AMT and FreeBSD scripts

We have two problems with Intel AMT and FreeBSD.

First:

On AMT version 8.1.20-build 1336, AMT stops responding about five minutes after booting FreeBSD. It's FreeBSD 9.1-STABLE, 64 bit.

On Linux AMT works fine. We suspect the driver, but it's similar to the one on Linux.

Second:

We have shell scripts to manage computers; on version 5 (older computers) we can send a command like:

curl -m 3 --anyauth -u user:password -d amt_html_rc_radio_group=2 -d amt_html_rc_boot_special=13 http://ip:16992/remoteForm

to power on and normal boot.

But on version 8 the scripts stop working; the forms are the same. Are there any changes?

Can I send a SOAP XML file with curl?

Can you show us the way to resolve these problems?


The AMT software (HECI driver/LMS service) is not validated for use with FreeBSD (currently it is only validated for RedHat and Suse). Many people use Ubuntu, however, and have not reported this issue.

I'm not familiar with how your curl scripts work. If your scripts are based on the old SOAP interface (still available with AMT 5 and older) and you are trying to get them to work on newer AMT versions (that are based on the WSMAN interface), that might be why they don't work. If this is a SOAP / WSMAN issue, then you would need to write new scripts that use WSMAN. Here is a link to the SDK.

Follow me on Twitter: @GaelHof
Facebook: https://www.facebook.com/GaelHof

Please pay attention to the curl command:

curl -m 3 --anyauth -u user:password -d amt_html_rc_radio_group=2 -d amt_html_rc_boot_special=13 http://ip:16992/remoteForm

It only sends a POST form to the computer, like clicking submit with the options in the radio group.

I don't use SOAP / WSMAN; I am only simulating a user on the web site.

On v5 form is:

<FORM NAME=remoteForm METHOD="POST" ACTION="/remoteform">
<table class="log" cellpadding=0 cellspacing=0 width=500>
<tr>
    <td class="nw" width="50%">
    <td class="ne">
<tr>
  <td class="r1"><p>Power state: Off
  <td class="r1">&nbsp;
<tr><td>
<tr>
<td valign=top><p>Send a command to this computer:
<td>
<tr valign=top><td>
<p class="in"><INPUT TYPE=RADIO CHECKED NAME=amt_html_rc_radio_group VALUE=2 ONCLICK=bootSpecial() >Turn power on<br>
<br>
<td valign=top>
<p>Select a boot option:
<SELECT NAME=amt_html_rc_boot_special SIZE="4">
<OPTION value=1 SELECTED>Normal boot
<OPTION value=6 >Boot from local CD/DVD drive
<OPTION value=3 >Boot from local hard drive
</SELECT>
<td>
<tr valign=top><td colspan=2>
<p class="in">*<b>Caution: </b>These commands may cause user application data loss.<br>&nbsp;
<tr><td class="r1" colspan="2">&nbsp;
<tr>
<td><h2><input type=button value="Send Command" onclick="javascript:confirm_com()">
</h2>
<td>

<tr>
    <td class="sw">
    <td class="se">
</table>
</FORM>

On v8 there is one hidden input type:

<FORM NAME="remoteForm" METHOD=POST ACTION="/remoteform">
<INPUT TYPE=hidden NAME="t" value="YGepoxwcAAABAAAAAAAAAAAAAAAAAP//CpKSA5IDTyC+OX1RnnHBgySl3+bQhK18qBDNtoJk+57q/9Q6elKkAsS6IWk=">
<table class="log" cellpadding=0 cellspacing=0 width=500>
<tr>
<td class="nw" width="50%"></td>
<td class="ne"></td>
</tr>
<tr>
<td class="r1"><p>Power state: Off</p></td>
<td class="r1">&nbsp;</td>
</tr>
<tr><td></td></tr>
<tr>
<td valign=top><p>Send a command to this computer:</p>
<td></td>
</tr>
<tr valign=top>
<td>
<p class="in">
<INPUT TYPE=RADIO CHECKED NAME="amt_html_rc_radio_group" VALUE="2" ONCLICK="bootSpecial()" >Turn power on<br>
<br></p>
</td>
<td valign=top>
                                <p>Select a boot option:
                                <SELECT NAME="amt_html_rc_boot_special" SIZE=4>
<OPTION value="1" SELECTED>Normal boot
<OPTION value="6" >Boot from local CD/DVD drive
<OPTION value="3" >Boot from local hard drive
                                </SELECT>
                                </p>
</td>
<td></td>
</tr>
<tr valign=top>
<td colspan=2>
<p class="in">*<b>Caution: </b>These commands may cause user application data loss.<br>&nbsp;</p>
</td>
<tr><td class="r1" colspan=2>&nbsp;</td></tr>
<tr>
<td><h2><input type=button value="Send Command" onclick="javascript:confirm_com()"></h2></td>
<td></td>
</tr>
<tr>
<td class="sw"></td>
<td class="se">
</tr>
</table>
</FORM>

Can you be more specific? What error are you seeing? At what point does it fail? If you are working in a Windows environment there might be an "integrated Windows Authentication" (IWA) that you need to have enabled in order to access the webui. What browser are you using?

Follow me on Twitter: @GaelHof
Facebook: https://www.facebook.com/GaelHof

Ok.
In the browser I can log in to the website http://IP:16992/, click Remote Control, mark Turn power on with the selection Normal boot, click Send Command and click OK.
It works well, but in just one lab we have 10 computers, so I have a script like:
# my_lab: space-separated list of the lab's AMT addresses
for ip in $my_lab; do
     curl -m 3 --anyauth -u user:password -d amt_html_rc_radio_group=2 -d amt_html_rc_boot_special=1 "http://$ip:16992/remoteform"
done
I can turn on many computers with one operation.
How it works:
curl simulates a web browser and sends -d amt_html_rc_radio_group=2 -d amt_html_rc_boot_special=1 to http://ip:16992/remoteform
In the HTML form there is:
<FORM NAME=remoteForm METHOD="POST" ACTION="/remoteform">
<...>
<p class="in"><INPUT TYPE=RADIO CHECKED NAME=amt_html_rc_radio_group VALUE=2 ONCLICK=bootSpecial() >Turn power on<br>
<...>
<p>Select a boot option:
<SELECT NAME=amt_html_rc_boot_special SIZE="4">
<OPTION value=1 SELECTED>Normal boot
<OPTION value=6 >Boot from local CD/DVD drive
<OPTION value=3 >Boot from local hard drive

I can send, for example, -d amt_html_rc_radio_group=2 -d amt_html_rc_boot_special=6 to boot from CD.
With this method I can read the status with grep, sed, cut etc.

Everything works fine in AMT v5; on v8 I found an added input:

<INPUT TYPE=hidden NAME="t" value="YGepoxwcAAABAAAAAAAAAAAAAAAAAP//CpKSA5IDTyC+OX1RnnHBgySl3+bQhK18qBDNtoJk+57q/9Q6elKkAsS6IWk=">

The value looks random; what is it?

I don't use a browser in the script, so it is not relevant. I use FreeBSD, but the scripts are universal; it's bash, so you can use it on Linux, Solaris etc.

Error... I don't have an error. After sending the command with curl, a computer with v5 turns on; with v8 it doesn't.

Sorry about the huge delay - I have been trying to track down someone who might know what your issue is. Meanwhile I have been looking into the "input type=hidden". This is basically a hidden variable with some value. (What it is all about is what I'm trying to find out for you.) So here are some more questions:

Are the AMT 5 systems configured the same way as the AMT 8 systems? Are they all either TLS or non-TLS? I'm assuming they are all non-TLS since you referenced "http" above.

Which browser are you using to access the WebUI information? (and version of HTML?) (you say that curl emulates a browser)

From the documentation:

Other browsers may be used; however, they may not be supported by Intel AMT-enabled systems. The web browser will establish a TCP connection to the Intel AMT platform and access the top-level Intel AMT Configuration web page. To view this information, you will be prompted to authenticate by logging in with a user that was defined in the Intel AMT ACL:

  • If the Intel AMT device is in SMB Mode, you should use the default “admin” with the MEBx password (which is also the current network password).
  • If the Intel AMT device is in Enterprise Mode, you should use a user that was defined during the provisioning process, or the default admin with the current network password (which may vary from the MEBx password).

Can you interact with your AMT 8 systems at all using your curl scripts?  Or is it just the Remote Power On that is not working?

On your AMT 8 systems - do you have the appropriate power package set in the ME (that the ME is on if the system is turned off?)  

On your AMT 8 systems - how are they on the network? Wired?  Wireless? (if wireless is the wireless profile entered into the ME?  And it has to be encrypted with a strong password)

Have you checked the event log to see if it reports a particular error?

Remember that AMT 5 is based on SOAP calls and AMT 8 is based on a WS-MAN interface. I don't know what your scripts are doing in the background as far as making calls (maybe they are just interacting with the web service) so I don't know if that's an issue or not.

Follow me on Twitter: @GaelHof
Facebook: https://www.facebook.com/GaelHof

I want to focus on AMT stopping responding when we use FreeBSD.

From observation:

   volt% amttool-tng k5 rem_control info
   ## 'k5' :: AMT Remote Control
   FAULT: 500 Can't connect to k5:16992 (Invalid argument)
   (1)
 
   k5% sudo ifconfig em0
   em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
           options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
           ether e8:40:f2:ec:60:5e
           inet 10.146.103.5 netmask 255.255.0.0 broadcast 10.146.255.255
           media: Ethernet autoselect (1000baseT <full-duplex>)
           status: active
   k5% sudo ifconfig em0 -tso4

Doesn't work immediately, but AMT starts to work.

   volt% amttool-tng k5 rem_control info
   ## 'k5' :: AMT Remote Control

   FAULT: 500 Can't connect to k5:16992 (Invalid argument)
   (1)
   
   volt% amttool-tng k5 rem_control info
   ## 'k5' :: AMT Remote Control
   # Remote Control Info :: AMT Remote Control
     Powerstate:           S0
     Watchdog Expired:     No
     Power Source:         AC
     Remote Control Capabilities:
       Control Commands Supported  powerCycle powerDown powerUp reset
       IanaOemNumber               343
       Special Commands Supported  PXE-boot HD-boot CD-boot
       Special Commands (Oem)      IDER SOL BiosReflash BiosSetup BiosPause
       SystemFirmwareCapabilities  LockKeyboard UserPasswordBypass ForcedProgressEvents VerbosityVerbose VerbosityQuiet VerbosityScreenBlank

Is it normal?

When a KVM session is open, the network card works only at the 10baseT standard. You cannot change the speed:

  k8% # ifconfig em0 media 1000baseT &
  k8% # lo kernel -2
  May 25 01:01:14 k8 kernel: em0: Media change is blocked due to SOL/IDER session.
  May 25 01:02:16 k8 kernel: em0: Media change is blocked due to SOL/IDER session.
 
After closing the KVM connection with VNC Viewer:

  k8% # ifconfig em0 media 1000baseT
  k8% ifconfig em0
  em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
        inet 10.146.103.8 netmask 255.255.0.0 broadcast 10.146.255.255
        media: Ethernet 1000baseT (1000baseT <full-duplex>)
        status: active
        
And very important: after the speed change AMT works fine.

Any kind of reset of the network card makes AMT good, for example:

ifconfig em0 -txcsum

I just got the following information for you regarding the Hidden Field:

It is a Synchronizer Token. So this indeed means that your previous approach won't work with AMT 8.

A possible solution to this problem would be to first make a cURL request to the page containing the form in order to retrieve the form's HTML code. Then, parse it and extract the token. Finally, the token should be supplied as part of the input for the POST request.

Follow me on Twitter: @GaelHof
Facebook: https://www.facebook.com/GaelHof
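The fetch, parse and re-post sequence from the reply above, written out as an added example; it is not code from the thread or from Intel's SDK. The `FORM_PATH` argument, the netrc file and both sample forms are assumptions or constructed values: the thread names only the POST target `/remoteform`, not the page that serves the form.

```shell
#!/bin/sh
# Added example (not from the thread): token-aware version of the curl POST.

# Constructed sample pages, trimmed to the fields that matter.
# The token value is made up.
SAMPLE_V8_FORM='<FORM NAME="remoteForm" METHOD=POST ACTION="/remoteform">
<INPUT TYPE=hidden NAME="t" value="Q09OU1RSVUNURUQ+/w==">
<INPUT TYPE=RADIO CHECKED NAME="amt_html_rc_radio_group" VALUE="2">'
SAMPLE_V5_FORM='<FORM NAME=remoteForm METHOD="POST" ACTION="/remoteform">
<INPUT TYPE=RADIO CHECKED NAME=amt_html_rc_radio_group VALUE=2>'

# Read form HTML on stdin, print the value of the hidden input named "t".
# Prints nothing when the form has no token (the AMT 5 layout).
extract_token() {
    sed -n 's/.*[Nn][Aa][Mm][Ee]="\{0,1\}t"\{0,1\}[[:space:]]\{1,\}[Vv][Aa][Ll][Uu][Ee]="\([^"]*\)".*/\1/p' |
        head -n 1
}

# amt_power_on HOST FORM_PATH NETRC_FILE
#   FORM_PATH  page that serves remoteForm (assumption: pass the path your
#              firmware uses; the thread only names the POST target)
#   NETRC_FILE netrc with the AMT login, keeps the password out of `ps`
amt_power_on() {
    host=$1; form_path=$2; netrc=$3
    base="http://$host:16992"

    # Step 1: fetch the page that contains the form.
    html=$(curl -s -m 3 --anyauth --netrc-file "$netrc" "$base$form_path") || return 1

    # Step 2: pull the synchronizer token out of the HTML.
    token=$(printf '%s\n' "$html" | extract_token)

    # Step 3: POST the same fields as before, plus the token when present.
    # --data-urlencode matters: the token in the thread contains "+" and
    # "/", and in form encoding a raw "+" stands for a space.
    set -- -d amt_html_rc_radio_group=2 -d amt_html_rc_boot_special=1
    if [ -n "$token" ]; then
        set -- --data-urlencode "t=$token" "$@"
    fi
    curl -s -m 3 --anyauth --netrc-file "$netrc" "$@" "$base/remoteform" >/dev/null
}
```

When the form has no hidden field (the AMT 5 layout), the function posts the two original fields unchanged, so the same loop can cover a lab with both firmware generations.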

Regarding the issue of AMT/network issues - I am still investigating that.

Follow me on Twitter: @GaelHof
Facebook: https://www.facebook.com/GaelHof

On the connection errors, are these your AMT 8.x systems, or both 8 and 5? Since it works after you reset the system I am wondering if there is something flakey going on in your firmware. Sometimes we can correct these problems in two ways:

1.  CMOS reset (shut down, unplug system and pull the cmos battery), let it sit for 40 seconds, put the battery back in and power back up. If these are notebooks, there may be a way to reset AMT from the bios - turn AMT off in the bios, reboot and then turn it back on.

2.  Reflash your firmware. Can you find a newer version of the firmware from your OEM's support site? I would get the latest version available and upgrade. It could be that your version of the FW may have an issue that is causing the strange behavior.

When you lose connectivity, can you check your DHCP server to make sure your ME is still sharing the IP address with the Host OS?  I have seen a problem on one of my systems where, if the DNS server switches to a different one, the ME seems to get confused (I have not dug very deep into what is happening on my system, but it only happens on our corporate network and this particular system is running the 8.0 version of the FW as well.)  

Follow me on Twitter: @GaelHof
Facebook: https://www.facebook.com/GaelHof

On your question:

When KVM session is open network card works only on 10baseT standard. You cannot change speed:

  k8% # ifconfig em0 media 1000baseT &
  k8% # lo kernel -2
  May 25 01:01:14 k8 kernel: em0: Media change is blocked due to SOL/IDER session.
  May 25 01:02:16 k8 kernel: em0: Media change is blocked due to SOL/IDER session.

This is by design and is true for SOL/IDER as well.  They only work for 10 Mb speeds.

Follow me on Twitter: @GaelHof
Facebook: https://www.facebook.com/GaelHof

Thank you for the response.

> On the connection errors, are these  your AMT 8.x systems, or both 8 and 5?

Only on AMT 8.x, exactly: 8.1.20

I'll try to restart CMOS.

Motherboard: Intel DQ77KB, the latest BIOS & AMT fw.
Both ethernet interfaces connected.
DHCP configured only for the first (management) or only for the second - the same result:
after approx. 5 min AMT can't be accessed.
(Same result on a few such PCs, of which we have about ten in the lab.)

When AMT doesn't respond I can work on the network with the same interface. I only can't connect to port 16992 and VNC.

I want to focus on tso:

   k5% sudo ifconfig em0 -tso4

When I switch tso off, AMT starts to work. On default Debian wheezy tso is off, so AMT doesn't stop working. When I switched tso on, AMT stopped...

Please tell me how to upgrade the BIOS on fifty computers. I have Linux and Windows too, but I don't want to use F7 or USB.

I have a second question. How can I quickly check machine status, and power a machine on and off, from PowerShell or a shell (Linux)?

Your OEM should have the latest FW plus tools and instructions on how to do it (they all do this differently). Some require a dos boot disk while others will have an exe that you run. I would apply the new bios to just a few systems to see if there were any benefits by upgrading. If the newer BIOS fixes things then I would apply it to all your systems.

If the bios is in the form of an exe you could probably push it over to the systems and have it execute at startup.  Not sure how to automate nicely if it requires a dos bootable USB stick.

Follow me on Twitter: @GaelHof
Facebook: https://www.facebook.com/GaelHof

The OEM is Intel ;) we just bought DQ77KB mainboards and make the PCs ourselves.
BIOS/AMT is the latest version, 51.

How, on Linux (supported Redhat/SUSE), can we power on/off/reset via AMT from the *COMMAND LINE*, not the web interface?
I want to do it massively on ~50 computers at one time.
Is there some shell/perl/anything command-line tool in the SDK or anywhere else?
The public domain amttool does not work stably.

I am going to contact our linux folks.  Sorry this is taking so long to answer.

The following website has the FW/BIOS for "independent OS".  https://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=22648&Pr...

The only tools I see are runnable from DOS or from Windows. You can automate this in a Windows environment but I'm not seeing any tools or scripts that have been written for linux.

Follow me on Twitter: @GaelHof
Facebook: https://www.facebook.com/GaelHof

Today I observed a strange situation. When the operating system and machine are down and I switch on "Obtain IP settings automatically", AMT sends a DHCP Request and remembers the last operating system! This is the log from the DHCP server:

Jul 22 22:49:09 volt dhcpd: PACKET from legacy PXE: ether: e8:40:f2:ec:58:37 Linux ipconfig
Jul 22 22:49:09 volt dhcpd: DHCPREQUEST for 10.146.103.4 (10.146.146.3) from e8:40:f2:ec:58:37 via bge0
Jul 22 22:49:09 volt dhcpd: DHCPACK on 10.146.103.4 to e8:40:f2:ec:58:37 via bge0

This is not a packet from PXE, it's from AMT! The machine is powered off.

Is it normal?

It seems like this thread is dead. :(

I'm hoping that at some point FreeBSD has great support for Intel AMT and the other embedded remote management tools out there.

At least it's nice to have a post with *some* of the details some of us users might be looking for. This must be the only place where the Synchronizing Token and the mandatory 10/Mbit SOL and iKVM speed is documented.

Kamil C. I wish you luck in your endeavors.

There is a way to work around the 10mb rule when doing an IDER session. (AMT always caps link speed at start up at 10mb and then never re-negotiates.) You can do a 2-stage boot with IDER that will speed things up quite a bit. The two-stage boot usage uses a 2-stage boot iso, which boots the ISO (6mb) on the IDER channel, but then uses the ethernet channel to boot a selected ISO.

There is a demo of this process here: https://intelsalesadvisor.com/asset/686.html    (you have to create a login to get to it.)

You can find instructions and download the builder that will customize the stage 1 linux image for your environment here: https://communities.intel.com/community/vproexpert/blog/2010/10/26/new-reference-design-2-stage-boot-faster-remote-booting

Here is the ISO: https://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=20960&lang=eng&OSVersion=&DownloadType=

 

Follow me on Twitter: @GaelHof
Facebook: https://www.facebook.com/GaelHof
