Translate

Image of RHCE Red Hat Certified Engineer Linux Study Guide (Exam RH302) (Certification Press)
Image of Advanced Programming in the UNIX Environment, Second Edition (Addison-Wesley Professional Computing Series)
Image of Android Wireless Application Development
Image of XSLT 2.0 and XPath 2.0 Programmer's Reference (Programmer to Programmer)

OpenLMI - Open Linux Management Interface

According to the OpenLMI project webpage:

OpenLPI provides a common infrastructure for the management of Linux systems. Capabilities include configuration, management and monitoring of hardware, operating systems, and system services. OpenLMI includes a set of services that can be accessed both locally and remotely, multiple language bindings, standard APIs, and standard scripting interfaces.

OpenLMI is a another attempt by Red Hat to provide unified management of Linux systems. This is not their first attempt to provide such functionality. Their previous (failed) attempt back in the 2010/2011 era was called Matahari and was based on Apache Qpid QMF (AMQP Messaging – Qpid Management Framework). The Matahari agent framework (matahari-*) packages were deprecated in the Red Hat Enterprise Linux 6.3 release.

It is based on DTMF (Distributed Management Task Force) CIM (Common Information Model). Yes, I hear your groans! I also groaned when I first heard about OpenLMI and its use of CIM. I have many scars from using CIM in the late 1990s. In my humble opinion, some of the CIM schemas make no sense except to individual companies. For example the DMTF networking schema was essentially written by Citrix and is probably only used by Citrix. BTW, DMTF used be called the Desktop Management Task Force.

The primary focus of OpenLMI appears to be configuring and managing enterprise hardware, especially storage and networks. OpenLMI can be used on either physical servers or on virtual machine guests. By design, OpenLMI provides a common management interface to multiple versions of Red Hat Enterprise Linux (RHEL) and Fedora. It is intended to provide an abstraction layer to hide much of the complexity of the underlying system from systems administrators.

Architecturally, OpenLMI consists of system management agents installed on a managed system, a controller to manage these agents and provide an interface to them, and client applications or scripts which call the management agents through the controller. OpenLMI leverages existing standard-based infrastructure components already existing in RHEL and Fedora such as Pegasus CIMOM but provides new (OpenLMI) system agents. Note that CIMOM (Common Information Model Object Manager) is also a CIM object. System agents are more commonly called providers in OpenLMI.

Providers currently available include:

  • Networking – providers for network management
  • Account Management – providers for management of users and groups
  • Proxy – generator of provider handing over requests processing to CIMMOM
  • Storage Management – providers for management of storage and mounting. It uses Blivet, the former Anaconda storage library, to manage storage.
  • Software Management – providers for management of software

OpenLMI does not attempt to deliver a complete systems management solution. It simply provides the low-level functions, capabilities and interfaces (APIs) that can be called from scripts or system management consoles. Supported interfaces include C, C++, Python, Java, and a OpenLMI shell. These interfaces are implemented as language bindings to the underlying system agents.

Fedora 19 does not install OpenLMI by default. An OpenLMI controller and a set of OpenLMI agents must be installed on the system to be managed. Specifically, OpenLMI requires you to install WBEM (Web-Based Enterprise Management) support on your system. Either OpenPegasus or the Small Footprint CIM Broker (SFCB) package can be used. OpenPegasus is an open-source implementation of the DMTF CIM and WBEM standards. It is written in C++ and is a comprehensive implementation. SFCB is a CIM server for resource-constrained and embedded environments. It is written in C and designed to be modular and lightweight. For the purposes of this blog, I used the OpenPegasus package.

If you use the Pegasus package, a user called pegasus is created on your system. You have to set the password for pegasus using the passwd command and then restart the tog-pegasus service.

Another package that I installed was YAWN (Yet Another WBEM Navigator). YAWN is a web browser-based CIM client. It runs under Apache and requires mod-python. Currently YAWN works with SFCB, Pegasus, and OpenWBEM.

To show you how convoluted and unwieldy CIM namespaces can be, let us use YAWN to explore what CIM exposes. If you point your favourite web browser to http://localhost/yawn/, this is the initial webpage that you should be:

Type in localhost as the Host, and click the Login button. After entering the credentials for the pegasus user, you should see a list of namespaces.

Select root/cimv2 and all the CIM classes for root/cimv2 are displayed.

If you select the Linux_UnixProcess class you will see a webpage something like the following:

Click on the Instance names link to get a listing of all instances of Linux_UnixProcess. Essentially, this is a listing of all the processes on your system:

Here is what the output looks like if I get details of instance (process) number 9:

You can also programmatically obtain information from CIMOM about processes and more. Here is an example of how to use the lmishell to get information about processes.

$ cat demo.py
#!/usr/bin/lmishell

c = connect("localhost", "user", "password")

procs = c.root.cimv2.Linux_UnixProcess.instances()
for p in procs:
    # print "{} {} {} {}".format(p.handle, p.ParentProcessID, p.Name, p.CreationDate)
    print "%6s %6s %s %s" % (p.handle, p.ParentProcessID, p.CreationDate, p.Name)

$ ./demo.py
     1      0              systemd 20130711002020.000000-300
     2      0             kthreadd 20130711002020.000000-300
     3      2          ksoftirqd/0 20130711002020.000000-300
     5      2         kworker/0:0H 20130711002020.000000-300
     7      2         kworker/u:0H 20130711002020.000000-300
     8      2          migration/0 20130711002020.000000-300
     9      2               rcu_bh 20130711002020.000000-300
    10      2            rcu_sched 20130711002020.000000-300
    11      2           watchdog/0 20130711002020.000000-300
    12      2           watchdog/1 20130711002020.000000-300
    13      2          migration/1 20130711002020.000000-300
    14      2          ksoftirqd/1 20130711002020.000000-300
    16      2         kworker/1:0H 20130711002020.000000-300
    17      2           watchdog/2 20130711002020.000000-300
    18      2          migration/2 20130711002020.000000-300
    19      2          ksoftirqd/2 20130711002020.000000-300
    21      2         kworker/2:0H 20130711002020.000000-300
    22      2           watchdog/3 20130711002020.000000-300
    23      2          migration/3 20130711002020.000000-300
    24      2          ksoftirqd/3 20130711002020.000000-300
    26      2         kworker/3:0H 20130711002020.000000-300
    27      2              khelper 20130711002020.000000-300
    28      2            kdevtmpfs 20130711002020.000000-300
    29      2                netns 20130711002020.000000-300
    30      2          bdi-default 20130711002020.000000-300
    31      2          kintegrityd 20130711002020.000000-300
    32      2              kblockd 20130711002020.000000-300
    33      2              ata_sff 20130711002020.000000-300
    34      2                khubd 20130711002020.000000-300
    35      2                   md 20130711002020.000000-300
    60      2              kswapd0 20130711002020.000000-300
    61      2                 ksmd 20130711002020.000000-300
    62      2           khugepaged 20130711002020.000000-300
    63      2        fsnotify_mark 20130711002020.000000-300
    64      2               crypto 20130711002020.000000-300
    72      2             kthrotld 20130711002020.000000-300
    75      2            scsi_eh_0 20130711002020.000000-300
    76      2            scsi_eh_1 20130711002020.000000-300
    77      2            scsi_eh_2 20130711002020.000000-300
    78      2            scsi_eh_3 20130711002020.000000-300
    79      2            scsi_eh_4 20130711002020.000000-300
    80      2            scsi_eh_5 20130711002020.000000-300
    86      2            kpsmoused 20130711002020.000000-300
    88      2              deferwq 20130711002020.000000-300
    96      2              kauditd 20130711002021.000000-300
   149      2         kworker/1:1H 20130711002021.000000-300
   151      2            scsi_eh_6 20130711002021.000000-300
   152      2            scsi_wq_6 20130711002021.000000-300
   153      2         kworker/0:1H 20130711002021.000000-300
   154      2         kworker/3:1H 20130711002021.000000-300
   157      2         kworker/2:1H 20130711002021.000000-300
   166      2          jbd2/sda3-8 20130711002027.000000-300
   167      2      ext4-dio-unwrit 20130711002027.000000-300
   207      1     systemd-journald 20130711002029.000000-300
   217      1              lvmetad 20130711002030.000000-300
   235      1        systemd-udevd 20130711002031.000000-300
   288      2            hd-audio0 20130711002032.000000-300
   309      2      kvm-irqfd-clean 20130711002032.000000-300
   335      2          jbd2/sda2-8 20130711002035.000000-300
   336      2      ext4-dio-unwrit 20130711002035.000000-300
   349      2          jbd2/sda5-8 20130711002037.000000-300
   350      2      ext4-dio-unwrit 20130711002037.000000-300
   353      2          jbd2/sdb1-8 20130711002038.000000-300
   354      2      ext4-dio-unwrit 20130711002038.000000-300
   359      1               auditd 20130711002038.000000-300
   365    359              audispd 20130711002038.000000-300
   367    365           sedispatch 20130711002038.000000-300
   375      1              alsactl 20130711002038.000000-300
   377      1               python 20130711002038.000000-300
   379      1           irqbalance 20130711002038.000000-300
   382      1               smartd 20130711002038.000000-300
   384      1             rsyslogd 20130711002038.000000-300
   388      1       systemd-logind 20130711002038.000000-300
   389      1                  gpm 20130711002038.000000-300
   390      1                cupsd 20130711002038.000000-300
   391      1          dbus-daemon 20130711002038.000000-300
   393      1              chronyd 20130711002038.000000-300
   394      1                  gdm 20130711002038.000000-300
   395      1                crond 20130711002038.000000-300
   396      1                  atd 20130711002038.000000-300
   401      1                acpid 20130711002038.000000-300
   403      1               mcelog 20130711002038.000000-300
   407    394     gdm-simple-slave 20130711002038.000000-300
   413      1               colord 20130711002045.000000-300
   415      1       NetworkManager 20130711002045.000000-300
   440    407                 Xorg 20130711002045.000000-300
   455      1        modem-manager 20130711002045.000000-300
   461      1             libvirtd 20130711002045.000000-300
   465      1              rpcbind 20130711002045.000000-300
   483      1                httpd 20130711002045.000000-300
   485      1                 sshd 20130711002045.000000-300
   488      1      accounts-daemon 20130711002045.000000-300
   544      1            sendmail: 20130711002045.000000-300
   586      1            sendmail: 20130711002045.000000-300
   731      1   console-kit-daemon 20130711002046.000000-300
   934      1              upowerd 20130711002047.000000-300
  1029      1         rtkit-daemon 20130711002047.000000-300
  1095    483                httpd 20130711002048.000000-300
  1096    483                httpd 20130711002048.000000-300
  1097    483                httpd 20130711002048.000000-300
  1098    483                httpd 20130711002048.000000-300
  1099    483                httpd 20130711002048.000000-300
  1123      1              dnsmasq 20130711002048.000000-300
  1269    407   gdm-session-worker 20130711002111.000000-300
  1277      1 gnome-keyring-daemon 20130711002115.000000-300
  1279   1269        gnome-session 20130711002115.000000-300
  1287      1          dbus-launch 20130711002115.000000-300
  1288      1          dbus-daemon 20130711002115.000000-300
  1352      1                gvfsd 20130711002115.000000-300
  1373      1           gvfsd-fuse 20130711002115.000000-300
  1447      1  at-spi-bus-launcher 20130711002116.000000-300
  1451   1447          dbus-daemon 20130711002116.000000-300
  1454      1    at-spi2-registryd 20130711002116.000000-300
  1463   1279 gnome-settings-daemon 20130711002116.000000-300
  1480      1           pulseaudio 20130711002116.000000-300
  1502      1 gvfs-udisks2-volume-monitor 20130711002117.000000-300
  1504      1              udisksd 20130711002117.000000-300
  1509   1480         gconf-helper 20130711002117.000000-300
  1512      1             gconfd-2 20130711002117.000000-300
  1515      1 gvfs-gphoto2-volume-monitor 20130711002117.000000-300
  1519      1 gvfs-afc-volume-monitor 20130711002117.000000-300
  1531      1          gsd-printer 20130711002118.000000-300
  1533      1        dconf-service 20130711002118.000000-300
  1545   1279          gnome-shell 20130711002118.000000-300
  1550      1          ibus-daemon 20130711002118.000000-300
  1558   1550           ibus-dconf 20130711002118.000000-300
  1561      1             ibus-x11 20130711002118.000000-300
  1569      1 gnome-shell-calendar-server 20130711002118.000000-300
  1577      1 evolution-source-registry 20130711002119.000000-300
  1583      1    mission-control-5 20130711002119.000000-300
  1588   1550   ibus-engine-simple 20130711002119.000000-300
  1590      1           goa-daemon 20130711002119.000000-300
  1624   1279            nm-applet 20130711002119.000000-300
  1627   1279               python 20130711002119.000000-300
  1632   1279     tracker-miner-fs 20130711002119.000000-300
  1633   1279     deja-dup-monitor 20130711002119.000000-300
  1635   1279        tracker-store 20130711002119.000000-300
  1636   1279 evolution-alarm-notify 20130711002120.000000-300
  1656   1279          abrt-applet 20130711002120.000000-300
  1674      1 evolution-calendar-factory 20130711002121.000000-300
  1694   1279    zeitgeist-datahub 20130711002121.000000-300
  1701      1     zeitgeist-daemon 20130711002121.000000-300
  1755      1        zeitgeist-fts 20130711002121.000000-300
  1808   1755                  cat 20130711002121.000000-300
  1831      1 evolution-addressbook-factory 20130711002122.000000-300
  1873      1           gvfsd-burn 20130711002124.000000-300
  3152      2        lpfc_worker_0 20130711034101.000000-300
  3155      2         kworker/u:28 20130711034101.000000-300
  3156      2         kworker/u:29 20130711034101.000000-300
  3764      1 gnome-terminal-server 20130711044843.000000-300
  3767   3764     gnome-pty-helper 20130711044843.000000-300
  3768   3764                 bash 20130711044843.000000-300
  6306    415             dhclient 20130711121940.000000-300
  6690      1       gvfsd-metadata 20130711131148.000000-300
  7069      1          gvfsd-trash 20130711140717.000000-300
  7423      2          kworker/3:2 20130711141548.000000-300
  7513      1              polkitd 20130711144803.000000-300
  8389      2          kworker/2:2 20130711170830.000000-300
  8404      2          kworker/1:0 20130711171356.000000-300
  8453      2          kworker/1:1 20130711172515.000000-300
  8567   1545              firefox 20130711174340.000000-300
  8642    483                httpd 20130711174402.000000-300
  8644    483                httpd 20130711174403.000000-300
  8808      2          kworker/3:0 20130711175401.000000-300
  8843      1            cimserver 20130711175750.000000-300
  9060      2          kworker/0:0 20130711180701.000000-300
  9205      2            flush-8:0 20130711183706.000000-300
  9237      2           flush-8:16 20130711190030.000000-300
  9260      2          kworker/2:0 20130711190100.000000-300
  9589    483                httpd 20130711191642.000000-300
  9590    483                httpd 20130711191643.000000-300
  9591    483                httpd 20130711191643.000000-300
  9906   3764                 bash 20130711193523.000000-300
  9994      2          kworker/0:1 20130711193700.000000-300
 10063   8567     plugin-container 20130711193829.000000-300
 10096   1545             nautilus 20130711193959.000000-300
 10155      1           cimprovagt 20130711194458.000000-300
 10194      1          packagekitd 20130711194803.000000-300
 10229   3768               python 20130711194912.000000-300
 10230  10155                   sh None
 10231  10230                   ps None


Security in OpenLMI is problematic. For example, I can, as a regular user, return the encoded password of another user if I know the CIMOM username and password.

$ cat demo1.py
#!/bin/lmishell

c = connect("localhost", "username", "passsword")

p = c.root.cimv2.LMI_Account.first_instance(key="name", value="root")
print "{} {}".format (p.Name, p.userPassword)

$ ./demo1.py
root [u'$6$OeHcJ066CyxGYah5$248KbUKRDZ/d8JAbouLsmkLTXZhAQeUMrY8YaMlF5kAQt754logoG9VwuWrLcaCPb0b3lcw0Qui2kBNRmGJNx0']


Note how easy it is the retrieve the encrypted password for root from /etc/shadow. We also get the password encoding scheme (6 = SHA256) and the salt!

$ cat demo2.py
#!/bin/python

import pywbem

url = "https://localhost:5989"
username = "pegasus"
password = "password"

c = pywbem.WBEMConnection(url, (username, password),)
slct = 'select Name, userPassword from LMI_Account where Name = "root"'
#print c.ExecQuery('WQL', slct)[0].tomof()
p = c.ExecQuery('WQL', 'select Name, userPassword from LMI_Account where Name = "root"')
print p[0].tomof()

$ ./demo2.py
instance of LMI_Account {
	UserPassword = {"$6$OeHdJ066CyxGYah5$248KbUPRDZ/d8JAbouLsmkLTXZqAQeUMrY8YxMlF2kAQt754lggoG9VsuWrLcaCPb0b4lcw0Qui2kKNRmAJNx0"};
	Name = "root";
};


As you can see from the above, this is not a specific problem with lmishell; it is a systematic problem. pywbem is a Python library for making CIM operations over HTTP using the WBEM CIM-XML protocol. YAWN also uses pywbem. In pywbem, the local namespace is root/cimv2.

If you install the sblim-wbemcli package you call also access this data using wbemcli

$ wbemcli -noverify gi -nl 'https://pegasus:password@localhost:5989/root/cimv2:LMI_Account.Name="root",CreationClassName="LMI_Account",SystemCreationClassName="Linux_ComputerSystem",SystemName="ultra.xfpmurphy.com"'

localhost:5989/root/cimv2:LMI_Account.Name="root",CreationClassName="LMI_Account",SystemCreationClassName="Linux_ComputerSystem",SystemName="ultra.xfpmurphy.com"
-InstanceID=
-Caption=
-Description=
-ElementName="root"
-Generation=
-InstallDate=
-OperationalStatus=
-StatusDescriptions=
-Status=
-HealthState=
-CommunicationStatus=
-DetailedStatus=
-OperatingStatus=
-PrimaryStatus=
-EnabledState=5
-OtherEnabledState=
-RequestedState=12
-EnabledDefault=2
-TimeOfLastStateChange=
-AvailableRequestedStates=
-TransitioningToState=12
-SystemCreationClassName="Linux_ComputerSystem"
-SystemName="ultra.xfpmurphy.com"
-CreationClassName="LMI_Account"
-Name="root"
-UserID="0"
-ObjectClass=
-Descriptions=
-Host="ultra.xfpmurphy.com"
-LocalityName=
-OrganizationName=""
-OU=
-SeeAlso=
-UserCertificate=
-UserPassword="$6$OeHcJ066CyxGYah5$268KbUKRDZ/d8JAGoismkLTXZqAQeUOrY8YxMlF5kAQt754lggoG9VsuWrLcaCPb0b3lcw0Qui2kKNRmGJNx0"
-PasswordHistoryDepth=
-PasswordExpiration=
-ComplexPasswordRulesEnforced=
-InactivityTimeout=
-MaximumSuccessiveLoginFailures=
-LastLogin=20130704161216.000000+000
-UserPasswordEncryptionAlgorithm=
-OtherUserPasswordEncryptionAlgorithm=
-UserPasswordEncoding=2
-HomeDirectory="/root"
-LoginShell="/bin/bash"
-PasswordLastChange=20120519000000.000000+000
-PasswordPossibleChange=00000000000000.000000:000
-PasswordExpirationWarning=
-PasswordInactivation=
-AccountExpiration=

OpenLMI is in the early stage of development. Not all functionality is available. The OpenLMI developers appear to welcome input from interested parties and that is goodness. Will OpenLMI succeed? Possibly if OpenLMI successfully integrates with established control panels like cPanel or Plesk. However, until the security holes in OpenLMI are plugged, no system administrator should deploy OpenLMI on any systems that need to be secure.

Comments are closed.