HowTo Headless Intel NUC vPro AMT

From NST Wiki
Revision as of 16:40, 23 July 2018

Background

We purchased an Intel NUC (NUC7i7DNHE to be precise) with Intel's vPro AMT support in July 2018 to act as a new headless build machine for NST software development. This page describes some of our findings related to setting up the Intel NUC as a headless server running NST 28. Many of these findings will apply to other Linux distributions, especially those that are based on Fedora.

Finding Intel AMT Enabled Systems

The following nmap command can be used to scan a single host for Intel AMT related ports:

[pkb@refritos ~]$ nmap -Pn -p 623,664,5900,9971,16992-16995 192.168.7.57
Starting Nmap 7.70SVN ( https://nmap.org ) at 2018-07-23 16:21 EDT
Nmap scan report for beans.attlocal.net (192.168.7.57)
Host is up (0.0021s latency).

PORT      STATE  SERVICE
623/tcp   open   oob-ws-http
664/tcp   closed secure-aux-bus
5900/tcp  open   vnc
9971/tcp  closed unknown
16992/tcp open   amt-soap-http
16993/tcp closed amt-soap-https
16994/tcp open   amt-redir-tcp
16995/tcp closed amt-redir-tls

Nmap done: 1 IP address (1 host up) scanned in 6.54 seconds
[pkb@refritos ~]$ 

This scan can take a long time if you do an entire network. If you have enabled your AMT systems to respond to ICMP pings, you can drop the -Pn option to try and speed up the scan.

Unable to Scan Self

This may be obvious, but just to be clear, you cannot scan yourself. AMT will only allow connections from external machines. If you try to scan yourself, nmap will show all ports as closed, as demonstrated below (after logging into the 192.168.7.57 machine):

[pkb@beans ~]$ nmap -p 623,664,5900,9971,16992-16995 192.168.7.57
Starting Nmap 7.70SVN ( https://nmap.org ) at 2018-07-24 00:25 EDT
Nmap scan report for beans.attlocal.net (192.168.7.57)
Host is up (0.000038s latency).

PORT      STATE  SERVICE
623/tcp   closed oob-ws-http
664/tcp   closed secure-aux-bus
5900/tcp  closed vnc
9971/tcp  closed unknown
16992/tcp closed amt-soap-http
16993/tcp closed amt-soap-https
16994/tcp closed amt-redir-tcp
16995/tcp closed amt-redir-tls 

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
[pkb@beans ~]$ 

While this makes sense (AMT is designed to manage servers out of band), it can sometimes be easy to forget.

Connecting

If the scan shows that port 16992 or 16993 is open, you should be able to open a connection to the simple AMT web interface using a web browser. For example, the previous scan of 192.168.7.57 showed that port 16992 was open, which indicates that an HTTP connection (http://192.168.7.57:16992/) should work. However, since port 16993 was shown as closed, we would not expect to be able to open an HTTPS connection (https://192.168.7.57:16993/ will not work).

Again, you will need to be on a different system in order to access the AMT web interface of the system you want to connect to.
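The scan and the port-to-URL rule above can be scripted for an inventory of AMT-enabled hosts. The following Python is an added example, not code from the NST page or its tools: it parses nmap's normal output (the scan of 192.168.7.57 shown above is embedded as sample input), reports whether AMT is reachable, picks the web interface URL by the same rule as above (HTTPS on 16993 if open, otherwise HTTP on 16992), and flags management channels that are offered without TLS. The function and constant names are my own; the meaning of ports 16994/16995 follows the service names nmap printed in the scan.

```python
"""Inventory Intel AMT exposure from saved nmap output (added example, not NST's code)."""
import re
from typing import Dict, List

# AMT-related TCP ports, as scanned by the nmap command on this page.
AMT_HTTP, AMT_HTTPS = 16992, 16993          # web interface / WS-Management
AMT_REDIR_TCP, AMT_REDIR_TLS = 16994, 16995  # serial-over-LAN and KVM redirection
AMT_VNC = 5900                               # KVM exposed as a plain VNC server

HOST_RE = re.compile(r"Nmap scan report for (?:.*\()?(\d+\.\d+\.\d+\.\d+)\)?")
PORT_RE = re.compile(r"^(\d+)/tcp\s+(open|closed|filtered)\s+(\S+)")


def parse_nmap_report(text: str) -> Dict[str, Dict[int, str]]:
    """Map each scanned IPv4 address to {port: state} from nmap's normal output."""
    hosts: Dict[str, Dict[int, str]] = {}
    current = None
    for line in text.splitlines():
        host = HOST_RE.search(line)
        if host:
            current = host.group(1)
            hosts[current] = {}
            continue
        port = PORT_RE.match(line.strip())
        if port and current is not None:
            hosts[current][int(port.group(1))] = port.group(2)
    return hosts


def assess_amt(ip: str, ports: Dict[int, str]) -> dict:
    """Decide whether AMT is reachable and which management channels lack TLS."""
    def is_open(p: int) -> bool:
        return ports.get(p) == "open"

    findings: List[str] = []
    reachable = any(is_open(p) for p in (AMT_HTTP, AMT_HTTPS, AMT_REDIR_TCP, AMT_REDIR_TLS))
    web_url = None
    if is_open(AMT_HTTPS):
        web_url = f"https://{ip}:{AMT_HTTPS}/"
    elif is_open(AMT_HTTP):
        web_url = f"http://{ip}:{AMT_HTTP}/"
        findings.append("AMT web interface reachable only over plain HTTP (16993 closed)")
    if is_open(AMT_REDIR_TCP) and not is_open(AMT_REDIR_TLS):
        findings.append("serial/KVM redirection offered without TLS (16994 open, 16995 closed)")
    if is_open(AMT_VNC):
        findings.append("AMT KVM exposed as a VNC server on 5900")
    return {"ip": ip, "amt_reachable": reachable, "web_url": web_url, "findings": findings}


def inventory(nmap_output: str) -> Dict[str, dict]:
    """One assessment record per host found in the nmap output."""
    return {ip: assess_amt(ip, ports) for ip, ports in parse_nmap_report(nmap_output).items()}


# Sample input: the scan of the NUC shown on this page, pasted verbatim.
SAMPLE = """\
Starting Nmap 7.70SVN ( https://nmap.org ) at 2018-07-23 16:21 EDT
Nmap scan report for beans.attlocal.net (192.168.7.57)
Host is up (0.0021s latency).

PORT      STATE  SERVICE
623/tcp   open   oob-ws-http
664/tcp   closed secure-aux-bus
5900/tcp  open   vnc
9971/tcp  closed unknown
16992/tcp open   amt-soap-http
16993/tcp closed amt-soap-https
16994/tcp open   amt-redir-tcp
16995/tcp closed amt-redir-tls

Nmap done: 1 IP address (1 host up) scanned in 6.54 seconds
"""

if __name__ == "__main__":
    for ip, report in inventory(SAMPLE).items():
        print(ip, "AMT reachable" if report["amt_reachable"] else "no AMT", report["web_url"])
        for finding in report["findings"]:
            print("  -", finding)
```

Run it against `nmap ... -oN scan.txt` output for a whole subnet to get one record per host; a host scanned from itself (the "Unable to Scan Self" case above) shows every port closed and is correctly reported as not reachable, so run the scan from a different machine.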

Headless Configuration

Enabling KVM (VNC) Without A Monitor

The default BIOS setting for the Intel NUC7i7DNHE made it impossible to manage the system using VNC unless a monitor was physically plugged into the system. We found that we needed to go into the BIOS and configure the display for Headless display emulation operation as shown below in a remote VNC session running in meshcommander.

File:NUC-Headless.jpg

Enabling KVM (VNC) Without A Keyboard

We also found that if we used the meshcommander web interface to power our NUC directly into the BIOS, we could only view the screen in a VNC connection, not control it, unless a USB keyboard/mouse was physically connected to the system. While we were unable to find a BIOS setting to address this issue, we did find a suitable workaround. Instead of issuing a command to power up directly into the BIOS, we did the following:

  • Started a VNC session to the AMT system (using the meshcommander web interface).
  • Powered up the system remotely (using the meshcommander web interface).
  • Pressed the F2 key at the boot screen when it appeared in our VNC session to enter the BIOS.

Entering the BIOS in this manner fooled the system into thinking that our VNC connection was providing the necessary keyboard/mouse to control the BIOS settings.

Additional Hardware Notes

Running gnome-disks to benchmark the disk read speed showed that the Samsung 970 EVO NVMe SSD was operating at about half speed. While the access times looked good, the transfer rates looked slow (at least compared to what you would expect from the 970 EVO). After a bit of googling it looks like this is a known issue with this combination (see: https://communities.intel.com/thread/126725). Hopefully there will be a BIOS update that will address this in the near future.

Linux Tools

MeshCommander

The MeshCommander project (see: http://www.meshcommander.com/meshcommander) provides an incredible tool for working with Intel vPro AMT systems on your network. It works as follows:

  • You install the npm and nodejs packages for your platform on the system that will act as the central manager.
  • You npm install the meshcommander package.
  • You start the meshcommander server.
  • You point your browser at http://127.0.0.1:3000/ (or another IPv4 address of the manager if you started it with the --any option).
  • Using the web interface, you add the Intel AMT systems on your LAN to meshcommander and manage them from there.

Once a system has been successfully added and configured, you can bring up an out-of-band serial console or remote desktop (VNC) session to each managed system.


For more information about setting up and running the meshcommander server, see: https://www.npmjs.com/package/meshcommander. The server is fairly light and can run on minimal hardware if desired (we have run it on a Raspberry Pi 3 to manage Intel systems on the network).

The amtterm Package

The amtterm package is available in Fedora (although, as noted below, one of its tools is missing a dependency). To install:

 sudo yum install amtterm

It provides the amtterm, gamt and amttool utilities and, perhaps most importantly, the amt-howto man page.

Both amtterm and gamt can be used to connect to the out-of-band serial port on an Intel system with AMT support (provided out-of-band serial access is enabled). The amtterm utility is a console application, whereas gamt is a GUI version.

The amttool relies on an older SOAP method that is no longer supported in recent AMT releases. If you need to use this tool (most likely you won't), you will need to install the perl-SOAP-Lite package.

The mei-amt-check Tool

The AMT Status Checker for Linux (mei-amt-check) tool is a simple command that allows you to detect whether or not your Intel based system supports Intel's vPro AMT out-of-band management. The following shows what the command reports on a system with AMT support (an Intel NUC7i7DNHE):

[pkb@beans ~]$ sudo /usr/sbin/mei-amt-check
AMT present: true
AMT provisioning state: provisioned
Flash:	11.8.50
Netstack:	11.8.50
AMTApps:	11.8.50
AMT:	11.8.50
Sku:	16392
VendorID:	8086
Build Number:	3425
Recovery Version:	11.8.50
Recovery Build Num:	3425
Legacy Mode:	False
[pkb@beans ~]$ 

The following shows what the tool displays on an Intel based system that does not have AMT support:

[pkb@refritos ~]$ sudo /usr/sbin/mei-amt-check 
Error: Management Engine refused connection. This probably means you don't have AMT
[pkb@refritos ~]$ 

Information for building and running this handy tool can be found at: https://github.com/mjg59/mei-amt-check.

Starting with NST 28, the NST source code contains the tools to build an mei-amt-check package.
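When checking more than a handful of machines, the two outputs above are easier to consume as records. The following Python is an added example (not part of the NST page, the mei-amt-check project, or NST's package): it parses the text mei-amt-check prints, handles the "Error:" case from a system without AMT, and attaches a short triage note. Both outputs shown above are embedded as sample input; the function names are my own.

```python
"""Turn mei-amt-check output into an inventory record (added example, not NST's code)."""
from typing import Optional


def parse_mei_amt_check(output: str) -> dict:
    """Parse the lines mei-amt-check prints; returns a record even when AMT is absent."""
    record = {"present": False, "state": None, "details": {}, "error": None}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):   # skip blank lines and pasted shell prompts
            continue
        if line.startswith("Error:"):          # "Management Engine refused connection ..."
            record["error"] = line[len("Error:"):].strip()
            continue
        key, sep, value = line.partition(":")  # "Flash:\t11.8.50" -> ("Flash", "11.8.50")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "AMT present":
            record["present"] = value.lower() == "true"
        elif key == "AMT provisioning state":
            record["state"] = value
        else:
            record["details"][key] = value     # firmware versions, SKU, build, legacy mode
    return record


def triage(record: dict) -> Optional[str]:
    """Why an administrator should look at this host, or None if there is nothing to manage."""
    if not record["present"]:
        return None                            # no AMT (including the ME-refused-connection case)
    if record["state"] == "provisioned":
        return "AMT provisioned: out-of-band management is live; confirm its credentials and TLS"
    return f"AMT present but {record['state']}: decide whether to provision or disable it"


# Sample inputs: the two outputs shown on this page, pasted verbatim.
WITH_AMT = """\
AMT present: true
AMT provisioning state: provisioned
Flash:\t11.8.50
Netstack:\t11.8.50
AMTApps:\t11.8.50
AMT:\t11.8.50
Sku:\t16392
VendorID:\t8086
Build Number:\t3425
Recovery Version:\t11.8.50
Recovery Build Num:\t3425
Legacy Mode:\tFalse
"""
WITHOUT_AMT = "Error: Management Engine refused connection. This probably means you don't have AMT\n"

if __name__ == "__main__":
    for name, text in (("beans", WITH_AMT), ("refritos", WITHOUT_AMT)):
        rec = parse_mei_amt_check(text)
        print(name, "present" if rec["present"] else "absent", rec["state"], triage(rec))
```

Feed it `sudo /usr/sbin/mei-amt-check 2>&1` collected from each host; note that, unlike the nmap scan, this check must run on the host itself.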

WS Management Command Line Interface

The wsmancli package provides the wsman and wsevtmgr utilities that can be used to query and monitor AMT based systems. To install:

yum install wsmancli

These tools are a bit difficult to use. Here is an example of using the wsman command to get identity information from an AMT based system (change AMT_PASS to the password your AMT system requires and 192.168.8.13 to the IPv4 address of your AMT based system):

[pkb@refritos ~]$ export WSMAN_PASS=AMT_PASS
[pkb@refritos ~]$ export WSMAN_USER=admin
[pkb@refritos ~]$ wsman -h 192.168.8.13 -P 623 identify
<?xml version="1.0" encoding="UTF-8"?>
<a:Envelope xmlns:a="http://www.w3.org/2003/05/soap-envelope" xmlns:b="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd" xmlns:c="http://schemas.dmtf.org/wbem/dash/1/dash.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <a:Header/>
  <a:Body>
    <b:IdentifyResponse>
      <b:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</b:ProtocolVersion>
      <b:ProductVendor>Intel(r)</b:ProductVendor>
      <b:ProductVersion>AMT 11.8</b:ProductVersion>
      <c:DASHVersion>1.0.0</c:DASHVersion>
      <b:SecurityProfiles>
        <b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/digest</b:SecurityProfileName>
        <b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/https/digest</b:SecurityProfileName>
        <b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/https/mutual/digest</b:SecurityProfileName>
        <b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/spnego-kerberos</b:SecurityProfileName>
        <b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/https/spnego-kerberos</b:SecurityProfileName>
        <b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/https/mutual/spnego-kerberos</b:SecurityProfileName>
      </b:SecurityProfiles>
    </b:IdentifyResponse>
  </a:Body>
</a:Envelope>
[pkb@refritos ~]$
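The IdentifyResponse above is more useful once the SecurityProfiles list is pulled out, because it tells you which transports and authentication methods the AMT firmware offers before you decide how to talk to it. The following Python is an added example, not part of the NST page or the wsmancli project: it parses a saved Identify response with the standard library (the response shown above is embedded as sample input) and summarises the offered profiles. The namespace prefixes and function names are my own; the profile URIs are those in the response.

```python
"""Parse a WS-Management Identify response from Intel AMT (added example, not NST's code)."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespaces used in the response; the prefixes here are local to this script.
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsmid": "http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd",
}
PROFILE_PREFIX = "http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/"


def parse_identify(xml_text: str) -> Dict[str, object]:
    """Extract vendor, version and the security profile URIs from an IdentifyResponse."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    resp = root.find("s:Body/wsmid:IdentifyResponse", NS)
    if resp is None:
        raise ValueError("not a WS-Management IdentifyResponse")

    def text(tag: str):
        el = resp.find(f"wsmid:{tag}", NS)
        return el.text.strip() if el is not None and el.text else None

    profiles = [p.text.strip() for p in
                resp.findall("wsmid:SecurityProfiles/wsmid:SecurityProfileName", NS) if p.text]
    return {"vendor": text("ProductVendor"), "version": text("ProductVersion"),
            "protocol": text("ProtocolVersion"), "security_profiles": profiles}


def profile_summary(profiles: List[str]) -> Dict[str, bool]:
    """Summarise transports/auth from the profile URI tails, e.g. https/mutual/digest."""
    summary = {"plain_http": False, "https_available": False, "mutual_tls": False, "kerberos": False}
    for uri in profiles:
        tail = uri[len(PROFILE_PREFIX):] if uri.startswith(PROFILE_PREFIX) else uri
        parts = tail.split("/")
        if parts[0] == "http":
            summary["plain_http"] = True
        if parts[0] == "https":
            summary["https_available"] = True
        if "mutual" in parts:            # client certificate (mutual TLS) profile offered
            summary["mutual_tls"] = True
        if parts[-1] == "spnego-kerberos":
            summary["kerberos"] = True
    return summary


# Sample input: the Identify response shown on this page, pasted verbatim.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<a:Envelope xmlns:a="http://www.w3.org/2003/05/soap-envelope" xmlns:b="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd" xmlns:c="http://schemas.dmtf.org/wbem/dash/1/dash.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <a:Header/>
  <a:Body>
    <b:IdentifyResponse>
      <b:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</b:ProtocolVersion>
      <b:ProductVendor>Intel(r)</b:ProductVendor>
      <b:ProductVersion>AMT 11.8</b:ProductVersion>
      <c:DASHVersion>1.0.0</c:DASHVersion>
      <b:SecurityProfiles>
        <b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/digest</b:SecurityProfileName>
        <b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/https/digest</b:SecurityProfileName>
        <b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/https/mutual/digest</b:SecurityProfileName>
        <b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/spnego-kerberos</b:SecurityProfileName>
        <b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/https/spnego-kerberos</b:SecurityProfileName>
        <b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/https/mutual/spnego-kerberos</b:SecurityProfileName>
      </b:SecurityProfiles>
    </b:IdentifyResponse>
  </a:Body>
</a:Envelope>
"""

if __name__ == "__main__":
    info = parse_identify(SAMPLE)
    print(info["vendor"], info["version"])
    print(profile_summary(info["security_profiles"]))
```

Capture the response with `wsman -h <host> -P 623 identify > identify.xml` (the WSMAN_USER/WSMAN_PASS environment shown above still applies) and pass the file contents to `parse_identify`. A summary showing `https_available` means the same Identify query, and the web interface, can be moved to TLS on port 16993 once it is enabled on the system, instead of relying on digest authentication over plain HTTP as in the example above.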