bool_install_nic on line 99 should be boot_install_nic, matching
the variable used everywhere else in the script. This caused the
SETINSTALLNIC environment variable to have no effect.
Fixes: xcat2/xcat-core#7472
On RHEL 9.x minimal installs, the yum package may not exist as a
separate RPM — only dnf is present with /usr/bin/yum as a symlink.
The previous detection using rpm -q yum would fail, causing hasyum
to remain 0 and skipping repo file creation entirely.
Replace rpm -q based detection with executable checks for /usr/bin/dnf
and /usr/bin/yum. Introduce yumcmd variable to carry the actual command
name through all package operations instead of hardcoding yum.
Fixes: xcat2/xcat-core#7497
bmcsetup iterated every user slot and retried ipmitool user disable for slots that were already disabled. Lenovo XCC reports those attempts as Invalid data field in request, so discovery can spend minutes retrying no-op disables.
Read the current user table once per BMC, keep the old fallback when the table cannot be read, and disable only non-target slots whose IPMI Msg flag is true. Also use the loop's current username when resolving the target slot and keep the intended userslot 2 fallback assignment.
Fixesxcat2/xcat-core#5065
OpenBMC BMCs intermittently return 503 Service Unavailable when the
REST service is busy or recovering. xCAT reported the error immediately,
requiring the user to manually retry. A second attempt usually succeeds.
Retry the same request up to 3 times with a 3-second wait on 503.
If all retries fail, report the error as before. The existing 504
handling for bmcreboot is preserved.
Ref: #4264
The xCAT-server build-readme script runs every tool in share/xcat/tools/
with --help during RPM packaging. At build time perl-xCAT is not installed,
so the compile-time 'use xCAT::DHCP::Backend' aborts before --help can run.
Switch to runtime require inside the remove-operation branch where the
module is actually needed.
Extend the existing sha256-to-sha1 fallback (already present in
got_rmcp_response for Open Session errors) to also cover RAKP2
rejections with "Unauthorized name" (0x0d) or "Invalid role" (0x09).
Ref: #7511
Set bit 4 (0x10) of the requested privilege byte in RAKP Message 1
for name-only user lookup, matching ipmitool behavior. Use the same
value consistently in all HMAC calculations (RAKP2 verification,
RAKP3 auth code, SIK derivation).
Without this, some BMCs fail user lookup with "Unauthorized name"
even though the credentials are correct.
Ref: #7511
OpenBMC-based BMCs return message tag 0 in RAKP2/RAKP4 instead of
echoing the tag from the request. xCAT rejected these as stale
responses and retried indefinitely until timeout.
Accept tag 0 but verify the remote console session ID in the response
matches our current sidm. This prevents stale retries from corrupting
session state while allowing OpenBMC responses through.
Applied to got_rmcp_response, got_rakp2, and got_rakp4.
Ref: #7511
cbc_pad in decrypt mode reads the last byte as the pad count, then
calls splice(@block, 0 - $count). If decrypted data is corrupt, the
pad count can exceed the array size, crashing with "Modification of
non-creatable array value attempted, subscript -16".
Return empty string on invalid padding so the caller treats it as a
decryption failure rather than accepting corrupted data as a valid
IPMI response.
Ref: #7511
The CUDA docs were frozen at CUDA 9.2 / RHEL 7.5 / Ubuntu 14.04 since
2019. Update to cover all currently supported OS and architecture
combinations (EL 7-10, Ubuntu 20.04-24.04, x86_64/ppc64le/sbsa).
Consolidate the version-specific repo and osimage pages into generic
guides that use placeholder variables, reducing 7 files to 2 while
covering more OS versions. Both online (direct NVIDIA repo URL) and
offline (dnf download / apt download mirroring) workflows are
documented.
All NVIDIA repository URLs validated against
developer.download.nvidia.com/compute/cuda/repos/ and confirmed
accessible with valid repodata.
Addresses #7373
Previously, makedhcp warned but still created host entries without
a static IP reservation when a node's address fell inside the
dynamic range. The node would silently get a random IP from the
pool instead of its configured address.
Now errors and skips the node on all four DHCP paths (ISC v4/v6,
Kea v4/v6) with a clear message telling the admin to move the IP
outside the range or adjust the dynamic range.
This makes ISC DHCP and Kea behavior consistent and aligns with
xCAT's design: the dynamic range is for hardware discovery,
known nodes should have static IPs outside it.
Closes#6539
The quiet kernel parameter was hardcoded in anaconda.pm and sles.pm,
making it impossible for admins to get verbose boot output without
editing plugin source code. The existing addkcmdline mechanism
(bootparams and linuximage tables) only appends to the kernel command
line, so there was no way to remove quiet.
Move quiet out of the plugin kcmdline construction and into the
linuximage.addkcmdline default set during copycds osimage creation.
Admins who want verbose boot for debugging can now remove it per
osimage:
chdef -t osimage <image> addkcmdline=""
New osimages get addkcmdline="quiet" by default. Existing osimages
with a custom addkcmdline are not overwritten on re-run of copycds.
Genesis/discovery boot (mknb.pm) is unchanged as it does not use
osimage definitions.
Addresses #6916
Template.pm silently continued rendering kickstart templates when
getipaddr() failed to resolve the master hostname, producing
kickstarts with an empty MASTER_IP. Nodes would install successfully
but fail on first reboot when post.xcat and xcatinstallpost tried
to contact the master, timing out after 90 retries with:
the network between the node and is not ready
Postage.pm (mypostscript generation) already checks for this and
returns a clear error. Apply the same pattern in Template.pm so
nodeset fails immediately with a descriptive message instead of
producing a broken kickstart.
Fixes#7544
The default xCAT Apache configuration shipped with Options Indexes
enabled for the /install and /tftpboot directories. This allowed
unauthenticated users to browse directory listings, disclosing the
full tree of postscripts, boot files, and (in production deployments)
potentially kickstart files with password hashes, custom scripts with
embedded credentials, and cluster topology details.
Replace Options Indexes with -Indexes in all four shipped Apache config
files (MN and SN, Apache 2.2 and 2.4 variants). Direct file access
by known path continues to work, so all provisioning workflows are
unaffected. Directory browsing for /xcat-doc is preserved as it
contains only public documentation.
Additionally, add an Apache hardening guide documenting recommended
permissions for sensitive directories under /install, network binding
best practices, and IP-based access control options.
Addresses #7450
On some BMCs (notably Supermicro), a GET immediately after SET
returns the old value until the BMC applies the change. This made
rspconfig output misleading for network setting operations.
- Store the canonical SET value after normalization and compare
with the GET readback for ip, netmask, gateway, and backupgateway.
When they differ, annotate the output:
"BMC Gateway: 10.20.0.1 (requested 10.20.0.254, not yet reflected)"
- Consolidate ip/netmask/gateway/backupgateway display into one block
- Fix backupgateway SET: was routed through the gateway branch
writing parameter 0x0C instead of 0x0E. Now has its own branch
writing the correct IPMI parameter.
- ip=dhcp is unaffected (separate code path, never stores a value)
Tested on Supermicro IPMI BMC (10.20.0.51).
Fixes#3445
Docker container lifecycle management (mgt=docker, mkdocker, rmdocker,
lsdocker) was added in 2015-2016 as an experiment targeting Docker API
v1.22 on Ubuntu only. Documentation and man pages were deliberately
removed in 2019 (PRs #6222 and #6324) with the original developer's
approval, noting that "the interface of Docker has become very simple
right now, so there is no value for xCAT to offer such functions."
The plugin was still being shipped but has had no functional code changes
since April 2016, was never listed as a valid mgt value in Schema.pm,
and no user ever filed an issue about it.
Removed:
- xCAT-server/lib/xcat/plugins/docker.pm (1,142 lines)
- xCAT/postscripts/setupdockerhost
- xCAT-server/share/xcat/scripts/setup-dockerhost-cert.sh
- xCAT-test/autotest/testcase/dockercommand/ (test cases)
- Docker attribute definitions in Schema.pm
- Client symlinks (mkdocker, rmdocker, lsdocker)
- Usage entries and dockerhost cert handling in credentials.pm
- Docker attribute documentation in man7 pages
The "Running xCAT in Docker" documentation (dockerized_xcat/) is
retained as it documents containerizing xCAT itself, not the removed
mgt=docker feature.
Closes#7518
rspconfig vlan= only accepted values 1-4096 with no way to disable
VLAN tagging. Users had to resort to raw IPMI commands to clear a
stale VLAN after ip=dhcp.
- Accept vlan=off/disable/disabled to clear VLAN tagging via
standard IPMI parameter 0x14 with the enable bit unset
- Fix valid range from 1-4096 to 1-4094 (IEEE 802.1Q)
- Use strict digit matching to reject malformed inputs
To clear VLAN after a DHCP reset: rspconfig <node> vlan=off
Tested on Supermicro IPMI BMC (10.20.0.51).
Partially addresses #3725
Markus Hilger
Vinícius Ferrão
Markus Hilger