Collect ILOM snapshot(s) by running STB7.3 and later domain Explorer

Asset ID:	1-71-1555123.1
Update Date:	2017-12-04
Keywords:

Solution Type Technical Instruction Sure

Solution 1555123.1 : Collect ILOM snapshot(s) by running STB7.3 and later domain Explorer

Applies to:

SPARC M5-32 - Version All Versions and later
SPARC T5-2 - Version All Versions and later
SPARC T4-2 - Version Not Applicable and later
SPARC T3-2 - Version Not Applicable and later
Sun Fire X4100 M2 Server - Version Not Applicable and later
Information in this document applies to any platform.

Goal

This document describes ILOM snapshot collection by running a domain Explorer. The Explorer module ilomsnaphot is completely re-written, starting with Services Tool Bundle (STB) 7.3. It applies to all the servers running ILOM 3.0 or later with domain(s) running Solaris 10 or Solaris 11 and describes the usage of the ilomsnapshot module of Explorer 7.3 (as part of STB7.3) or newer.

Solution

Please refer to Collecting snapshot on ILOM 3.x and later platforms [ID 1020204.1] for further details about collecting ILOM snapshot from ILOM or when using the ilomsnapshot module of Explorer 7.2 and before.

When running Explorer from the Solaris 10 or 11 domain, it's possible to collect the ILOM snapshot from the Service Processor. This is done via the ilomsnaphot module (explorer -w ilomsnapshot). The ilomsnapshot module can be run manually (interactive), and in an automated (non-interactive) version. Both options are described in this document.

This document applies to Explorer version 7.3 or above. We strongly recommend to run the latest version of Explorer. Explorer may be downloaded from "Oracle Services Tools Bundle (STB) - RDA/Explorer, SNEEP, ACT (Doc ID 1153444.1)".

The 'ilomsnapshot' Explorer module has been redesigned since Explorer 7.3 and the required setup has changed, including the input file expected content. The new module considers the following hosts:

Archive host - This is the host where the snapshot command will place the resulting file at via ftp/sftp.
Explorer host - This is the host where Explorer is actually being executed at.
ILOM SP - This is the ILOM host/SP where the snapshot command is executed at.

The Explorer host and the archive host can be the same, but do not necessarily have to be the same. Starting with Explorer 7.3, there are 2 setup files to consider :

'$HOME/.explorer' file:

This file will always be used. It will be used when running Explorer in interactive and non-interactive modes.
It will contain different sections. Each section will contain all the necessary information to collect the corresponding ILOM snapshot.

Input file 'ilomsnapshotinput.txt' :

Its permissions should be 400 or 600, otherwise will be ignored. This file will only be used when running in non-interactive mode and will contain the following information:

Provide the archival context information.
Provide the passwords needed to connect to the different ILOM hosts.

Some setup is needed at both the archive host (which the snapshot output will be sent to) and optionally the Explorer host (when using non-interactive mode). Basically, the ilomsnapshot module will behave as following

Module ilomsnapshot_start:

        Explorer will first connect to the Archive host to obtain the ILOM information (this information is contained in the different sections from '$HOME/.explorer' file at the archive host).
        Explorer will also verify that all the required setup is done at the Archive host.
        After this verification is completed, Explorer will connect to the ILOM host and launch the snapshot command.
        As ILOM snapshot command is asynchronous, Explorer will verify that the snapshot is running, will disconnect from the ILOM and continue to do run other Explorer modules.

Module ilomsnapshot_finish:

        Explorer will connect to the ILOM host where a snapshot has been launched.
        Explorer will poll the snapshot result until the snapshot has completed or a timeout is reached (20 minutes).
        Once the snapshot is completed, Explorer will disconnect from the ILOM host, and will connect again to the Archive host to obtain the snapshot file and perform cleanup.

Note for M5-32 servers : due to the 20 minutes timeout, it's very likely that the ILOM snaphot collection will not finished before the timeout expires. As a result, the Explorer output will not contain the ILOM snapshot.

Using the ilomsnaphot module for Explorer 7.3 and later can be summarized as following (details are described later in this document) :

When running in interactive mode:

        There is no need to create 'ilomsnapshotinput.txt' file.
        You need to create '$HOME/.explorer' file as described above in the archive host.
        User will interactively be prompted for:
            - Section name from '$HOME/.explorer' file to be used.
            - Archive user name.
            - Archive host name.
            - If a password is needed, Explorer will interactively prompt it.

When running in non-interactive mode:

        You need to create 'ilomsnapshotinput.txt' file as described above in the Explorer host.
        You need to create '$HOME/.explorer' file as described above in the archive host.
        You need to have one or more A records in 'ilomsnapshotinput.txt' file.
        For each A record, there must be a matching section in the '.explorer' file.
        The hostname in the A line is the archival hostname, the hostname in the section from '.explorer' file is the ILOM hostname.
        For each A line, the section in '.explorer' is used to collect a snapshot.
        If a password is needed, it goes looking for a matching I or T line in 'ilomsnapshotinput.txt'
            If password is found, it will be used.
            If password is not found Explorer will try to run without the password in case SSH certificates have been enabled.
            If no SSH certificates have been enabled and no password is found, the collection will not occur.

Archive host setup (always required)

The archival host must be a host that can be reached over the network by both the explorer host and the ILOM Service Processor. The archival and explorer host can be the same host. The archival host must have a valid user with a valid homedir to hold the snapshots.

The 'ilomsnapshot' module on the explorer host connects through 'su' or SSH as the specified user on the archive host to retrieve snapshot archival context from the ${HOME}/.explorer file. You should create that file in order to collect a snapshot.

Since other ILOM's or other SP's can use the same archival user, each of them has a specific section in the ${HOME}/.explorer file. File ${HOME}/.explorer should be owned by the archival user and its permissions should be 400 or 600.

A typical section looks like this:

[ILOM:t4_2_tvp540_e_sp]
CLN="FILE"
DIR="/home/explo/ilom_snapshot"
ENC="N"
HST="t4-2-tvp540-e-sp"
SCH="sftp"
TYP="normal-logonly"
USR="root"

For an ILOM section, we have:

A section header "[ILOM:name_of_section]" regroups a set of keywords and their values to describe a specific archival context. The section name must be a word, which is composed of letters, digits, and underscores.

"CLN" specifies the cleanup strategy. It supports the following strategies:
- "ALL": Removes all files from destination directory.
- "FILE": Removes the snapshot file collected by Oracle Explorer. (default)
- "NONE": Disables any cleanup.
- "PAT": Removes all files from the destination directory, with a name matching the indicated pattern.
  - For example, CLN="PAT:*.zip"

"DIR" indicates the snapshot directory location.
- If DIR is a full path the full path will be used.
- If DIR is not a full path, the path used will be relative to the archive user's $HOME directory.
- Its full path cannot contain single and double quote characters.
- The snapshot directory should be owned by the archival user and its permissions should be 700.

"ENC": the output encryption strategy.
- Output encryption is only allowed when running in interactive mode.
- It supports the following one
  - Y|y: Output encryption enabled (This will cause encryption pass-phrase to be prompted before running the snapshot command)
  - N|n: Output encryption disabled

"HST" specifies the ILOM host.
- When a hostname[.domain] is used, the ILOM must be able to resolve it. An IP address is an alternative.

"KEY" specifies an optional identification key, which can be used to indicate that multiple entries are using the same password.

"SCH": specifies the result file transfer scheme to be used. It supports the following ones: ftp, sftp

"TYP": specifies the snapshot dataset to use. It supports the following ones:
- normal
- normal-logonly
- fruid
- fruid-logonly

"USR" specifies the ILOM user, used to take the snapshot.

Further reference available from Oracle Explorer Data Collector: Modules, Module Groups, Module Aliases Summary [ID 1536532.1]

Explorer host setup (non-interactive mode only)

Using non-interactive mode also requires to create an input file (ilomsnapshotinput.txt) as usual :
Solaris 11 : /etc/explorer/
Solaris 10 and others : /etc/opt/SUNWexplo/

File ilomsnapshotinput.txt should be owned by root user and its permissions should be 400 or 600.

A typical ilomsnapshotinput.txt looks like this:

    T shared ilom_shared_password
    A archive.es.oracle.com explo_user t4_2_tvp540_e_sp explo_user_password
    I t4-2-tvp540-e-sp ilom_user ilom_password

The 'ilomsnapshotinput.txt' file contains 3 types of entries:

A type: describes how to connect to the archival context but also keeps the password if snapshot archival is used. The following fields can be present:

        "A" : type.
        HST: the archival host. When "-" is specified, explorer uses "su" to connect to the archival context, otherwise it uses SSH.
        USR: the archival user name.
        SCT: the archival section.
        PWD (optional): the archival password, which can be used both for the connection to the archival context as for the snapshot archival password.

I type: describes how to connect to the ILOM and contains the following fields:

        "I" : type.
        HST: the ILOM host. Connection to the ILOM will always be done using SSH.
        USR: the ILOM user name.
        PWD (optional): the ILOM password.

T type: describes how to connect to the ILOM and contains the following fields:

        "T" : type.
        KEY: the KEY field from the .explorer section.
        PWD (optional): the ILOM password

When the '.explorer' section is retrieved, Explorer tries to retrieve the corresponding I or T record from the 'ilomsnapshotinput.txt'.
When no I or T record is found, Explorer will prompt for the password if required. It's possible to exchange the ssh keys between ILOM and the host so the "I" entry is not needed.
When an I or T record is found, Explorer will never prompt for the password. When a password is present in the record, it will possibly be used when establishing the connection.

Snapshot execution

Once it has retrieved the snapshot context, this module gathers the following Integrated Lights Out Manager (ILOM) commands through SSH:

    set /X/diag/snapshot dataset="${DATASET}"
    set /X/diag/snapshot encrypt_output="${ENCRYPT}"
    set /X/diag/snapshot dump_uri="${SCH}://${USER}@${HOST}${DIR}"
    show /X/diag/snapshot result

${DATASET} represents the set of information to be collected.
${DIR} represents the location where the snapshot file will be placed in the archive host.
${ENCRYPT} represents the snapshot file encryption mode.
${HOST} represents the archive host.
${SCH} represents the scheme to be used for transferring the snapshot file to the archive host.
${USER} represents the user to connect to the archive host.

Example

In the following example, explorer executed as root on host t4-1-tvp540-f (solaris 11.1) will collect the ILOM snapshot from the SP t4-1-tvp540-f-sp as user expluser. t4-1-tvp540-f is used as archive host as well via user jack.

1. Create a user on the SP/CMM with the administration (a) role.

-> create /X/users/expluser
Creating user...
Enter new password: *********
Enter new password again: *********
Created /SP/users/expluser
-> set /X/users/expluser role=ao
Set 'role' to 'ao'

2. Load the public key - First, generate a key on the Explorer Host. This is the key that will be loaded on the SP / CMM (do not use passphrase) :

root@t4-1-tvp540-f:~# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
/root/.ssh/id_dsa already exists.
Overwrite (yes/no)? yes
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
59:56:85:73:0a:39:75:24:0a:57:1e:ff:24:16:8a:bd root@t4-1-tvp540-f

- Log to the SP/CMM from the Explorer Host as expluser :

root@t4-1-tvp540-f:~# ssh -l expluser t4-1-tvp540-f-sp
The authenticity of host 't4-1-tvp540-f-sp.' can't be established.
RSA key fingerprint is 6f:f9:3d:2e:c2:bc:1a:00:b2:4e:0a:b3:36:95:d7:3b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 't4-1-tvp540-f-sp' (RSA) to the list of known hosts.
Password:

Oracle(R) Integrated Lights Out Manager

Version 3.0.16.9.a r76782

Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Warning: The system appears to be in manufacturing test mode.
Contact Service immediately.

->

- Make sure to clear any existing key :

-> cd /SP/users/expluser/ssh/keys/1
/SP/users/expluser/ssh/keys/1

-> set clear_action=true
Are you sure you want to clear /SP/users/expluser/ssh/keys/1 (y/n)? y
Set 'clear_action' to 'true'

- Then load the key on the SP :

-> set load_uri=sftp://jack:password@t4-1-tvp540-f/root/.ssh/id_dsa.pub
Load successful.
-> ls -d properties
/SP/users/expluser/ssh/keys/1
    Properties:
        fingerprint = 59:56:85:73:0a:39:75:24:0a:57:1e:ff:24:16:8a:bd
        algorithm = ssh-dss
        embedded_comment = (none)
        bit_length = 1024
        load_uri = (Cannot show property)
        clear_action = (Cannot show property)

3. Log again to the SP user account from the Explorer Host, no more password requested

root@t4-1-tvp540-f:~# ssh -l expluser t4-1-tvp540-f-sp

Oracle(R) Integrated Lights Out Manager

Version 3.0.16.9.a r76782

Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Warning: The system appears to be in manufacturing test mode.
Contact Service immediately.

4. On the host (explorer host = archive host in this example), create and populate the ${HOME}/.explorer file for the user jack that will be used for archiving the snapshot in the ${HOME}/ilomsnapshot directory

jack@t4-1-tvp540-f:~$ ls -la ~/.explorer
-rw------- 1 jack staff 129 May 21 13:30 /home/jack/.explorer
jack@t4-1-tvp540-f:~$ more /home/jack/.explorer
[ILOM:t4_1_sp]
CLN="NONE"
DIR="ilomsnapshot"
ENC="N"
HST="t4-1-tvp540-f-sp"
SCH="sftp"
TYP="normal"
USR="expluser"

5. At this point, it's possible to collect the ILOM snapshot from t4-1-tvp540-f-sp in interactive mode. Note that the password for the user on the archive host will be prompted twice

root@t4-1-tvp540-f:~# explorer -w !default,ilomsnapshot,interactive
…
Defined ilomsnapshot archive contexts:

Select an action:
D Define new ilomsnapshot archive context
R Return
Enter the selection
Hit "Return" to accept the default (R)
> D

Enter the ilomsnapshot section name to use from .explorer file
> t4_1_sp

Enter the user for connecting to the ilomsnapshot archive host
> jack

Enter the host name or IP address of an ilomsnapshot archive host, or '-' for
localhost
> -

Defined ilomsnapshot archive contexts:
1 t4_1_sp from jack on local host

Select an action:
D Define new ilomsnapshot archive context
S Suppress an existing ilomsnapshot archive context
R Return
Enter the selection
Hit "Return" to accept the default (R)
> R

...
May 21 13:36:16 t4-1-tvp540-f[7685] ilomsnapshot_start:RUNNING
May 21 13:36:16 t4-1-tvp540-f[7685] ilomsnapshot_start:Starting snapshot on
                                                       t4-1-tvp540-f-sp
Enter jack password for archive host t4-1-tvp540-f:
Please re-enter it to confirm:
May 21 13:36:36 t4-1-tvp540-f[7685] ilomsnapshot_start:Data gathering started
                                                       for
                                                       t4-1-tvp540-f-sp
…
May 21 13:37:47 t4-1-tvp540-f[7685] ilomsnapshot_finish:RUNNING
May 21 13:37:47 t4-1-tvp540-f[7685] ilomsnapshot_finish:Collecting snapshot
                                                        from
                                                        t4-1-tvp540-f-sp
                                                        (can take time)
May 21 13:42:44 t4-1-tvp540-f[7685] ilomsnapshot_finish:Data gathering
                                                        complete for
                                                        t4-1-tvp540-f-sp
…
May 21 13:42:46 t4-1-tvp540-f[7685] explorer: Explorer finished

As a result, the ILOM snapshot is available in the ilom explorer directory

root@t4-1-tvp540-f:~# ls -la /var/explorer/output/explorer.85e8e8c2.t4-1-tvp540-f-2013.05.21.12.35/ilom/t4-1-tvp540-f-sp/
total 32
drwx------   2 root     root           5 May 21 13:42 .
drwx------   3 root     root           3 May 21 13:42 ..
-rw-------   1 root     root        2100 May 21 13:42 ilomsnapshot_finish.out
-rw-------   1 root     root         427 May 21 13:36 ilomsnapshot_start.out
-rw-------   1 root     root          50 May 21 13:42 t4-1-tvp540-f-sp_1.2.3.4_2013-05-21T12-22-57.zip

and of course in the homedir for user jack as no cleanup requested in the .explorer file

jack@t4-1-tvp540-f:~$ ls -la ~/ilomsnapshot/
total 15403
drwx------   2 jack     staff          5 May 21 13:36 .
drwxr-xr-x   3 jack     staff          7 May 21 13:30 ..
-rw-r--r--   1 jack     staff    2592664 May 21 13:42 t4-1-tvp540-f-sp._1.2.3.4_2013-05-21T12-22-57.zip

From the ILOM SP, the snapshot collection can be confirmed as following

-> ls

/SP/diag/snapshot
    Targets:

    Properties:
        dataset = normal
        dump_uri = (Cannot show property)
        encrypt_output = false
        result = Collecting data into sftp://jack@t4-1-tvp540-f/home/jack/ilomsnapshot/t4-1-tvp540-f-sp_1.2.3.4_2013-05-21T12-22-57.zip
Snapshot Complete.
Done.

6. in order to perform the similar data collection in non-interactive mode, create and populate the ilomsnapshotinput.txt file

root@t4-1-tvp540-f:~# ls -la /etc/explorer/ilomsnapshotinput.txt
-rw-------   1 root     root          39 May 21 12:08 /etc/explorer/ilomsnapshotinput.txt
root@t4-1-tvp540-f:~# more /etc/explorer/ilomsnapshotinput.txt
A t4-1-tvp540-f jack t4_1_sp password

Since the keys have been exchanged, no "I" record needed.
and start the explorer data collection which is no longer ask for any input.

root@t4-1-tvp540-f:~# explorer -w ilomsnapshot
…
May 21 13:54:44 t4-1-tvp540-f[9180] ilomsnapshot_start:RUNNING
May 21 13:54:50 t4-1-tvp540-f[9180] ilomsnapshot_start:Starting snapshot on
                                                       t4-1-tvp540-f-sp
May 21 13:55:01 t4-1-tvp540-f[9180] ilomsnapshot_start:Data gathering started
                                                       for
                                                       t4-1-tvp540-f-sp
…
May 21 13:56:13 t4-1-tvp540-f[9180] ilomsnapshot_finish:RUNNING
May 21 13:56:13 t4-1-tvp540-f[9180] ilomsnapshot_finish:Collecting snapshot
                                                        from
                                                        t4-1-tvp540-f-sp
                                                        (can take time)
May 21 14:01:15 t4-1-tvp540-f[9180] ilomsnapshot_finish:Data gathering
                                                        complete for
                                                        t4-1-tvp540-f-sp
…
May 21 14:01:18 t4-1-tvp540-f[9180] explorer: data collection complete
May 21 14:01:19 t4-1-tvp540-f[9180] explorer: Removing previous explorers from /var/explorer/output ...
May 21 14:01:19 t4-1-tvp540-f[9180] explorer: Explorer finished

root@t4-1-tvp540-f:~# ls -la /var/explorer/output/explorer.85e8e8c2.t4-1-tvp540-f-2013.05.21.12.54/ilom/t4-1-tvp540-f-sp/
total 5157
drwx------   2 root     root           5 May 21 14:01 .
drwx------   3 root     root           3 May 21 14:01 ..
-rw-------   1 root     root        2100 May 21 14:01 ilomsnapshot_finish.out
-rw-------   1 root     root         427 May 21 13:55 ilomsnapshot_start.out
-rw-------   1 root     root     2594875 May 21 14:01 t4-1-tvp540-f-sp_1.2.3.4_2013-05-21T12-41-22.zip

jack@t4-1-tvp540-f:~$ ls -la ~/ilomsnapshot/
total 20530
-rw-r--r--   1 jack     staff    2592664 May 21 13:42 t4-1-tvp540-f-sp_1.2.3.4_2013-05-21T12-22-57.zip
-rw-r--r--   1 jack     staff    2594875 May 21 14:01 t4-1-tvp540-f-sp_1.2.3.4_2013-05-21T12-41-22.zip

-> ls

/SP/diag/snapshot
    Targets:

    Properties:
        dataset = normal
        dump_uri = (Cannot show property)
        encrypt_output = false
        result = Collecting data into sftp://jack@t4-1-tvp540-f/home/jack/ilomsnapshot/t4-1-tvp540-f-sp_1.2.3.4_2013-05-21T12-41-22.zip
Snapshot Complete.
Done.

Attachments

This solution has no attachment