Overview
There are still old HP Generation 5 (G5) servers around. Unfortunately they are not supported with RHEL 7 anymore. They need some tweaking to run, which I discuss in a second post, and they do have some issues with ILO2 connectivity, which are discussed here.
I describe what I did to connect to the ILO2 boards via ssh and via Ansible. This includes changes to the Ansible configuration to reflect ILO2 specialities.
ILO2 connectivity
I have HP ILO2 boards in my servers.
As they are quite old, the normal “ssh” provided by RHEL 7 (or Fedora 22 / 23) does not work and gets a “peer disconnected” answer.
The main problem seems to be that during negotiation of ciphers some packets exceed the packet size that the ssh server of the ILO can cope with. The server therefore disconnects.
Preparation
I’ve created a 1024-bit RSA key pair, saved in id_rsa and id_rsa1024.pub. You need to have “Administrator” in the third field of the public key. ILO uses this during upload to link the key to the user “Administrator”.
connection via ssh
I found the following cmd-line to work:
ssh -i .ssh/id_rsa1024 -o HostKeyAlgorithms=ssh-rsa,ssh-dss -o KexAlgorithms=diffie-hellman-group1-sha1 -o Ciphers=aes128-cbc,3des-cbc -o MACs=hmac-md5,hmac-sha1 Administrator@1.2.3.4
This knowledge enables me to switch machines on and off via cmd-line on my jump-host as follows:
view power state:
ssh -i .ssh/id_rsa1024 -o HostKeyAlgorithms=ssh-rsa,ssh-dss -o KexAlgorithms=diffie-hellman-group1-sha1 -o Ciphers=aes128-cbc,3des-cbc -o MACs=hmac-md5,hmac-sha1 Administrator@1.2.3.4 power
switch power on:
ssh -i .ssh/id_rsa1024 -o HostKeyAlgorithms=ssh-rsa,ssh-dss -o KexAlgorithms=diffie-hellman-group1-sha1 -o Ciphers=aes128-cbc,3des-cbc -o MACs=hmac-md5,hmac-sha1 Administrator@1.2.3.4 "power on"
Ansible
As I’m using Ansible to connect to my machines, I also wanted to use Ansible to connect to ILO2. This would give me very easy handling and grouping of machines and would also allow me the same approach no matter whether this is a task on the ILO2 (like power on) or a task on the server itself (like shut down).
raw module
Ansible normally copies the commands as a script to the target system (via sftp or scp) and runs this copied script on the remote host. As this does not work for most appliance-like systems (switches / routers / ILOs), we need to use the “raw” module.
ssh-options with Ansible 2.0 and above
For each server I’ve added two host entries in my Ansible inventory file: one entry for the server itself, and a second entry that connects to the corresponding ILO. All ILO entries are grouped together in the “ilo” group. This makes the following YAML file inside ./group_vars/ilo work for all ILO connections.
I created:
./group_vars/ilo/connect_settings
ansible_connection: ssh
ansible_ssh_common_args: -o HostKeyAlgorithms=ssh-rsa,ssh-dss -o KexAlgorithms=diffie-hellman-group1-sha1 -o Ciphers=aes128-cbc,3des-cbc -o MACs=hmac-md5,hmac-sha1
ansible_ssh_private_key_file: ~/.ssh/id_rsa1024
ansible_user: Administrator
ansible_ssh_user: Administrator
ssh-options with Ansible 1.9 (prior to 2.0)
As I started with Ansible 1.9, which ignores some config directives (e.g. ansible_ssh_common_args), you find the 1.9 workaround here as well:
You define the ssh connection settings in the configuration file of ssh and tell Ansible to evaluate this:
/etc/ansible/ansible.cfg
Added the following lines to the file:
[ssh_connection]
# Thu 14 Apr 17:03:08 CEST 2016, mschreie@redhat.com
ssh_args = -F /root/.ssh/config
created
/root/.ssh/config
# all servers should be found here
Host 172.16.20.*
    GSSAPIAuthentication yes
    ForwardX11Trusted yes
    ForwardX11 yes
# all ILOs should be found here
Host 172.16.10.*
    GSSAPIAuthentication no
    ForwardX11Trusted no
    ForwardX11 no
    MACs hmac-md5,hmac-sha1
    HostKeyAlgorithms ssh-rsa,ssh-dss
    KexAlgorithms diffie-hellman-group1-sha1
    Ciphers aes128-cbc,3des-cbc
Host rhev??-ilo
    GSSAPIAuthentication no
    ForwardX11Trusted no
    ForwardX11 no
    MACs hmac-md5,hmac-sha1
    HostKeyAlgorithms ssh-rsa,ssh-dss
    KexAlgorithms diffie-hellman-group1-sha1
    Ciphers aes128-cbc,3des-cbc
Host gluster??-ilo
    GSSAPIAuthentication no
    ForwardX11Trusted no
    ForwardX11 no
    MACs hmac-md5,hmac-sha1
    HostKeyAlgorithms ssh-rsa,ssh-dss
    KexAlgorithms diffie-hellman-group1-sha1
    Ciphers aes128-cbc,3des-cbc
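The ssh config above confines the old algorithms to the ILO Host blocks. The following check is an added example, not part of the original post: it reads an ssh config and reports which of those algorithms a given host name would get, so you can confirm the server entries stay clean. The LEGACY set, the function names and the sample config are assumptions of this example; Match blocks and the +/-/^ list modifiers are not handled.

```python
import re
from fnmatch import fnmatchcase

# Algorithms this example treats as legacy (an assumption; adjust to your policy).
LEGACY = {
    "kexalgorithms": {"diffie-hellman-group1-sha1"},
    "hostkeyalgorithms": {"ssh-dss"},
    "ciphers": {"aes128-cbc", "3des-cbc"},
    "macs": {"hmac-md5"},
}

def block_matches(patterns, host):
    """ssh_config Host rule: some positive pattern matches, no '!' pattern does."""
    neg = [p[1:] for p in patterns if p.startswith("!")]
    pos = [p for p in patterns if not p.startswith("!")]
    hit = lambda ps: any(fnmatchcase(host, p) for p in ps)
    return hit(pos) and not hit(neg)

def legacy_for_host(config_text, host):
    """Return {keyword: [legacy algorithms]} that the config enables for host."""
    active, seen, found = True, set(), {}  # options before the first Host are global
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            active = block_matches(value.split(), host)
        elif active and key in LEGACY and key not in seen:
            seen.add(key)  # ssh uses the first value obtained for each keyword
            weak = sorted(LEGACY[key] & set(value.split(",")))
            if weak:
                found[key] = weak
    return found

# Constructed sample in the shape of the config above.
SAMPLE = """\
Host 172.16.20.*
    GSSAPIAuthentication yes
Host 172.16.10.* rhev??-ilo
    KexAlgorithms diffie-hellman-group1-sha1
    Ciphers aes128-cbc,3des-cbc
    MACs hmac-md5,hmac-sha1
    HostKeyAlgorithms ssh-rsa,ssh-dss
"""

if __name__ == "__main__":
    print({h: legacy_for_host(SAMPLE, h) for h in ("172.16.20.5", "172.16.10.7")})
```

An empty result for a server address and a non-empty one for an ILO address is the expected outcome; a non-empty result for a server means a legacy option has leaked into a global or overly broad Host block.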
Conclusion
Using the “raw” module of Ansible and restricting ssh to certain ciphers enables me to now run ad-hoc commands to power my machines on or off, like this:
[root@jump ~]# ansible ilo -m raw -a power
[root@jump ~]# ansible ilo -m raw -a "power on"
[root@jump ~]# ansible ilo -m raw -a "power off"