Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition
Solution Type: Problem Resolution Sure Solution

1010907.1 : Sun Fire[TM] V60x/V65x: BMC Port Conflict

Previously Published As 215049

Applies to:
Sun Fire V60x Server - Version Not Applicable and later
Sun Fire V65x Server - Version Not Applicable and later
Sun Fire V60x Compute Grid Rack System - Version Not Applicable and later
All Platforms

***Checked for relevance on 18-Feb-2014***

Symptoms

Ports used by LAN management conflict with those needed by the Baseboard Management Center (BMC), causing timeouts and considerable waits in completing commands. The ports in question are 623 and 664, although the "Sun Fire V60x Server and Sun Fire V65x Server Server Management Guide" also erroneously lists port 624 (crypto admin).

The ports are described as follows:

623 (26Fh) Aux Bus Shunt (Primary RMCP Port): Hereon referred to as the Primary RMCP Port. This port and the required RMCP messages must be provided to be conformant with the RMCP specifications. There is a mandatory set of messages that are required to be supported on this port. These messages are always sent in the clear so that system software can discover systems that have RMCP support.

664 (298h) Secure Aux Bus (Secondary RMCP Port): Hereon referred to as the Secondary RMCP Port or Secure Port. This port is only used when it is necessary to encrypt packets using an algorithm or specification that prevents also sending unencrypted packets from being transferred via the same port. Since discovery requires sending in the clear RMCP Ping/Pong packets, the secondary port is used to transfer encrypted transfers while the primary port continues to support unencrypted packets. An implementation that utilizes this port must still support the Primary RMCP Port and the required messages on that port in order to be conformant with the RMCP specifications. Note that the common IPMI messaging protocols and authentication mechanisms in this specification do not use encrypted packets, therefore IPMI messaging does not need to use the secondary port.
BMC is part of the Intelligent Platform Management Interface (IPMI) and uses the Remote Monitoring and Control Protocol (RMCP)
Cause

Conflict between LAN traffic and BMC Management Control Ports

Solution

To avoid this problem, the following solutions can be implemented:

2. Use an alternate network interface for that traffic.

The GNU FreeIPMI Documentation site states the following in chapter 13 of their guide:

13.1 Fencing IPMI IP ports

Append the following to /etc/services:

```
# BMC IPMI/RMCP services
rmcp 623/udp # Aux Bus Shunt (Primary RMCP Port)
rmcps 664/udp # Secure Aux Bus (Secondary RMCP Port)
```

BMC internally (at hardware level) uses the above mentioned ports for sending RMCP/IPMI packets. To avoid any confli[c]t [sic] with the BMC, [the] Operating System should make sure no other applications or services uses [sic] these ports for communication. One easy way to do this is to start a simple daemon at the [sic] boot time that opens these ports but never uses them. Secure connections to BMC port 664 is not enabled on most BMC implementations by default.

The following sample code provides a simple daemon to implement the suggestion above:

```c
/*
 * *****************************************************************
 * Copyright (c) 2005 Sun Microsystems, Inc. All Rights Reserved.
 *
 * SUN MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY
 * OF THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT
 * LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS
 * FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. SUN SHALL NOT BE
 * LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE AS A RESULT OF USING,
 * MODIFYING OR DISTRIBUTING THIS SOFTWARE OR ITS DERIVATIVES.
 * *****************************************************************
 */

/*================================================================*/
/* Name: pb_623.c (Port blocker for port 623)                     */
/* Description: Simple UDP server code that listens on port 623   */
/*----------------------------------------------------------------*/
/* Changes:                                                       */
/*================================================================*/

/* INCLUDES-------------------------------------------------------*/
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>   /* umask() */
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <unistd.h>     /* close(), fork(), setsid() */
#include <string.h>     /* memset() */
#include <fcntl.h>
#include <syslog.h>

/* Global Definitions --------------------------------------------*/
#define LOCAL_SERVER_PORT 623
#define MAX_MSG 100

/*----------------------------------------------------------------*/
/* Function writelog: Writes errors and messages to logs.         */
/*----------------------------------------------------------------*/
void writelog(const char errmsg[])
{
    /* Fixed format string: never pass the message as the format. */
    syslog(LOG_INFO, "%s", errmsg);
}

/*----------------------------------------------------------------*/
/* Function daemonize: Forks the process and turns it into a      */
/* daemon. Returns 0 in the process that continues running.       */
/*----------------------------------------------------------------*/
int daemonize(void)
{
    pid_t pid;
    int fd;

    /* if we are started from init no need to become daemon */
    if (getppid() == 1) {
        writelog("Portblocker: Started from init, not forking");
        return 0;
    }

    pid = fork();
    if (pid < 0) {
        writelog("Portblocker: Unable to fork");
        exit(1);
    }
    if (pid > 0)
        exit(0);            /* parent exits, child carries on */

    /* setsid() is used here as the portable form of the original */
    /* setpgrp() call: it detaches from the controlling terminal. */
    if (setsid() == -1) {
        writelog("Portblocker: Unable to set process group");
        exit(1);
    }

    pid = fork();
    if (pid < 0) {
        writelog("Portblocker: Unable to fork");
        exit(1);
    }
    if (pid > 0)
        exit(0);            /* session leader exits */

    chdir("/");
    umask(0);

    /* close inherited descriptors, then point 0, 1 and 2 at /dev/null */
    for (fd = 0; fd < 64; fd++)
        close(fd);
    open("/dev/null", O_RDWR);
    dup(0);
    dup(0);

    return 0;
}

/*----------------------------------------------------------------*/
/* Main: Opens UDP listener on port 623 and then loops. Uses      */
/* daemonize to fork as a daemon if not started at boot time.     */
/*----------------------------------------------------------------*/
int main(int argc, char *argv[])
{
    int sd, rc, n;
    socklen_t cliLen;
    struct sockaddr_in cliAddr, servAddr;
    char msg[MAX_MSG];

    (void) argc;
    (void) argv;

    daemonize();

    /* socket creation */
    if ((sd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
        writelog("Portblocker: cannot open socket");
        exit(1);
    }

    /* bind local server port */
    memset(&servAddr, 0, sizeof(servAddr));
    servAddr.sin_family = AF_INET;
    servAddr.sin_addr.s_addr = htonl(INADDR_ANY);
    servAddr.sin_port = htons(LOCAL_SERVER_PORT);
    if ((rc = bind(sd, (struct sockaddr *) &servAddr, sizeof(servAddr))) < 0) {
        writelog("Portblocker: cannot bind to port");
        exit(1);
    }

    writelog("Portblocker: Started successfully");

    /* loop - keep the port alive */
    while (1) {
        /* init buffer */
        memset(msg, 0x0, MAX_MSG);

        /* receive message (contents are discarded) */
        cliLen = sizeof(cliAddr);
        if ((n = recvfrom(sd, msg, MAX_MSG, 0,
                          (struct sockaddr *) &cliAddr, &cliLen)) < 0) {
            writelog("Portblocker: cannot receive data");
            continue;
        }
    } /* end while loop */

    return 0;
} /* end main */
```
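As an added example (not part of the Sun sample above or of the FreeIPMI guide), the sketch below extends the same idea to both RMCP ports named in this document, 623 and 664, and adds a probe that reports whether a port is already held by some socket. The helper names `reserve_udp_port` and `udp_port_is_held` are hypothetical, and the program assumes it is started as root, since both ports are below 1024.

```c
/* Added example: helper names are hypothetical, ports 623/664 are from the page. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Bind a UDP socket to port and return it still open; -1 with errno on failure. */
int reserve_udp_port(unsigned short port)
{
    struct sockaddr_in addr;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        int saved = errno;          /* close() may overwrite errno */
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* 1 = port already held, 0 = port was free, -1 = unknown (e.g. EACCES). */
int udp_port_is_held(unsigned short port)
{
    int fd = reserve_udp_port(port);
    if (fd < 0)
        return errno == EADDRINUSE ? 1 : -1;
    close(fd);                      /* probe only: release it again */
    return 0;
}

int main(void)
{
    static const unsigned short rmcp_ports[] = { 623, 664 };
    for (size_t i = 0; i < 2; i++)
        if (reserve_udp_port(rmcp_ports[i]) < 0) {
            fprintf(stderr, "port %u: %s\n", (unsigned)rmcp_ports[i], strerror(errno));
            return 1;
        }
    pause();    /* hold both sockets open without ever reading from them */
    return 0;
}
```

A result of 1 from `udp_port_is_held(623)` on a running system confirms that some socket owns the port (the blocker or another service); it does not identify the owning process.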
Previously Published As 79519

Attachments

This solution has no attachment