Redfish on OpenBMC
ed.tanous at intel.com
Fri Feb 2 04:23:40 AEDT 2018
Answers for the bmcweb implementation inline below.
> - Do you have a redfish server implementation?
> - Is it Open Source?
The folder labeled redfish-core is specific to the redfish portion.
> - What is the license?
> - Is it posted to github or other public source control?
> - Does it pass the DMTF redfish service validator?
It did 3 weeks ago; a minor authentication bug snuck in that causes it to fail on service root, but that bug should be resolved in the next week.
> - What language is it written in?
> - How big is it?
Compiled and stripped size was on the order of 700KB when LTO is enabled, before filesystem compression. This includes more than just the redfish implementation, so I would have to get some specifics on a stripped down redfish-only binary size.
> - Can it be easily extended/re-used by anybody else shipping compliant
> openbmc implementations?
It was intended for use in OpenBmc. There are designs to attempt to make it more generic, but those are not yet upstream. My #1 priority is enabling OpenBmc, #2 is building a generic library that can be used outside of openbmc.
> - Can you add OEM extensions to existing Redfish Resources without
> "forking" the codebase?
Yes, but these extension examples are not open source yet.
> - Can you change the implementation for a single Redfish Resource
> Property without forking?
Nothing in the design precludes it, but it is not yet implemented. The assumption was that data would be backed by dbus to be consistent with the other openbmc interfaces, and any modifications should be done in dbus daemons outside the webserver.
> - Can you add new Redfish Resources without forking?
Not really sure what this question is specifying. Redfish resources are backed by DBus, so yes. With that said, schemas are required to be added in code.
> - Performance
> - How fast is it?
Time to first byte times are constrained by the response times of dbus and openssl as the webserver has yet to implement caching. It seems to be relatively performant, but I haven't measured these recently on an AST2500 system. We likely should normalize these to a single processor to avoid processor specific timing info. My vote would be to measure all against an AST2500, as it seems to be a decent middle of the road example of a system.
> - Does it implement SSL?
Yes, and generates its own self signed certificate and private key on first boot.
> - Security
> - What is the security model?
Authentication is handled by a single middlelayer that filters all requests before executing endpoint specific code. Authentication is backed by pam. Authorization and user roles are yet to be implemented, but I have patches that can be made public if people are interested. I suspect we need to have a greater discussion around authorization for OpenBmc as a whole, and how IPMI and Redfish can share a common model.
> - Non-root support? Can it run as a non-privileged user?
Yes, although the patches to do this are still in review.
> - Does it implement basic authentication and the redfish spec x-auth-
> token authentication?
Yes. It also supports cookie authentication (to host the webserver) with CSRF prevention. Currently, both of those are required to be able to host phosphor-webui from the same server.
> - Does it implement the redfish standard privilege map model?
Patches to do this are in (not open source) review. We should have a discussion about how privilege maps should be backed.
> - Eventing:
> - For writing a UI on top of redfish, something like SSE is a nice-to-
> have to avoid polling in the browser. There are a couple of proposed SSE
> extensions that have not yet been approved.
> - How much work to implement SSE support to do things like
> watch Property changes?
It currently supports a websocket based evented endpoint that can pass propertychanged events to a browser. Adding SSE to this implementation should be relatively easy, but I question the value add over having a websocket eventing protocol.
> - Is the standard redfish eventing model supported?
Not yet, but nothing in the design precludes it, and other eventing models are supported.
> - Security model integrated with eventing? Do eventing records get
> the same security treatment as GET requests?
Can you clarify the question a bit? I'm not sure I quite understand. Assuming you mean that server side eventing is integrated with the rest of the auth model, yes; for websockets, clients are verified on connection using cookie authentication.
> - Development: can it run outside of openbmc?
Yes, although we're considering dropping this, as it is causing some headaches with dependency management and versioning.
> - Special sauce: is there anything not captured above that makes the
> implementation special in any way?
Some questions we should also add:
Can it host phosphor-webui?
Yes, although a few endpoints are missing on my systems. The authentication and login flows function; it should just be a matter of adding the 2 missing endpoints.
Does it generate a self signed SSL certificate on first boot?
Does it support websockets? (will matter when KVM and SOL are implemented)
Is it built asynchronously in such a way that long running requests do not block quick requests? (production requirement I've heard some people voice before)
> -----Original Message-----
> From: Brad Bishop [mailto:bradleyb at fuzziesquirrel.com]
> Sent: Tuesday, January 30, 2018 7:30 PM
> To: Brown, Michael E <Michael_E_Brown at Dell.com>
> Cc: alirhas at microsoft.com; Rao, Balaji B <Balaji_B_Rao at dell.com>; Vancil,
> Paul <Paul_Vancil at Dell.com>; Tanous, Ed <ed.tanous at intel.com>;
> rolfb at us.ibm.com; jwcarman at us.ibm.com; Hariharasubramanian
> Ramasubramanian <hramasub at in.ibm.com>; pradeep.kumar36 at tcs.com;
> OpenBMC Maillist <openbmc at lists.ozlabs.org>
> Subject: Redfish on OpenBMC
> Hi Michael
> The project could really use someone to get everyone that has expressed
> interest in the future of Redfish support in OpenBMC rowing in the same
> direction. So thank you for volunteering to lead that conversation at the
> community call yesterday.
> I’ve CC’ed everyone that I know of that has expressed an interest.
> OpenBMC community: feel free to speak up if you’d like to be involved and I
> forgot you.
> The only thing I’d ask is to please post links to any meetings, minutes, or
> correspondence here on the list, so everyone can easily keep up with how
> things are going or jump in to provide feedback.
> thanks again
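The request filter described under "Security" in the reply above (one layer that authenticates every request before endpoint code runs, accepting X-Auth-Token and cookie sessions with CSRF prevention), shown as an added example that is not bmcweb code and not part of the thread. The `SESSION` cookie name, the `x-xsrf-token` header, the in-memory session map and all function names are assumptions; Basic authentication and the PAM back end are left out.

```cpp
// Added illustration, not bmcweb code. Cookie/header names and types are assumptions.
#include <functional>
#include <map>
#include <string>

using Headers = std::map<std::string, std::string>;  // lower-cased header names
struct Request { std::string method; Headers headers; };
struct Session { std::string user, csrfToken; };
using Sessions = std::map<std::string, Session>;     // session token -> session

// Extract one value from a "k1=v1; k2=v2" Cookie header; "" if absent.
std::string cookieValue(const std::string& hdr, const std::string& name) {
    const std::string key = name + "=";
    for (size_t pos = 0; pos < hdr.size();) {
        size_t end = hdr.find(';', pos);
        if (end == std::string::npos) end = hdr.size();
        while (pos < end && hdr[pos] == ' ') ++pos;
        if (pos + key.size() <= end && hdr.compare(pos, key.size(), key) == 0)
            return hdr.substr(pos + key.size(), end - pos - key.size());
        pos = end + 1;
    }
    return "";
}

// Single filter run before any endpoint: returns 401/403 or the endpoint's status.
int handle(const Request& r, const Sessions& sessions,
           const std::function<int(const std::string& user)>& endpoint) {
    auto hdr = [&](const char* n) {
        auto it = r.headers.find(n);
        return it == r.headers.end() ? std::string() : it->second;
    };
    std::string tok = hdr("x-auth-token");
    const bool viaCookie = tok.empty();
    if (viaCookie) tok = cookieValue(hdr("cookie"), "SESSION");
    auto s = sessions.find(tok);
    if (tok.empty() || s == sessions.end()) return 401;
    // Browsers attach cookies automatically, so cookie-authenticated requests
    // that change state must also echo the session's CSRF token in a header.
    const bool safe = r.method == "GET" || r.method == "HEAD";
    const std::string& csrf = s->second.csrfToken;
    if (viaCookie && !safe && (csrf.empty() || hdr("x-xsrf-token") != csrf)) return 403;
    return endpoint(s->second.user);
}

// Constructed sample session and endpoint used to exercise the filter.
int demo(const std::string& method, const Headers& headers) {
    const Sessions sessions = {{"tok-A", {"admin", "csrf-1"}}};
    return handle({method, headers}, sessions, [](const std::string&) { return 200; });
}
```

A token sent in `X-Auth-Token` is never attached by the browser on its own, which is why only the cookie path carries the CSRF check here.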