog("Portblocker: cannot open socket");
        exit(1);
    }

    /* bind local server port; SO_REUSEADDR is deliberately not set, */
    /* so nothing else on the host can bind 623 while we hold it     */
    memset(&servAddr, 0, sizeof(servAddr));
    servAddr.sin_family = AF_INET;
    servAddr.sin_addr.s_addr = htonl(INADDR_ANY);
    servAddr.sin_port = htons(LOCAL_SERVER_PORT);
    if ((rc = bind(sd, (struct sockaddr *)&servAddr, sizeof(servAddr))) < 0) {
        writelog("Portblocker: cannot bind to port");
        exit(1);
    }
    writelog("Portblocker: Started successfully");

    /* loop - keep the port alive; anything received is discarded */
    while (1) {
        /* init buffer */
        memset(msg, 0x0, MAX_MSG);
        /* receive message */
        cliLen = sizeof(cliAddr);
        if ((n = recvfrom(sd, msg, MAX_MSG, 0,
                          (struct sockaddr *)&cliAddr, &cliLen)) < 0) {
            writelog("Portblocker: cannot receive data");
            continue;
        }
    } /* end while loop */
    return 0;
} /* end main */

Relief/Workaround

Product
Sun Fire V60x Compute Grid Rack System
Sun Fire V60x Server
Sun Fire V65x Server

Internal Comments
For internal Sun use only. francisco.delatorre@sun.com
Keywords: BMC, Port 623, 623, conflict, V65, rpc, nis, 624, IPMI

Previously Published As: 79519

Change History
Date: 2006-05-22  User Name: 97961  Action: Update Canceled  Comment: *** Restored Published Content *** - Audience changed to "Contract" per FvF http://kmo.central/howto/FvF.html  Version: 0
Date: 2006-05-22  User Name: 97961  Action: Update Started  Comment: - Audience changed to "Contract" per FvF http://kmo.central/howto/FvF.html  Version: 0
Date: 2005-06-03  User Name: 25440  Action: Approved  Comment: Publishing.  Version: 6
Date: 2005-06-03  User Name: 25440  Action: Accept  Comment:  Version: 0

Product_uuid
6a386040-356d-11d7-989c-cd4a3a4ab304 | Sun Fire V60x Compute Grid Rack System
03728cec-0ee3-11d7-9be8-dd41f651e0a3 | Sun Fire V60x Server
079e9bbc-0ee3-11d7-8c50-f1061905b56f | Sun Fire V65x Server

Attachments
This solution has no attachment
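The following C program is an added example that generalizes the resolution above to both reserved ports; it is not Sun's pb_623.c and not FreeIPMI code. It looks up the rmcp and rmcps service names through getservbyname() so that the /etc/services entries from the FreeIPMI guide are honoured, falls back to 623 and 664 when those entries are absent, binds each port on all interfaces without SO_REUSEADDR so that the kernel refuses any later bind, and on failure reports which port is already held rather than exiting with a generic message. The function names (resolve_udp_port, reserve_udp_port, bound_udp_port, reserve_all) and the constructed service table are this example's own assumptions; daemonizing is left out so the program can be run under a service manager or from init as-is.

```c
/* bmc_port_reserve.c: hold the RMCP/IPMI UDP ports so no host service can
 * be assigned them. Added example, not part of the Sun solution. Assumes a
 * POSIX/Linux host; binding the privileged ports needs root. */
#include <arpa/inet.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define NPORTS 2

/* Constructed table: service names as they would appear in /etc/services,
 * with the well-known RMCP port numbers as fallback. */
static const char *kServiceNames[NPORTS] = { "rmcp", "rmcps" };
static const int kFallbackPorts[NPORTS] = { 623, 664 };

/* Resolve a UDP service name via /etc/services (getservbyname); return
 * `fallback` when the name is not defined there. */
int resolve_udp_port(const char *name, int fallback)
{
    struct servent *se = getservbyname(name, "udp");
    return se ? ntohs((uint16_t)se->s_port) : fallback;
}

/* Bind a UDP socket to `port` on all interfaces WITHOUT SO_REUSEADDR, so the
 * kernel refuses every later bind to that port. Returns the descriptor, or
 * -1 with errno set (EADDRINUSE when something else already holds it). */
int reserve_udp_port(int port)
{
    struct sockaddr_in addr;
    int sd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sd < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons((uint16_t)port);
    if (bind(sd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        int saved = errno;       /* keep the bind() error across close() */
        close(sd);
        errno = saved;
        return -1;
    }
    return sd;
}

/* Port actually held by a bound socket, in host order (useful when port 0
 * let the kernel choose), or -1 on error. */
int bound_udp_port(int sd)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof(addr);
    if (getsockname(sd, (struct sockaddr *)&addr, &len) < 0)
        return -1;
    return ntohs(addr.sin_port);
}

/* Reserve every port in `ports` (descriptors go into `fds`). Returns 1 on
 * success. On the first failure, releases what was reserved so far, stores
 * the index of the port that could not be taken in *failed_idx and returns
 * 0, so the operator learns which port is already in use. */
int reserve_all(const int *ports, int *fds, int n, int *failed_idx)
{
    int i, j;
    for (i = 0; i < n; i++) {
        fds[i] = reserve_udp_port(ports[i]);
        if (fds[i] < 0) {
            int saved = errno;
            for (j = 0; j < i; j++)
                close(fds[j]);
            *failed_idx = i;
            errno = saved;
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    int ports[NPORTS], fds[NPORTS], i, failed = -1;
    for (i = 0; i < NPORTS; i++)
        ports[i] = resolve_udp_port(kServiceNames[i], kFallbackPorts[i]);
    if (!reserve_all(ports, fds, NPORTS, &failed)) {
        fprintf(stderr, "cannot reserve UDP port %d (%s): %s\n",
                ports[failed], kServiceNames[failed], strerror(errno));
        return 1;
    }
    printf("holding UDP ports");
    for (i = 0; i < NPORTS; i++)
        printf(" %d", ports[i]);
    printf("; the host will not assign them to other services\n");
    for (;;)
        pause();    /* keep the descriptors open until a signal ends us */
    return 0;
}
```

Two points worth knowing when deploying this: a bind to a port that is already held fails with EADDRINUSE, and on Linux a later bind fails even if the other process sets SO_REUSEADDR, because both sockets would need that option for sharing to be allowed. This is purely a host-side mitigation: it stops host applications from being handed 623 or 664 as a source port, which is what causes their replies to be lost to the BMC; it does not change what the BMC itself listens on.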