Difference between revisions of "HowTo Headless Intel NUC vPro AMT"
Revision as of 15:40, 23 July 2018
- 1 Background
- 2 Finding Intel AMT Enabled Systems
- 3 Headless Configuration
- 4 Linux Tools
Background
We purchased an Intel NUC (NUC7i7DNHE to be precise) with Intel's vPro AMT support in July 2018 to act as a new headless build machine for NST software development. This page describes some of our findings related to setting up the Intel NUC as a headless server running NST 28. Many of these findings will apply to other Linux distributions, especially those that are based on Fedora.
Finding Intel AMT Enabled Systems
The following nmap command can be used to scan a single host for Intel AMT related ports:
[pkb@refritos ~]$ nmap -Pn -p 623,664,5900,9971,16992-16995 192.168.7.57
Starting Nmap 7.70SVN ( https://nmap.org ) at 2018-07-23 16:21 EDT
Nmap scan report for beans.attlocal.net (192.168.7.57)
Host is up (0.0021s latency).

PORT      STATE  SERVICE
623/tcp   open   oob-ws-http
664/tcp   closed secure-aux-bus
5900/tcp  open   vnc
9971/tcp  closed unknown
16992/tcp open   amt-soap-http
16993/tcp closed amt-soap-https
16994/tcp open   amt-redir-tcp
16995/tcp closed amt-redir-tls

Nmap done: 1 IP address (1 host up) scanned in 6.54 seconds
[pkb@refritos ~]$
This scan can take a long time if you run it across an entire network, because -Pn treats every address as up and port-scans it. If you have configured your AMT systems to respond to ICMP pings, you can drop the -Pn option so that nmap only port-scans hosts that answer. Note the pattern in the output above: 623 (WS-Management over HTTP), 16992 (the AMT web interface and WS-Management over HTTP) and 16994 (the AMT redirection protocol used for serial-over-LAN, IDE redirection and KVM) are open, while their TLS counterparts 16993 and 16995 are closed, so this particular system can only be managed over plaintext connections. Port 5900 is AMT's KVM server in standard VNC mode.
Unable to Scan Self
This may be obvious, but just to be clear: you cannot scan a system's AMT ports from that system itself. The AMT ports are served by the Management Engine, which intercepts that traffic at the network interface before the host operating system ever sees it, and packets the host sends to its own address never reach the network interface at all. If you try to scan yourself, nmap will show all ports as closed, as demonstrated below (after logging into the 192.168.7.57 machine):
[pkb@beans ~]$ nmap -p 623,664,5900,9971,16992-16995 192.168.7.57
Starting Nmap 7.70SVN ( https://nmap.org ) at 2018-07-24 00:25 EDT
Nmap scan report for beans.attlocal.net (192.168.7.57)
Host is up (0.000038s latency).

PORT      STATE  SERVICE
623/tcp   closed oob-ws-http
664/tcp   closed secure-aux-bus
5900/tcp  closed vnc
9971/tcp  closed unknown
16992/tcp closed amt-soap-http
16993/tcp closed amt-soap-https
16994/tcp closed amt-redir-tcp
16995/tcp closed amt-redir-tls

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
[pkb@beans ~]$
While this makes sense (AMT is designed to manage servers out of band), it can sometimes be easy to forget.
If the scan shows that port 16992 or 16993 is open, you should be able to open a connection to the simple AMT web interface using a web browser. For example, the previous scan of 192.168.7.57 showed that port 16992 was open, which indicates that an HTTP connection (http://192.168.7.57:16992/) should work. However, since port 16993 was shown as closed, we would not expect an HTTPS connection to work (https://192.168.7.57:16993/ will fail). Keep in mind what that means: the web interface on 16992 authenticates with HTTP Digest, so the password itself is not sent in the clear, but everything else in the session, including the settings you view and change, crosses the network unencrypted. If the system is going to be managed over anything but an isolated network, configure TLS in AMT so that 16993 becomes available and use that instead.
Again, you will need to be on a different system in order to access the AMT web interface of the system you want to connect to.
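The scan-and-check routine above can be automated. The following Python script is an added example (it is not code from this page or from the NST project): it reads an nmap XML report (produced with -oX), lists every host with an AMT port open, reports the role of each open port, the web interface URL to try, and flags systems that are only reachable over plaintext. The embedded report is constructed by hand: the first host mirrors the scan of 192.168.7.57 above, while 192.168.7.58 and 192.168.7.60 are made-up addresses added for contrast. The port roles in the table are the standard AMT port assignments and are not something the page itself states.

```python
"""Inventory Intel AMT exposure from an nmap XML report.

Added example, not code from the NST page or project. Produce real input with
  nmap -Pn -p 623,664,5900,9971,16992-16995 -oX amt.xml 192.168.7.0/24
run from a different host than the ones being inventoried, then pass the
file name as the first argument. With no argument the constructed sample
report below is used.
"""
import sys
import xml.etree.ElementTree as ET

# Role of each AMT-related port and whether the service runs over TLS.
AMT_PORTS = {
    623:   ("WS-Management over HTTP", False),
    5900:  ("AMT KVM server in standard VNC mode", False),
    16992: ("AMT web interface / WS-Management over HTTP", False),
    16993: ("AMT web interface / WS-Management over HTTPS", True),
    16994: ("AMT redirection (SOL, IDE-R, KVM), plaintext", False),
    16995: ("AMT redirection (SOL, IDE-R, KVM), TLS", True),
}

# Constructed sample report: host .57 mirrors the scan above, the other two
# addresses are invented for contrast (TLS-only AMT, and no AMT at all).
SAMPLE_XML = b"""<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -p 623,664,5900,9971,16992-16995 -oX - 192.168.7.0/24">
<host><status state="up"/><address addr="192.168.7.57" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="623"><state state="open"/></port>
<port protocol="tcp" portid="664"><state state="closed"/></port>
<port protocol="tcp" portid="5900"><state state="open"/></port>
<port protocol="tcp" portid="9971"><state state="closed"/></port>
<port protocol="tcp" portid="16992"><state state="open"/></port>
<port protocol="tcp" portid="16993"><state state="closed"/></port>
<port protocol="tcp" portid="16994"><state state="open"/></port>
<port protocol="tcp" portid="16995"><state state="closed"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.7.58" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="16993"><state state="open"/></port>
<port protocol="tcp" portid="16995"><state state="open"/></port>
</ports></host>
<host><status state="up"/><address addr="192.168.7.60" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/></port>
</ports></host>
</nmaprun>
"""


def parse_nmap_xml(report):
    """Return {ipv4: {port: state}} for every host in an nmap -oX report."""
    if isinstance(report, str):
        report = report.encode()
    hosts = {}
    for host in ET.fromstring(report).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("protocol") == "tcp" and state is not None:
                ports[int(port.get("portid"))] = state.get("state")
        hosts[addr.get("addr")] = ports
    return hosts


def assess_amt(ip, ports):
    """Describe one host's AMT exposure, or return None if no AMT port is open."""
    open_amt = sorted(p for p in AMT_PORTS if ports.get(p) == "open")
    if not open_amt:
        return None
    tls_open = any(AMT_PORTS[p][1] for p in open_amt)
    plain_open = any(not AMT_PORTS[p][1] for p in open_amt)
    web_ui = []
    if 16992 in open_amt:
        web_ui.append(f"http://{ip}:16992/")
    if 16993 in open_amt:
        web_ui.append(f"https://{ip}:16993/")
    return {
        "open": {p: AMT_PORTS[p][0] for p in open_amt},
        "web_ui": web_ui,
        # Plaintext services offered and no TLS service at all: every
        # management session to this host is readable on the wire.
        "plaintext_only": plain_open and not tls_open,
    }


def inventory(report):
    """Map each AMT-enabled host in the report to its assessment."""
    result = {}
    for ip, ports in parse_nmap_xml(report).items():
        finding = assess_amt(ip, ports)
        if finding is not None:
            result[ip] = finding
    return result


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_XML
    for ip, finding in inventory(data).items():
        print(ip + ("  PLAINTEXT ONLY" if finding["plaintext_only"] else ""))
        for port, role in finding["open"].items():
            print(f"  {port}/tcp  {role}")
        for url in finding["web_ui"]:
            print(f"  web UI: {url}")
```

Remember the point made above: run the scan from a machine other than the ones you are inventorying, or every AMT port will show as closed and the host will be missing from the report.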
Headless Configuration
Enabling KVM (VNC) Without A Monitor
The default BIOS setting for the Intel NUC7i7DNHE made it impossible to manage the system using VNC unless a monitor was physically plugged into the system. We found that we needed to go into the BIOS and configure the display for Headless operation (display emulation); we made this change from a remote VNC session running in meshcommander.
Enabling KVM (VNC) Without A Keyboard
We also found that if we used the meshcommander web interface to power our NUC directly into the BIOS, we could only view the screen over the VNC connection, not interact with it, unless a USB keyboard/mouse was physically connected to the system. While we were unable to find a BIOS setting to address this issue, we did find a suitable workaround. Instead of issuing a command to power up directly into the BIOS, we did the following:
- Started a VNC session to the AMT system (using the meshcommander web interface).
- Powered up the system remotely (using the meshcommander web interface).
- Pressed the F2 key at the boot screen when it appeared in our VNC session to enter the BIOS.
Entering the BIOS in this manner fooled the system into thinking that our VNC connection was providing the necessary keyboard/mouse to control the BIOS settings.
Additional Hardware Notes
Running gnome-disks to benchmark the disk read speed showed that the Samsung 970 EVO NVMe SSD was operating at about half speed. While the access times looked good, the transfer rates looked slow (at least compared to what you would expect from a 970 EVO). After a bit of googling, it looks like this is a known issue with this combination (see: https://communities.intel.com/thread/126725). Hopefully there will be a BIOS update that addresses this in the near future.
Linux Tools
MeshCommander
The MeshCommander project (see: http://www.meshcommander.com/meshcommander) provides an incredible tool for working with Intel vPro AMT systems on your network. It works as follows:
- You install the npm and nodejs packages for your platform on the system that will act as the central manager.
- You npm install the meshcommander package.
- You start the meshcommander server.
- You point your browser at http://127.0.0.1:3000/ (or at the host's IPv4 address if you started the server with the --any option, which binds it to all interfaces; anyone who can reach that port can then use the console, so only do this on a trusted network).
- Using the web interface, you add and manage the Intel AMT systems on your LAN.
Once a system has been successfully added and configured, you can bring up an out-of-band serial console or remote desktop (VNC) session to each managed system.
For more information about setting up and running the meshcommander server, see: https://www.npmjs.com/package/meshcommander. The server is fairly light and can run on minimal hardware if desired (we have run it on a Raspberry Pi 3 to manage Intel systems on the network).
The amtterm Package
The amtterm package is available in Fedora, but it does not pull in every dependency its tools need (see the note on amttool below). To install:
sudo yum install amtterm
It provides the amtterm, gamt and amttool utilities and maybe most importantly, the amt-howto man page.
Both amtterm and gamt can be used to connect to the out-of-band serial port (serial-over-LAN) of an Intel system with AMT support, provided out-of-band serial access is enabled. The amtterm utility is a console application, whereas gamt is a GUI version.
The amttool utility relies on the older SOAP interface that is no longer supported in recent AMT releases, which have moved to WS-Management. If you need to use this tool (most likely you won't), you will also need to install the perl-SOAP-Lite package.
The mei-amt-check Tool
The AMT Status Checker for Linux (mei-amt-check) tool is a simple command that allows you to detect whether or not your Intel based system supports Intel's vPro AMT out-of-band management, and if so whether it has been provisioned and which firmware version it is running. It talks to the Management Engine over the local MEI device, so unlike the nmap scan above it is run on the system being checked. The following shows what the command reports on a system with AMT support (an Intel NUC7i7DNHE):
[pkb@beans ~]$ sudo /usr/sbin/mei-amt-check
AMT present: true
AMT provisioning state: provisioned
Flash: 11.8.50
Netstack: 11.8.50
AMTApps: 11.8.50
AMT: 11.8.50
Sku: 16392
VendorID: 8086
Build Number: 3425
Recovery Version: 11.8.50
Recovery Build Num: 3425
Legacy Mode: False
[pkb@beans ~]$
The following shows what the tool displays on an Intel based system that does not have AMT support:
[pkb@refritos ~]$ sudo /usr/sbin/mei-amt-check
Error: Management Engine refused connection. This probably means you don't have AMT
[pkb@refritos ~]$
Information for building and running this handy tool can be found at: https://github.com/mjg59/mei-amt-check.
Starting with NST 28, the NST source code contains the tools to build an mei-amt-check package.
WS Management Command Line Interface
The wsmancli package provides the wsman and wsevtmgr utilities, which can be used to query and monitor AMT based systems. To install:
sudo yum install wsmancli
These tools are a bit difficult to use. Here is an example of using the wsman command to get identity information from an AMT based system (change AMT_PASS to the password your AMT system requires and 192.168.8.13 to the IPv4 address of your AMT based system). Two things are worth keeping in mind: exporting the password puts it in your shell's environment and in your shell history, and port 623 is plaintext HTTP, so everything except the Digest-protected password is visible on the wire. The SecurityProfiles list in the response tells you which authentication and transport combinations the firmware supports, in particular whether the https (TLS) profiles are there at all.
[pkb@refritos ~]$ export WSMAN_PASS=AMT_PASS
[pkb@refritos ~]$ export WSMAN_USER=admin
[pkb@refritos ~]$ wsman -h 192.168.8.13 -P 623 identify
<?xml version="1.0" encoding="UTF-8"?>
<a:Envelope xmlns:a="http://www.w3.org/2003/05/soap-envelope" xmlns:b="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd" xmlns:c="http://schemas.dmtf.org/wbem/dash/1/dash.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <a:Header/>
  <a:Body>
    <b:IdentifyResponse>
      <b:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</b:ProtocolVersion>
      <b:ProductVendor>Intel(r)</b:ProductVendor>
      <b:ProductVersion>AMT 11.8</b:ProductVersion>
      <c:DASHVersion>1.0.0</c:DASHVersion>
      <b:SecurityProfiles>
        <b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/digest</b:SecurityProfileName>
        <b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/https/digest</b:SecurityProfileName>
        <b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/https/mutual/digest</b:SecurityProfileName>
        <b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/spnego-kerberos</b:SecurityProfileName>
        <b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/https/spnego-kerberos</b:SecurityProfileName>
        <b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/https/mutual/spnego-kerberos</b:SecurityProfileName>
      </b:SecurityProfiles>
    </b:IdentifyResponse>
  </a:Body>
</a:Envelope>
[pkb@refritos ~]$
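The same Identify exchange can be done without wsmancli. The following Python script is an added example (it is not code from this page, from wsmancli or from Intel): it builds the DMTF WS-Management Identify envelope, POSTs it to AMT's /wsman endpoint with HTTP Digest authentication using only the standard library, and parses the IdentifyResponse into the fields that matter in practice (vendor, firmware version, DASH version, and which security profiles, in particular the TLS ones, the firmware supports). The embedded reply is the response captured above. The /wsman path and the envelope shape follow the DMTF WS-Management specification, and the network function has not been run against hardware here, so treat those two points as assumptions to verify; the parser is exercised against the captured reply.

```python
"""Build a WS-Management Identify request and parse an Intel AMT reply.

Added example, not code from the NST page, wsmancli or Intel. Usage:
  python3 amt_identify.py 192.168.8.13 admin      (password is prompted for)
With no arguments it parses the reply captured on the page.
"""
import getpass
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsmid": "http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd",
    "dash": "http://schemas.dmtf.org/wbem/dash/1/dash.xsd",
}

# DMTF WS-Management Identify: an empty wsmid:Identify element in the body.
IDENTIFY_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<s:Envelope xmlns:s="{s}" xmlns:wsmid="{wsmid}">'
    "<s:Header/><s:Body><wsmid:Identify/></s:Body></s:Envelope>"
).format(**NS)

# Reply captured from the AMT 11.8 system on the page (whitespace removed).
SAMPLE_REPLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<a:Envelope xmlns:a="http://www.w3.org/2003/05/soap-envelope" xmlns:b="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd" xmlns:c="http://schemas.dmtf.org/wbem/dash/1/dash.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<a:Header/><a:Body><b:IdentifyResponse>
<b:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</b:ProtocolVersion>
<b:ProductVendor>Intel(r)</b:ProductVendor>
<b:ProductVersion>AMT 11.8</b:ProductVersion>
<c:DASHVersion>1.0.0</c:DASHVersion>
<b:SecurityProfiles>
<b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/digest</b:SecurityProfileName>
<b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/https/digest</b:SecurityProfileName>
<b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/https/mutual/digest</b:SecurityProfileName>
<b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/spnego-kerberos</b:SecurityProfileName>
<b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/https/spnego-kerberos</b:SecurityProfileName>
<b:SecurityProfileName>http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/https/mutual/spnego-kerberos</b:SecurityProfileName>
</b:SecurityProfiles>
</b:IdentifyResponse></a:Body></a:Envelope>
"""


def parse_identify(reply):
    """Extract vendor, versions and security profiles from an IdentifyResponse."""
    if isinstance(reply, str):
        reply = reply.encode()
    resp = ET.fromstring(reply).find(".//wsmid:IdentifyResponse", NS)
    if resp is None:
        raise ValueError("reply contains no IdentifyResponse")

    def text(path):
        el = resp.find(path, NS)
        return el.text if el is not None else None

    # Keep only the part after /secprofile/, e.g. "https/mutual/digest".
    profiles = [
        el.text.rsplit("/secprofile/", 1)[-1]
        for el in resp.findall("wsmid:SecurityProfiles/wsmid:SecurityProfileName", NS)
    ]
    return {
        "vendor": text("wsmid:ProductVendor"),
        "version": text("wsmid:ProductVersion"),
        "dash": text("dash:DASHVersion"),
        "profiles": profiles,
        # Only the https/* profiles protect the session; http/* is plaintext.
        "tls_profiles": [p for p in profiles if p.startswith("https/")],
        "kerberos": any("kerberos" in p for p in profiles),
    }


def identify(host, user, password, port=16992, tls=False, verify=True, timeout=10):
    """POST Identify to AMT's /wsman endpoint with HTTP Digest auth (assumed path)."""
    url = f"{'https' if tls else 'http'}://{host}:{port}/wsman"
    pw_mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    pw_mgr.add_password(None, url, user, password)
    handlers = [urllib.request.HTTPDigestAuthHandler(pw_mgr)]
    if tls and not verify:
        # AMT usually presents a self-signed certificate. Skipping verification
        # is only acceptable on a trusted network; pinning the cert is better.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        handlers.append(urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(
        url,
        data=IDENTIFY_REQUEST.encode(),
        headers={"Content-Type": "application/soap+xml;charset=UTF-8"},
        method="POST",
    )
    with urllib.request.build_opener(*handlers).open(req, timeout=timeout) as resp:
        return parse_identify(resp.read())


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        info = identify(sys.argv[1], sys.argv[2], getpass.getpass("AMT password: "))
    else:
        info = parse_identify(SAMPLE_REPLY)
    for key, value in info.items():
        print(f"{key}: {value}")
```

Prompting for the password with getpass avoids leaving it in the environment or in shell history, which is the main practical advantage over the export commands above; pass port=16993 and tls=True once TLS has been configured on the AMT system so that the whole exchange, not just the password, is protected.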