<html><body><div style="font-family: arial,helvetica,sans-serif; font-size: 12pt; color: #000000"><div><style><!--

--></style></div><div>On Dell DRAC you can disable IPMI/RAC control at the device for OS configuration.</div><div><br data-mce-bogus="1"></div><div>With Supermicro IPMI you just need to create a random user and random password that is not "admin".</div><div><br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div data-marker="__SIG_PRE__"><div>_____________________________________________<br><br><div><b>Tyler Bishop</b></div><div><a href="http://beyondhosting.net" target="_blank">http://BeyondHosting.net</a></div></div></div><div><br></div><hr id="zwchr" data-marker="__DIVIDER__"><div data-marker="__HEADERS__"><b>From: </b>"Guo James" &lt;guoyongxhzhf@outlook.com&gt;<br><b>To: </b>xiefp88@sina.com, "openstack" &lt;openstack@lists.openstack.org&gt;<br><b>Sent: </b>Wednesday, January 10, 2018 10:16:34 PM<br><b>Subject: </b>Re: [Openstack] [ironic] how to prevent ironic user to controle ipmi through OS?<br></div><div><br></div><div data-marker="__QUOTED_TEXT__">






<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.5pt;font-family:'Calibri','sans-serif';color:#1F497D">Ironic user can change the IPMI address so that OpenStack ironic loses control of the bare metal.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.5pt;font-family:'Calibri','sans-serif';color:#1F497D">I think that is unacceptable.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.5pt;font-family:'Calibri','sans-serif';color:#1F497D">It seems that we should make the ironic image without root privilege.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.5pt;font-family:'Calibri','sans-serif';color:#1F497D"> </span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:'Tahoma','sans-serif'"> xiefp88@sina.com [mailto:xiefp88@sina.com]
<br>
<b>Sent:</b> Thursday, January 11, 2018 9:12 AM<br>
<b>To:</b> Guo James; openstack<br>
<b>Subject:</b> </span><span style="font-size:10.0pt">Re: </span><span lang="EN-US" style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">[Openstack] [ironic] how to prevent ironic user to controle ipmi through OS?</span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">If you cannot get the username and password of the OS, you cannot modify the IPMI configuration, even though you got the ironic user info.</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div id="origbody">
<div>
<p class="MsoNormal" style="background:#F2F2F2"><span lang="EN-US">----- Original Message -----<br>
From: Guo James &lt;<a href="mailto:guoyongxhzhf@outlook.com" target="_blank">guoyongxhzhf@outlook.com</a>&gt;<br>
To: "<a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a>" &lt;<a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a>&gt;<br>
Subject: [Openstack] [ironic] how to prevent ironic user to controle ipmi through OS?<br>
Date: January 10, 2018, 17:21</span></p>
</div>
<p class="MsoNormal"><span lang="EN-US"><br>
I notice that after an ironic user gets a bare metal successfully, he can access IPMI through the IPMI device although he can't access IPMI through LAN.<br>
How to prevent the situation?<br>
If he modifies the IPMI configuration, that will be a mess.<br>
_______________________________________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a></span></p>
</div>
</div>
</div>


</div></div></body></html>