Redfish on OpenBMC

Michael E Brown Michael.E.Brown at
Tue Feb 6 17:56:59 AEDT 2018

On Thu, Feb 01, 2018 at 05:23:40PM +0000, Tanous, Ed wrote:
> Answers for the bmcweb implementation inline below.

All the answers for this implementation sound great. I'll have to take a closer look at the implementation.

> -Ed
> >    - Do you have a redfish server implementation?
> Yes.
> >    - Is it Open Source?
> Yes.
> The folder labeled redfish-core is specific to the redfish portion.
> > 	- What is the license?
> Apache 2.0
> > 	- Is it posted to github or other public source control?
> Yes
> >    - Does it pass the DMTF redfish service validator?
> It did 3 weeks ago; a minor authentication bug snuck in that causes it to fail on service root, but that bug should be resolved in the next week.
> >    - What language is it written in?
> C++14
> >    - How big is it?
> Compiled and stripped size was on the order of 700KB when LTO is enabled, before filesystem compression.  This includes more than just the redfish implementation, so I would have to get some specifics on a stripped down redfish-only binary size.
> >    - Can it be easily extended/re-used by anybody else shipping compliant
> > openbmc implementations?
> It was intended for use in OpenBmc.  There are designs to attempt to make it more generic, but those are not yet upstream.  My #1 priority is enabling OpenBmc, #2 is building a generic library that can be used outside of openbmc.
> > 	- Can you add OEM extensions to existing Redfish Resources without
> > "forking" the codebase?
> Yes, but these extension examples are not open source yet.

I'm curious: "not open source yet"? So, you have two forks of this codebase? It sounds like you have an internal Intel one and this one that you are migrating code between. How does that process work?

> > 	- Can you change the implementation for a single Redfish Resource
> > Property without forking?
> Nothing in the design precludes it, but it is not yet implemented.  The assumption was that data would be backed by dbus to be consistent with the other openbmc interfaces, and any modifications should be done in dbus daemons outside the webserver.

I'll have to take a look at the source, because I think you interpreted the question differently than I intended.

> > 	- Can you add new Redfish Resources without forking?
> Not really sure what this question is specifying.  Redfish resources are backed by DBus, so yes.  With that said, schemas are required to be added in code.
> >    - Performance
> > 	- How fast is it?
> Time to first byte times are constrained by the response times of dbus and openssl as the webserver has yet to implement caching.  It seems to be relatively performant, but I haven't measured these recently on an AST2500 system.  We likely should normalize these to a single processor to avoid processor specific timing info.  My vote would be to measure all against an AST2500, as it seems to be a decent middle of the road example of a system.

I can agree on baselining the benchmarking so we compare apples to apples. I have access to only a Nuvoton system, though, so I'd have to work on getting my stuff tested on AST.

> > 	- Does it implement SSL?
> Yes, and generates its own self signed certificate and private key on first boot.


> >    - Security
> > 	- What is the security model?
> Authentication is handled by a single middlelayer that filters all requests before executing endpoint specific code.  Authentication is backed by PAM.  Authorization and user roles are yet to be implemented, but I have patches that can be made public if people are interested.  I suspect we need to have a greater discussion around authorization for OpenBmc as a whole, and how IPMI and Redfish can share a common model.

Yes, we absolutely need to have a better discussion about how we implement a more cohesive security model.

> > 	- Non-root support? Can it run as a non-privileged user?
> Yes, although the patches to do this are still in review.
> > 	- Does it implement basic authentication and the redfish spec x-auth-
> > token authentication?
> Yes.  As well it also supports cookie authentication (to host the webserver) with CSRF prevention.  Currently, both of those are required to be able to host phosphor-webui from the same server.

Sounds good. I should have added in there OAuth 2.0 support; if we do OpenID Connect support at some point, it would be nice to have OAuth support to build on.

> > 	- Does it implement the redfish standard privilege map model?
> Patches to do this are in (not open source) review.  We should have a discussion about how privilege maps should be backed.

Same with all of the privilege model questions.

> >    - Eventing:
> > 	- For writing a UI on top of redfish, something like SSE is a nice-to-
> > have to avoid polling in the browser. There are a couple of proposed SSE
> > extensions that have not yet been approved.
> > 		- How much work to implement SSE support to do things like
> > watch Property changes?
> It currently supports a websocket based evented endpoint that can pass propertychanged events to a browser.  Adding SSE to this implementation should be relatively easy, but I question the value add over having a websocket eventing protocol.

Dell is currently working on submitting SSE support to SPMF for standardization. The people I talked with were concerned that websockets were *too* general and would quickly become swamped with feature requests for everything under the sun. SSE seemed way more constrained.

> > 	- Is the standard redfish eventing model supported?
> Not yet, but nothing in the design precludes it, and other eventing models are supported.

Fair enough.

> > 	- Security model integrated with eventing? Do eventing records get
> > the same security treatment as GET requests?
> Can you clarify the question a bit, I'm not sure I quite understand?  Assuming you mean that server side eventing is integrated with the rest of the auth model, yes, for websockets clients are verified on connection using cookie authentication.

Meaning, for example, a user with ReadOnly starts an SSE session, that user should only get propertychanged for redfish elements that are accessible for ReadOnly.

> >    - Development: can it run outside of openbmc?
> Yes, although we're considering dropping this, as it is causing some headaches with dependency management and versioning.

What kind of headaches?

> >    - Special sauce: is there anything not captured above that makes the
> > implementation special in any way?
> Some questions we should also add:
> Can it host phosphor-webui?
> Yes, although a few endpoints are missing on my systems, but the authentication and login flows function, it should just be a matter of adding the 2 missing endpoints.


> Does it generate a self signed SSL certificate on first boot?
> Yes

Does it do only a self-signed server cert? Or does it create a CA and then sign a server cert with the CA?

Does it pass certificate checks on curl/Linux, curl/macos, and chrome? I had to do a bit of work to ensure that everything was compatible across all of the combinations of clients. Does it populate commonName and SAN for all local IPs?

> Does it support websockets?  (will matter when KVM and SOL are implemented)
> Yes
> Is it built asynchronously in such a way that long running requests do not block quick requests?  (production requirement I've heard some people voice before)
> Yes

Super important. Does it also parallelize all of the backend calls?

> -Ed
> > 
> > --
> > Michael
> > 
> > -----Original Message-----
> > From: Brad Bishop [mailto:bradleyb at]
> > Sent: Tuesday, January 30, 2018 7:30 PM
> > To: Brown, Michael E <Michael_E_Brown at>
> > Cc: alirhas at; Rao, Balaji B <Balaji_B_Rao at>; Vancil,
> > Paul <Paul_Vancil at>; Tanous, Ed <ed.tanous at>;
> > rolfb at; jwcarman at; Hariharasubramanian
> > Ramasubramanian <hramasub at>; pradeep.kumar36 at;
> > OpenBMC Maillist <openbmc at>
> > Subject: Redfish on OpenBMC
> > 
> > Hi Michael
> > 
> > The project could really use someone to get everyone that has expressed
> > interest in the future of Redfish support in OpenBMC rowing in the same
> > direction.  So thank you for volunteering to lead that conversation at the
> > community call yesterday.
> > 
> > I’ve CC’ed everyone that I know of that has expressed an interest.
> > OpenBMC community: feel free to speak up if you’d like to be involved and I
> > forgot you.
> > 
> > The only thing I’d ask is to please post links to any meetings, minutes, or
> > correspondence here on the list, so everyone can easily keep up with how
> > things are going or jump in to provide feedback.
> > 
> > thanks again
> > 
> > -brad
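
The eventing question above (a ReadOnly session should only receive propertychanged events for resources that role could GET), sketched as an added example; it is not part of the original message and is not bmcweb code. The names `kGetPrivileges`, `mayRead`, `eventsForSession` and `sampleEvents`, the sample URIs and the simplified privilege map are assumptions made for illustration; the role-to-privilege assignments are those of the Redfish standard roles.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>

using Privileges = std::set<std::string>;
struct PropertyChanged { std::string resource, property; };
using Events = std::vector<PropertyChanged>;

// Privileges the Redfish specification assigns to its standard roles.
Privileges privilegesForRole(const std::string& role) {
    if (role == "Administrator") return {"Login", "ConfigureManager",
        "ConfigureUsers", "ConfigureSelf", "ConfigureComponents"};
    if (role == "Operator") return {"Login", "ConfigureSelf", "ConfigureComponents"};
    if (role == "ReadOnly") return {"Login", "ConfigureSelf"};
    return {};  // unknown role: no privileges (fail closed)
}

// Constructed, simplified GET privilege map: any one listed privilege allows
// the read. The ConfigureSelf "own account" rule is deliberately left out.
const std::map<std::string, Privileges> kGetPrivileges = {
    {"/redfish/v1/Chassis/1/Thermal", {"Login"}},
    {"/redfish/v1/AccountService/Accounts/2", {"ConfigureUsers", "ConfigureManager"}}};

// The decision a GET on the resource would get; unmapped resources are denied.
bool mayRead(const Privileges& held, const std::string& resource) {
    auto it = kGetPrivileges.find(resource);
    if (it == kGetPrivileges.end()) return false;
    for (const auto& needed : it->second)
        if (held.count(needed)) return true;
    return false;
}

// Keep only the pending events whose resource the session's role may read.
Events eventsForSession(const std::string& role, const Events& pending) {
    Events out;
    const Privileges held = privilegesForRole(role);
    for (const auto& e : pending)
        if (mayRead(held, e.resource)) out.push_back(e);
    return out;
}

// Constructed sample events; the last resource is absent from the map.
Events sampleEvents() {
    return {{"/redfish/v1/Chassis/1/Thermal", "ReadingCelsius"},
            {"/redfish/v1/AccountService/Accounts/2", "Locked"},
            {"/redfish/v1/Oem/Unmapped", "Value"}};
}

int main() { return eventsForSession("ReadOnly", sampleEvents()).size() == 1 ? 0 : 1; }
```

Routing the event path through the same check as GET keeps a property change from leaking data that the session could not have fetched directly.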
