Datacenter BMC

15 cards — 🟢 4 easy | 🟡 7 medium | 🔴 4 hard

🟢 Easy (4)

1. What is a BMC and why is it always powered on?

A BMC (Baseboard Management Controller) is an independent embedded computer within a server with its own CPU (ARM), RAM, NIC, and flash storage. It runs on standby power, so it is always active as long as the server has AC power -- even when the main system is completely off. It provides out-of-band management including remote console, power control, and hardware monitoring.

2. What are the vendor-specific names for BMC products, and what protocol do they all share?

Dell calls theirs iDRAC, HP/HPE uses iLO, Supermicro uses a generic IPMI BMC, and Lenovo uses XClarity/IMM. All of them speak the IPMI protocol, so ipmitool works with all vendors. Vendor UIs add proprietary features on top of the IPMI common denominator.

3. What ipmitool commands control server power, and what is the correct order for an unresponsive server?

Key commands: power status, power soft (ACPI graceful), power off (hard), power on, power cycle, power reset. For an unresponsive server: try "power soft" first, wait 60 seconds, check SOL for shutdown progress, then escalate to "power cycle" only after confirming the OS is truly hung.

4. How does Redfish differ from IPMI for server management?

Redfish uses HTTPS with JSON payloads over TCP 443, replacing IPMI's binary protocol over UDP 623. It provides TLS encryption, token-based session auth (no RAKP hash leak), a richer data model covering storage/BIOS/NICs/firmware, and is scriptable with any HTTP client (curl, Python, Ansible).

🟡 Medium (7)

1. What is the difference between IPMI 1.5 (lan) and IPMI 2.0 (lanplus) transport?

IPMI 1.5 uses RMCP with weak MD5 authentication and no encryption. IPMI 2.0 (lanplus) uses RMCP+ with RAKP key exchange, AES-128-CBC encryption, and HMAC-SHA integrity. Always use "ipmitool -I lanplus" for remote operations. Both use UDP port 623.

2. What is Serial-over-LAN (SOL) and when would you use it?

SOL redirects the server's serial console through the BMC to your terminal over the network. Use it to see boot output (POST, GRUB, kernel messages), diagnose kernel panics, and interact with the system when the OS network stack is down. Connect with "ipmitool -I lanplus -H <bmc-host> -U admin -P pass sol activate" and disconnect with ~. (tilde-dot).

3. What is the System Event Log (SEL) and why must you export it regularly?

The SEL is a circular buffer in the BMC's non-volatile storage that records hardware events: temperature threshold crossings, fan failures, PSU faults, ECC errors, and boot events. It is small (typically 512-2048 entries). When full, events are either dropped or overwritten. Export with "ipmitool sel elist" and clear with "ipmitool sel clear" to free space.

4. What are the six IPMI sensor threshold levels, and what happens when a reading crosses one?

From lowest to highest: Lower Non-Recoverable (LNR), Lower Critical (LC), Lower Non-Critical (LNC), Upper Non-Critical (UNC), Upper Critical (UC), Upper Non-Recoverable (UNR). When a reading crosses a threshold, the BMC logs an event to the SEL and can send an SNMP trap or PET alert. View thresholds with "ipmitool sensor get <sensor-name>".

5. How do you configure the BMC network settings using ipmitool?

Use "ipmitool lan print 1" to view current settings. Set static IP with: "ipmitool lan set 1 ipsrc static", then set ipaddr, netmask, and defgw ipaddr. For DHCP: "ipmitool lan set 1 ipsrc dhcp". Set management VLAN with "ipmitool lan set 1 vlan id 100". These commands work both in-band (local) and over-LAN (remote).

6. When should you perform a BMC cold reset and what does it do?

"ipmitool mc reset cold" restarts the BMC firmware without affecting the host OS. Use it when the BMC web UI is unresponsive, sensor readings are stale, or SOL sessions won't connect. If the BMC is completely unresponsive to IPMI, a cold reset won't help -- you need an AC power cycle (pull power cables, wait 30 seconds).

7. How does Redfish eventing replace IPMI's SNMP traps?

Redfish supports push-based eventing via Server-Sent Events (SSE) streams or webhook subscriptions. Create a subscription by POSTing to /redfish/v1/EventService/Subscriptions with a destination URL, protocol, and event types. This integrates directly with modern alerting stacks like Alertmanager, replacing IPMI's SNMP trap / PET alert mechanism.

🔴 Hard (4)

1. What is the IPMI RAKP authentication vulnerability (CVE-2013-4786) and why can't it be patched?

During IPMI 2.0's RAKP handshake, the BMC returns a salted HMAC of the password to any unauthenticated client who sends a session request. An attacker can capture this hash and crack it offline (Hashcat mode 7300). This is a protocol design flaw, not an implementation bug, so it cannot be patched. The only mitigation is isolating BMC traffic on a dedicated management VLAN.

2. What is IPMI cipher suite 0 and why is it dangerous?

Cipher suite 0 means no authentication at all. Some BMCs accept it by default, allowing anyone on the network to execute IPMI commands without credentials. Test with "ipmitool -I lanplus -H <bmc-host> -C 0 -U '' -P '' chassis status" -- if it succeeds, the BMC is wide open. Disable cipher 0 via vendor-specific commands (e.g., racadm on Dell).

3. How do you mount a remote ISO via the Redfish API for OS provisioning?

POST to the VirtualMedia InsertMedia action endpoint with the image URL: curl -sk -u admin:pass -X POST https://<bmc-host>/redfish/v1/Managers/iDRAC.Embedded.1/VirtualMedia/CD/Actions/VirtualMedia.InsertMedia -H "Content-Type: application/json" -d '{"Image": "https://iso-repo/rhel9.iso"}'. Then set one-time boot to CD via PATCH to the Systems endpoint and power cycle.

4. How do you read and limit server power consumption using IPMI DCMI commands?

DCMI (Data Center Management Interface) extends IPMI for datacenter power management. Read power with "ipmitool dcmi power reading" to get instantaneous, minimum, maximum, and average watts. Set a power cap with "ipmitool dcmi power set_limit action 1 limit 350" then "ipmitool dcmi power activate". This lets you enforce rack-level power budgets.