Thursday, October 24, 2013

Fun with iDRAC

Feb 26th 2015: UPDATE: https://github.com/PaulMaddox/drac-kvm has all you need!

So I was busy over at the DellXL conference for the last few days with our new friends at GWU HPC. We were all chatting about the issues with iDRAC and access to console in a true "DevOps" way, i.e. via scripts and automation and no sad pointy clicky webby nonsense. We all agreed that the current workflow (load the OBM website, click "launch console", download the Java .jnlp file) was not in any way optimal.

After a fair amount of bitching and moaning, I took to PHP and CURL during the meeting to attempt to write a script to automate things... Have to admit - it's the first PHP I've written in years - it was fun. We have 1000s of machines that are using iDRAC for access to KVM, so fixing this was important as my boys and girls complain about it on a pretty much daily basis. Whenever we need access to KVM it is normally because some epic system crash has happened and we are all pretty stressed and animated; the last thing we need is foophy website / java nonsense to deal with!

For the TL;DR crowd, I totally invented the wrong wheel! The boys and girls at GWU had a *much* better idea... but more about that later!

Ok so here's the script I knocked up:
[James-Cuffs-MacBook-Pro]$ cat RemoteConsole.php 
<?php
$u              = "root";
$p              = "calvin";

$host           = $argv[1];
$ha             = explode('.', $host);   // short hostname, used in the console title
$loginUrl       = "https://$host/data/login";
$logoutUrl      = "https://$host/data/logout";
// the closing paren and the @timestamp@token part are appended after login
$consoleUrl     = "https://$host/viewer.jnlp($host@0@$ha[0],+Dell+RemoteConsole,+User+root";
$ustring        = "user=" . urlencode($u) . "&password=" . urlencode($p);

$ch = curl_init();

// iDRACs ship with self-signed certs, so peer verification is off here;
// that also means nothing stops a spoofed iDRAC on the path collecting the login
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt ($ch, CURLOPT_URL, $loginUrl);
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, $ustring);
curl_setopt ($ch, CURLOPT_COOKIEJAR, 'cookie.txt');   // turns on the cookie engine so the session cookie is reused
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);

$store           = curl_exec ($ch);
$xml             = simplexml_load_string($store);    // the login reply is XML
$forwardUrl      = (string) $xml->forwardUrl;        // cast: SimpleXMLElement -> string
list($junk, $ST) = explode('?', $forwardUrl, 2);     // the query string carries the session token
$index           = "https://$host/$forwardUrl";
curl_setopt($ch, CURLOPT_URL, $index);

$content         = curl_exec ($ch);
$mili            = round(microtime(true)*1000);       // millisecond timestamp the viewer URL expects
$consoleUrl      = "$consoleUrl@$mili@$ST)";

curl_setopt($ch, CURLOPT_URL, $consoleUrl);

$content         = curl_exec ($ch);
file_put_contents('console.jnlp', $content);
system("open console.jnlp");                          // macOS: hand the .jnlp to Java Web Start
sleep(20);                                            // give the viewer time to start before logging out

curl_setopt($ch, CURLOPT_URL, $logoutUrl);
$content         = curl_exec ($ch);
curl_close ($ch); 

I was *extremely* excited about this, and demoed it to the whole group at DellXL, folks were suitably impressed, until Tim Wickberg at GWU said - "oh you don't need to do any of that at all!". I was slightly taken aback, but listened on as he explained how you need to simply do one thing to make all of this php obsolete...

Turns out that, careful as the millisecond timestamp generation for the URL is, you really don't need it at all. All that scripting above (while an interesting and fun study) is mostly useless, this bit included:
$mili            = round(microtime(true)*1000);
$consoleUrl      = "$consoleUrl@$mili@$ST)";

All I actually needed to do was edit those darn .jnlp files:
[James-Cuffs-MacBook-Pro]$ egrep "user|pass" console.jnlp 
   user=2114738097
   passwd=2007905771

And replace those "one time" numeric username/password combinations! You only need to hard code those to be root/calvin!! Doh! Now you can quickly edit the .jnlp to swap the hostname and the username/password combination, and you are golden.
[James-Cuffs-MacBook-Pro]$ egrep "user|pass" console.jnlp 
   user=root
   passwd=calvin

You have an eternally working file to always launch access to any OBM/iDRAC in your environment - so simple.
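Added example, not from the original post and not drac-kvm's code: a small Python script that does the GWU trick programmatically, using a saved viewer.jnlp as a template, swapping the one-time user=/passwd= integers and the hostname, and keeping the real password out of the script and off disk once the viewer is up. The sample JNLP, the hostnames, the DRAC_USER/DRAC_PASS environment variables and the use of macOS `open` are assumptions.

```python
import os
import re
import subprocess
import sys
import tempfile
import time
from xml.sax.saxutils import escape

# Constructed stand-in for a viewer.jnlp saved by the script above (a real one
# carries more arguments); the indented user=/passwd= lines mirror the egrep output.
SAMPLE_JNLP = """<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="https://drac-template.example.net:443">
  <application-desc>
    <argument>
   user=2114738097
    </argument>
    <argument>
   passwd=2007905771
    </argument>
  </application-desc>
</jnlp>
"""

CRED_RE = re.compile(r"\b(user|passwd)=[^\s<]*")

def rewrite_jnlp(template, template_host, host, user, passwd):
    """Swap the 'one time' user/passwd integers for real credentials (XML-escaped,
    so a password with & or < cannot break the file) and every occurrence of the
    template's hostname, codebase URL included, for the target host."""
    values = {"user": escape(user), "passwd": escape(passwd)}
    body = CRED_RE.sub(lambda m: f"{m.group(1)}={values[m.group(1)]}", template)
    return body.replace(template_host, host)

def write_launch_file(content):
    """Write the launch file with mode 0600 (mkstemp's default) and return its path."""
    fd, path = tempfile.mkstemp(suffix=".jnlp")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    return path

if __name__ == "__main__":
    # usage: drac_console.py TEMPLATE.jnlp TEMPLATE_HOST TARGET_HOST; the password
    # comes from the environment, so it is never hard-coded or left in a file.
    template = open(sys.argv[1]).read()
    content = rewrite_jnlp(template, sys.argv[2], sys.argv[3],
                           os.environ.get("DRAC_USER", "root"), os.environ["DRAC_PASS"])
    path = write_launch_file(content)
    subprocess.run(["open", path], check=True)  # macOS launcher, as in the post
    time.sleep(20)                               # let Java Web Start read the file first
    os.remove(path)                              # then remove the plaintext password
```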

Well done team GWU - this discovery is pretty awesome and will help us script remote console/KVM access to 1000s of machines over in western Mass! Many thanks!

p.s. disclaimer - please don't put your iDRAC systems on a network that folks outside of your admin team can access, or your machines will no longer belong to you. We have ours on a "dark network" that only admin staff in RC can access, with 2FA via a special VPN network that only has access to the OBM and admin portions of the network! This is why we can use root/calvin with abandon!


[any opinions here are all mine, and have absolutely nothing to do with my employer]
(c) 2011 James Cuff