Static ipmitool on VMWare ESXi

TL;DR

You can use Docker to build a staticly linked ipmitool that will run on VMWare ESXi 5.x to confgure a Dell iDRAC's network settings. Read on for details of how this works.

Motivation

Imagine that you have a set of Dell servers running VMWare ESXi colocated in a data centre. And that you are concerned that you might need to interact with the servers before they have fully booted -- perhaps when they are not booted -- so that ssh and the VMWare management interfaces cannot be used. In those instances it would be very useful to be able to interact with the console of the remote machines, and at least reassure yourself that they are still booting.

If your Dell Servers were bought with Dell iDRAC support, then you have the hardware you need -- you just need to cable it up to some out of band network (ideally via some independent Internet connection so you do not rely on your own routers having booted), and configure the iDRAC network interface so you can reach it via that out of band network.

The cabling part is fairly easy -- give or take a trip to the data centre. But by default the configuration of the iDRAC can be done on the server only by interrupting the boot process at the appropriate point. Which would mean rebooting the ESXi servers. The production ESXi servers. Yes it is a cluster, but that is a lot of shuffling VMs around to free up one host at a time so it can be rebooted, which is a lot of time in the data centre.

On Linux and Microsoft Windows, Dell provide a racadm tool which can be used to configure basic features of the Dell iDRAC -- enough that you can then get in via the web interface and configure the rest. The only trick is making sure that you use the correct version for your iDRAC card -- inexplicably Dell appear to have not only changing the configuration interface between versions but also provided separate binaries for each version (rather than auto-detecting the installed card and supporting all the protocols in one program). With the wrong version for your iDRAC card, you will be very confused why it does not seem to work.

Unfortuantely there is no VMWare ESXi version of the local racadm (at least that I have been able to find). And the remote racadm needs the IP address and username/password of the iDRAC to talk to... which brings us back to the first problem.

But conveniently the Dell iDRAC is based on IPMI 2.0, which means that IPMI tools can be used to access some of the functionality. (This seems to have been true since the Dell DRAC 5; there is even a Dell guide to using ipmitool with the older PowerEdge servers.)

`ipmitool`

On Linux, one of the standard tools for interacting with the IPMI (locally and remotely) is ipmitool (which unfortunately seems to still be hosted on the increasingly untrustworthy SourceForge -- but source tarballs are also available via major Linux vendors). Ryan Chapman discovered that a "statically" linked Linux ipmitool would run on VMWare ESXi 4.1, and John found this still works on VMWare ESXi 5.1, as did Mitchell Turner.

The main requirements for using a Linux ipmitool under VMWare ESXi seem to be (a) ensuring it is built on a Linux release that is approximately old enough to match the libc and kernel versions of the VMWare ESXi host, (b) buliding a 32-bit binary, and (c) making sure it is statically linked. (Possibly either matching libc versions or statically linked would be sufficient, but aiming for both maximises the chances of it working.)

On VMWare ESXi 5.0 (still in use due to being a well stabilised combination of software and drivers, pending a jump to ESXi 6.x), the libc there was:

~# /lib/libc.so.6
GNU C Library vmware release version 2.5, by Roland McGrath et al.
[...]
Compiled by GNU CC version 4.1.2 20070626 (Red Hat 4.1.2-14).
Compiled on a Linux 2.6.9 system on 2015-01-29.

compiled with a compiler and on a kernel version which are roughly equivalent to CentOS 4, of which the last release was CentOS 4.9, and support ended about three years ago.

32-bit CentOS 4.9 build environment

So we wanted a 32-bit CentOS 4.9 build environment. Since I did not fancy doing a full install of an ancient Linux system (into a VM) just to build a single tool I went looking for a more convenient answer. It turns out that while the official CentOS Docker images are only 64-bit (x86_64) and only start with CentOS 5, Brian Lalor has produced an unofficial Docker build script to make a base CentOS 4.9 image. Unfortuantely that too was 64-bit (x86_64) but with some simple tweaks it is possible to get it to build a 32-bit (i386) CentOS 4.9 base image:

git clone https://github.com/blalor/docker-centos4-base.git
cd docker-centos4-base
vi build.sh       # Change arch from x86_64 to i386, comment out EPEL
docker run --privileged -i -t -v $PWD:/srv centos:centos6 /srv/build.sh i386
docker build -t centos4_i386 .

The docker run produces a centos49.tar.gz chroot tarball (a bit like debootstrap on Debian), and the docker build builds a Docker image with just that tarball unpacked inside it. (My docker-centos4-base build.sh script takes the architecture as a command line parameter; if I get a chance to make that a bit less hacky I will try to push it back upstream.)

CentOS 4.9 build environment fixups

From there, it just a matter of fixing up the 32-bit CentOS environment to force it to install 32-bit binaries (by default it will install binaries for $basearch which will be 64-bit), and then installing the minimal ipmitool build dependencies. To do this by hand:

docker run -it centos4_i386 /bin/bash
cat /etc/yum.repos.d/CentOS-Base.repo       | 
    sed 's/\$basearch/i386/; s/\]/-i386]/;' |
    tee /etc/yum.repos.d/CentOS-i386.repo
sed -i '/protect=1/a enabled=0' /etc/yum.repos.d/CentOS-Base.repo

(these examples chosen to avoid IO redirection as the angle brackets conflict with the HTML markup :-( ). And then it is necesssary to manually install the CentOS 4 yum key before installing packages:

curl -L -o /tmp/RPM-GPG-KEY-centos4 http://mirror.centos.org/centos/RPM-GPG-KEY-centos4
sha256sum /tmp/RPM-GPG-KEY-centos4
# Should be:
# 57821109aeb5f27805b80be03e31b1d978f3b7c7464c684169b1d341ff4d7021  /tmp/RPM-GPG-KEY-centos4
rpm --import /tmp/RPM-GPG-KEY-centos4

Building static `ipmitool`

NOTE: If you have Docker running, you can can use Docker to build a staticly linked ipmitool that will run on VMWare ESXi 5.x automatically. The Dockerfile automates the build environment tidying up above and all the build steps below. The build steps below are listed for completeness in case you want to do it by hand in some other environment.

Building ipmitool is fairly simple, thanks to it having very few dependencies. It just needs gcc4 and make:

yum -y install gcc4 make

First download the source archive, eg:

curl -L -o ipmitool_1.8.14.tar.gz http://http.debian.net/debian/pool/main/i/ipmitool/ipmitool_1.8.14.orig.tar.gz

(this one from Debian's archive, which I trust more than Sourceforge now), and then verify the checksum:

sha256sum ipmitool_1.8.14.tar.gz
# Should be:
# fe9bce4587f83fe0fd7c4d86fd3241fe41cb661ebc5c7321128d59cc295874ab  ipmitool_1.8.14.tar.gz

and then unpack it:

tar -xzf ipmitool_1.8.14.tar.gz

and build a 32-bit binary:

cd ipmitool-1.8.14
CC=gcc4 CFLAGS=-m32 LDFLAGS=-static ./configure
make

Note however that despite the -static this will not be a static binary. This is because ipmitool uses libtool for linking, and libtool has its own interpretation of -static: to libtool it means "do not build dynamic libraries", but it will still dynamically link executables against "system" libraries. This explains the problem Ryan Chapman found with not getting a static binary. To really get a static binary you need to tell libtool to use -all-static. But unfortunately we cannot set that in LDFLAGS, because gcc does not understand -all-static... and some of the configure tests use gcc directly for linking, so they will fail :-( The work around is to manually staticly link the binary again (after building with -static):

cd src
/bin/sh ../libtool --silent --tag=CC --mode=link gcc4 -m32 \
    -fno-strict-aliasing -Wreturn-type -all-static         \
    -o ipmitool.static                                     \
       ipmitool.o ipmishell.o ../lib/libipmitool.la plugins/libintf.la

(which is just the Makefile generated command with -all-static in place of -static, and a new output filename.)

Actually the resulting binary is not completely static. Certain name resolution related functions like getaddrinfo() and gethostbyname() will still use dynamic libraries (I assume due to nsswitch). There will be some static linking warnings about this as a result. But for simple local IPMI lan configuration it appears to be safe to ignore these warnings -- the affected code never gets run.

Using the static `ipmitool`

The static ipmitool can then be copied onto your VMWare ESXi 5.x server by enabling the ssh server on your ESXi host and then:

scp -p ipmitool.static root@${ESXHOST}:/scratch
ssh root@${ESXHOST}
/scratch/ipmitool.static

For instance:

~ # /scratch/ipmitool.static lan print 1
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5
                        : User     : MD2 MD5
                        : Operator : MD2 MD5
                        : Admin    : MD2 MD5
                        : OEM      :
IP Address Source       : Static Address
IP Address              : 10.0.9.17
Subnet Mask             : 255.255.255.0
MAC Address             : 14:fe:b5:d5:52:b4
SNMP Community String   : public
IP Header               : TTL=0x40 Flags=0x40 Precedence=0x00 TOS=0x10
BMC ARP Control         : ARP Responses Enabled, Gratuitous ARP Disabled
Default Gateway IP      : 10.0.9.1
Default Gateway MAC     : 00:00:00:00:00:00
Backup Gateway IP       : 0.0.0.0
Backup Gateway MAC      : 00:00:00:00:00:00
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
RMCP+ Cipher Suites     : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14
Cipher Suite Priv Max   : aaaaaaaaaaaaaaa
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
~ #

If for some reason you need to set the LAN interface, the usual ipmitool commands for setting will work, eg:

/scratch/ipmitool.static lan set 1 ipaddr 10.0.9.17
/scratch/ipmitool.static lan set 1 defgw ipaddr 10.0.9.1

and you can do ipmitool lan print 1 to verify that the settings were updated.

So far only basic LAN settings printing and configuration has been tested. But that is sufficient to get enough up without having to take the ESXi server into Maintenance that the rest can be configured through the iDRAC web interface.

ETA, 2015-07-20: It turns out there is another Dell iDRAC specific IPMI command: "ipmitool.static delloem lan". For an iDRAC Express it will show something like:

~ # /scratch/ipmitool.static delloem lan get
Shared LOM   :  shared with lom1
Failover LOM :  None
~ #

And for an iDRAC Enterprise it will show something like:

~ # /scratch/ipmitool.static delloem lan get
dedicated
~ #

You can attempt to change it to dedicated if you have an iDRAC Enterprise license with:

./ipmitool.static delloem lan set dedicated

but if it fails with an error:

~ # ./ipmitool.static delloem lan set dedicated 
FM001 : A required license is missing or expired
~ #

then you either have only an iDRAC Express license, or the iDRAC Enterprise license is not installed properly; using a dedicated port is an iDRAC Enterprise feature.

Finally of note, in Dell speak "shared with lom1" means shared with LAN-on-Motherboard 1 -- ie, shared with one of the regular LAN ports on the motherboard -- rather than "Lights Out Management" as that acronym would mean in other vendors documentation. (Dell of course use "iDRAC" for what other vendors call "Lights out Management", ie, "LOM".)