How to configure the privilege level of an IPMI user in fence_ipmilan in a RHEL 5 or 6 cluster

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux (RHEL) 5 or 6 with the High Availability Add-On
  • Red Hat Enterprise Virtualization Hypervisor (RHEV-H) 5
  • Red Hat Enterprise Virtualization Hypervisor (RHEV-H) 6
  • One or more hosts configured to use fence_ipmilan as the fence agent
    • The fence device is configured with a user having a privilege level other than ADMIN

Issue

  • The fence_ipmilan man page indicates how to do this when running the fence agent manually (using the -L command line option), but does not explain the parameter name to include in the cluster.conf fence device definition.

  • Fencing using fence_ipmilan fails with the following error:

      Jun 18 09:58:21 node1 fenced[68777]: fence node2 dev 0.0 agent fence_ipmilan result: error from agent
    

    But manual fencing using the following command works:

      fence_ipmilan -L operator -a "172.20.128.54" -l "rhcluster" -P -S "/usr/local/bin/hide_fence_passwd.sh" -o reboot -t 10 -T 4 -v
    
  • The tool fence_ipmilan has no privilege level switch and the iLO user in fence_ilo has only "Virtual Power and Reset" privileges. Is there a workaround for this?

  • Unable to set iLO3 privilege level with fence_ipmilan.

  • Fencing is not working on a Red Hat two-node cluster for a server that has HP iLO 4:

      [root@node1 ~]# fence_ilo4 -a X.X.X.X -P -l user -p xxxxxx -o status
      Getting status of IPMI:X.X.X.X...Chassis power = Unknown
      Failed

Resolution

First, ensure the necessary package releases have been installed:

RHEL 5

  • Update cman to 2.0.115-96.el5 or later
  • For the ability to set the Privilege Level setting via Conga, update luci and ricci to release 0.12.2-51.el5 or later

RHEV-H 5

RHEL 6 or RHEV-H 6

  • Update fence-agents to release 3.1.5-10.el6 or later

  • For the ability to set the Privilege Level setting via Conga, update luci to release 0.26.0-37.el6 or later

Next, configure the fence device with the correct privilege level setting:

Using fence_ipmilan from the Command Line

  • Add the -L option with the appropriate privilege level for the configured user:

      # fence_ipmilan -a 192.168.2.10 -l myUser -p password -P -o status -L USER
    

Configuring the fencedevice by editing /etc/cluster/cluster.conf

  • Add the privlvl attribute with the appropriate privilege level for the configured user:

      <fencedevice ipaddr="192.168.2.10" username="myUser" password="password" lanplus="1" privlvl="USER"/>
    

Configuring the device via Conga

  • Navigate to the configuration page for the fence device, and select the appropriate level from the Privilege Level drop down

Root Cause

  • When interacting with a system management controller via IPMI over LAN, ipmitool offers a privilege level option (-L) that allows the caller to specify the privilege level of the user. A similar option now exists in cman (RHEL 5), fence-agents (RHEL 6), and Conga (RHEL 5 and 6), allowing a cluster administrator to configure fence devices for nodes that use this privilege level option. In some cases this may enhance security, because the user does not need more privileges over the system in question than absolutely necessary. Where a different privilege level is required, the fence agent may not work unless it can call ipmitool with -L.

  • The -L / privlvl option for fence_ipmilan was added to RHEL 5's cman in Bugzilla #726731 and to RHEL 6's fence-agents in Bugzilla #726571. Support for configuring this setting via Conga was added to RHEL 5's luci and ricci via Bugzilla #751359, and to RHEL 6's luci via Bugzilla #821928.

  • The available privilege levels are CALLBACK, USER, OPERATOR, and ADMINISTRATOR.
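
As an added example (not part of the original solution or of Red Hat's tooling), the following Python script checks every fence_ipmilan fencedevice in a cluster.conf for a privlvl value from the list above. The sample configuration, device names, and addresses are constructed, and matching levels case-insensitively is an assumption based on this page using both `-L operator` and `-L USER`.

```python
import xml.etree.ElementTree as ET

# Privilege levels listed in the Root Cause section of this page.
VALID_LEVELS = ("CALLBACK", "USER", "OPERATOR", "ADMINISTRATOR")

# Constructed sample cluster.conf; names and addresses are illustrative only.
SAMPLE = """\
<cluster name="example" config_version="1">
  <fencedevices>
    <fencedevice agent="fence_ipmilan" name="ipmi-node1" ipaddr="192.0.2.11" lanplus="1" privlvl="operator"/>
    <fencedevice agent="fence_ipmilan" name="ipmi-node2" ipaddr="192.0.2.12" lanplus="1"/>
    <fencedevice agent="fence_ipmilan" name="ipmi-node3" ipaddr="192.0.2.13" lanplus="1" privlvl="ADMIN"/>
    <fencedevice agent="fence_apc" name="apc1" ipaddr="192.0.2.20"/>
  </fencedevices>
</cluster>
"""


def audit_privlvl(cluster_conf_xml, agent="fence_ipmilan"):
    """Return [(device name, privlvl as written or None, finding)]
    for every fencedevice that uses the given agent."""
    root = ET.fromstring(cluster_conf_xml)
    findings = []
    for dev in root.iter("fencedevice"):
        if dev.get("agent") != agent:
            continue  # other fence agents do not take privlvl
        name = dev.get("name", "<unnamed>")
        level = dev.get("privlvl")
        if level is None:
            finding = "privlvl not set"
        elif level.upper() not in VALID_LEVELS:
            # e.g. the shorthand "ADMIN" is not one of the four listed levels
            finding = "unrecognized privlvl"
        elif level.upper() == "ADMINISTRATOR":
            finding = "full ADMINISTRATOR privilege"
        else:
            finding = "ok"
        findings.append((name, level, finding))
    return findings


if __name__ == "__main__":
    # Against a real cluster, read /etc/cluster/cluster.conf instead of SAMPLE.
    for name, level, finding in audit_privlvl(SAMPLE):
        print("%-12s privlvl=%-10s %s" % (name, level, finding))
```
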

Diagnostic Steps

  • Attempt to communicate with the fence device using fence_ipmilan without using -L:

      # fence_ipmilan -a 192.168.2.10 -l myUser -p password -P -o status 
    

    Once this fails, try again (on the appropriate version of cman or fence-agents from the Resolution above) using the appropriate privilege level:

      # fence_ipmilan -a 192.168.2.10 -l myUser -p password -P -o status -L USER
    

    If confirmation is needed before updating the cman or fence-agents package, try calling ipmitool directly using -L:

      # ipmitool -L user -H 192.168.2.10 -I lanplus -U myUser -P password chassis power status -v
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.