bmcbutler
About
Bmcbutler is a BMC (Baseboard Management Controller) configuration management tool that uses bmclib.
Configuration support
| Hardware | User accounts | Syslog | NTP | Ldap | Ldap groups | BIOS | HTTPS Cert |
|---|---|---|---|---|---|---|---|
| Dell M1000e | - | ||||||
| Dell iDRAC8 | |||||||
| Dell iDRAC9 | |||||||
| HP c7000 | - | ||||||
| HP iLO4 | |||||||
| HP iLO5 | |||||||
| Supermicro X10 |
Need help? See kiwiirc link above/find us on the freenode IRC channel ##bmc-toolbox.
Build
go get github.com/bmc-toolbox/bmcbutler
Build with vendored modules (>= go 1.11)
GO111MODULE=on go build -mod vendor -v
Notes on working with go mod
To point to a local copy of bmclib, add to the bottom of the go.mod file
replace github.com/bmc-toolbox/bmclib => ../bmclib
To pick a specific bmclib SHA.
GO111MODULE=on go get github.com/bmc-toolbox/bmclib@2d1bd1cb
To add/update the vendor dir.
GO111MODULE=on go mod vendor
Setup
There's two parts to setting up configuration for bmcbutler,
- Bmcbutler configuration
- Configuration for BMCs
This document assumes the Bmcbutler configuration directory is ~/.bmcbutler.
Bmcbutler configuration
Setup configuration Bmcbutler requires to run.
# create a configuration directory for ~/.bmcbutler
mkdir ~/.bmcbutler/
Copy the sample config into ~/.bmcbutler/ bmcbutler.yml sample
BMC configuration
Configuration to be applied to BMCs.
# create a directory for BMC config
mkdir ~/.bmcbutler/cfg
add the BMC yaml config definitions in there, for sample config see configuration.yml sample
bmc configuration templating
configuration.yml supports templating, for details see configTemplating
inventory
Bmcbutler was written with the intent of sourcing inventory assets and configuring their bmcs, a csv inventory example is provided to play with.
The 'inventory' parameter points Bmcbutler to the inventory source.
BMC HTTPS cert signing
Bmcbutler can manage certs for BMCs, It compares the current HTTPS cert Subject attributes of a BMC with the ones declared in its configuration, if the attributes don't match, it proceeds to,
- Generate a CSR on the BMC using the Subject attributes declared in its configuration.
- Pass the CSR to the signer executable, read the signed cert.
- Upload the signed cert to the BMC.
- Reset the BMC if required.
To have this setup,
- Declare a
https_certconfiguration section in the BMC config template, see configuration.yml sample - Declare a signer executable in the bmcbutler config, see bmcbutler.yml sample
The signer executable is required to accept a CSR through STDIN and spit out the signed cert through STDOUT. An example signer that uses lemur can be found under helpers
Load credentials from Vault
Credentials to login to BMCs and configure them can be declared in the configuration file, or can be looked up from Vault.
To setup secrets lookup from Vault,
- enable
secretsFromVault: truein bmcbutler.yml - Use the
lookup_secret::Administratorparameter in place of the credential in bmcbutler.yml - Use the
<%= lookup_secret("Administrator") %>YAML templating parameter in place of credentials in configuration.yml sample - See the sample bmcbutler.yml for options to set the vault token.
Examples
Set credentials in Vault, using --config and command substitution to prevent leaking the vault token
to other processes (command line arguments are visible to all processes).
curl --config <( builtin printf 'header = "X-Vault-Token: %s"' "${VAULT_TOKEN}" ) \
-H "Content-Type: application/json" \
-X POST -d '{"Administrator": "hunter2", "Ops": "foobar"}' https://vault.example.com/v1/secret/baremetal/bmc
Check credentials were set
curl --config <( builtin printf 'header = "X-Vault-Token: %s"' "${VAULT_TOKEN}" ) \
-X GET https://vault.example.com/v1/secret/baremetal/bmc
bmcbutler.yml - declare Vault config and replace credentials
secretsFromVault: true
vault:
hostAddress: "http://172.18.0.2:8200"
tokenFromFile: "samples/vault-token.test"
secretsPath: /secret/baremetal/bmc
credentials:
- Administrator: lookup_secret::Administrator
- Administrator: lookup_secret::Admin2
- root: lookup_secret::dell_default
- ADMIN: lookup_secret::sm_default
configuration.yml - declare BMC user account config with lookup_secrets template method.
user:
- name: Administrator
# lookup_secret - requires 'secretsFromVault: true' in bmcbutler.yml
# note - double quotes required
password: <%= lookup_secret("Administrator") %>
role: admin
enable: true
- name: Ops
password: <%= lookup_secret("Ops") %>
role: user
enable: false
Run
Configure Blades/Chassis/Discretes
#configure all BMCs in inventory, dry run with debug output
bmcbutler configure --all --dryrun --debug
#configure all servers in given locations
bmcbutler configure --servers --locations ams2
#configure all chassis in given locations
bmcbutler configure --chassis --locations ams2,lhr3
#configure all servers in given location, spawning given butlers
bmcbutler configure --servers --locations lhr5 --butlers 200
#configure one or more BMCs identified by IP(s)
bmcbutler configure --ips 192.168.0.1,192.168.0.2,192.168.0.2
#configure one or more BMCs identified by serial(s) and trace log
bmcbutler configure --serials <serial1>,<serial2> --trace
bmcbutler configure --serial <serial1>,<serial2> --debug
bmcbutler configure --serial <serial> --debug
#Apply specific configuration resource(s) and trace log
bmcbutler configure --ips 192.168.1.4 --resources ntp,syslog,user --trace
Acknowledgment
bmcbutler was originally developed for Booking.com. With approval from Booking.com, the code and specification were generalized and published as Open Source on github, for which the authors would like to express their gratitude.