<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Century Gothic";
panose-1:2 11 5 2 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:SimSun;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.StylE-mailovZprvy17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.xapple-style-span
{mso-style-name:x_apple-style-span;}
span.StylE-mailovZprvy19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=CS link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>How about HPE iLO, does anyone know a way to disable access from the OS?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Tyler Bishop [mailto:tyler.bishop@beyondhosting.net] <br><b>Sent:</b> Sunday, January 28, 2018 2:01 AM<br><b>To:</b> Guo James<br><b>Cc:</b> openstack<br><b>Subject:</b> Re: [Openstack] [ironic] how to prevent ironic user to controle ipmi through OS?<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:black'>On Dell DRAC you can disable IPMI/RAC control at the device for OS configuration.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:black'>With Supermicro IPMI you just need to create a random user and random password that is not "admin".<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:black'><o:p> </o:p></span></p></div><div><div><div><div id=""><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-family:"Calibri","sans-serif";color:black'>_____________________________________________<o:p></o:p></span></p><div><div><div><div><p class=MsoNormal><b><span 
style='font-family:"Century Gothic","sans-serif";color:black'>Tyler Bishop</span></b><span style='font-family:"Century Gothic","sans-serif";color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Century Gothic","sans-serif";color:black'>Founder EST 2007</span><span style='font-family:"Century Gothic","sans-serif";color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Century Gothic","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Century Gothic","sans-serif";color:#919191'>O:</span><span style='font-size:10.0pt;font-family:"Century Gothic","sans-serif";color:black'> 513-299-7108 x10</span><span style='font-family:"Century Gothic","sans-serif";color:black'><o:p></o:p></span></p></div></div></div><div><div><div><div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Century Gothic","sans-serif";color:#919191'>M:</span><span class=xapple-style-span><span style='font-size:10.0pt;font-family:"Century Gothic","sans-serif";color:#ABABAB'> </span></span><span style='font-size:10.0pt;font-family:"Century Gothic","sans-serif";color:black'>513-646-5809</span><span style='font-family:"Century Gothic","sans-serif";color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Century Gothic","sans-serif";color:black'><a href="http://beyondhosting.net" 
target="_blank">http://BeyondHosting.net</a></span><span style='font-family:"Century Gothic","sans-serif";color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Century Gothic","sans-serif";color:black'><o:p> </o:p></span></p></div></div></div></div><div><div><div><div><div><div><div><div><div><div><p class=MsoNormal><span style='font-family:"Century Gothic","sans-serif";color:black'><o:p> </o:p></span></p></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:black'><o:p> </o:p></span></p></div><div class=MsoNormal align=center style='text-align:center'><span style='font-family:"Arial","sans-serif";color:black'><hr size=2 width="100%" align=center id=zwchr></span></div><div><p class=MsoNormal><b><span style='font-family:"Arial","sans-serif";color:black'>From: </span></b><span style='font-family:"Arial","sans-serif";color:black'>"Guo James" &lt;guoyongxhzhf@outlook.com&gt;<br><b>To: </b>xiefp88@sina.com, "openstack" &lt;openstack@lists.openstack.org&gt;<br><b>Sent: </b>Wednesday, January 10, 2018 10:16:34 PM<br><b>Subject: </b>Re: [Openstack] [ironic] how to prevent ironic user to controle ipmi through 
OS?<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ironic user can change ipmi address so that OpenStack ironic loses control of bare metal.</span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D'>I think that is unacceptable.</span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D'>It seems that we should make ironic image without root privilege</span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span style='color:black'><o:p></o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'> xiefp88@sina.com [mailto:xiefp88@sina.com] <br><b>Sent:</b> Thursday, January 11, 2018 9:12 AM<br><b>To:</b> Guo James; openstack<br><b>Subject:</b> </span><span style='font-size:10.0pt;color:black'>Re: </span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>[Openstack] [ironic] how to prevent ironic user to controle ipmi through OS?</span><span style='color:black'><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US style='color:black'> </span><span style='color:black'><o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='color:black'>If you can 
not get the username and password of the OS, you can not modify ipmi configuration though you got the ironic user info.</span><span style='color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='color:black'> </span><span style='color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='color:black'> </span><span style='color:black'><o:p></o:p></span></p></div><div id=origbody><div><p class=MsoNormal style='background:#F2F2F2'><span lang=EN-US style='color:black'>----- </span><span style='color:black'>Original Message</span><span lang=EN-US style='color:black'> -----<br></span><span style='color:black'>From: </span><span lang=EN-US style='color:black'>Guo James &lt;<a href="mailto:guoyongxhzhf@outlook.com" target="_blank">guoyongxhzhf@outlook.com</a>&gt;<br></span><span style='color:black'>To: </span><span lang=EN-US style='color:black'>"<a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a>" &lt;<a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a>&gt;<br></span><span style='color:black'>Subject: </span><span lang=EN-US style='color:black'>[Openstack] [ironic] how to prevent ironic user to controle ipmi through OS?<br></span><span style='color:black'>Date: </span><span lang=EN-US style='color:black'>2018-01-10 17:21</span><span style='color:black'><o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='color:black'><br>I notice that after an ironic user gets a bare metal successfully, he can access ipmi through ipmi device although he can't access ipmi through LAN<br>How to prevent the situation?<br>If he modifies ipmi configuration, 
that will be a mess.<br>_______________________________________________<br>Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a></span><span style='color:black'><o:p></o:p></span></p></div></div></div></div></div></body></html>