Purpose: This introduces a simplified view of the BMC's primary interfaces. It is intended to provide a reference suitable for a wide audience:
This section shows the BMC's primary interfaces and how they are related. It begins with the BMC's physical interfaces and moves toward abstractions such as network services. The intent is to show the interfaces essential to the OpenBMC project in a framework for reasoning about which interfaces are present and how they are related. This provides a foundation for reasoning about which interfaces can be disabled, how they are secured, and so on. The appendix gives details about each interface and service shown.
OpenBMC's services and the interfaces they provide are controlled by systemd. This document references OpenBMC systemd unit names to help link concepts to the source code. The reader is assumed to be familiar with systemd concepts. The templated units ("unit@.service") may be omitted for clarity. Relevant details from the unit file may be shown, such as the program which implements a service.
The OpenBMC Service Management interface can control systemd services. For example, disabling a BMC service will disable the corresponding external interface.
Diagrams are included to help visualize relationships. The diagrams show management agents on the left side, the BMC in the center, and host elements on the right side. The diagrams are simplified and are not intended to be complete.
This shows the BMC's physical connections including network, USB, UART serial, and connections to its host platform. This uses a simplified view of the host which shows only the host interfaces that connect directly to the BMC. A typical host would have additional connections for console, network, etc.
Interfaces between the BMC and its host platform vary considerably based on BMC and host platform implementation. The information presented in this section and its subsections is intended to illustrate common elements, not to represent any particular system. This section is intended to be referenced by additional documentation which gives details for specific BMC and host implementations.
    +----------------+         +----------------+
    | BMC            |         | Host           |
    |                |         |                |
    | Network       -+- LPC ---+-               |
    |  -+- eth0     -+--PCIe --+-               |
    |  -+- eth1     -+--UART --+-               |
    |  |   lo       -+- I2C ---+-               |
    |               -+--I3C ---+-               |
    | USB           -+- SPI ---+-               |
    |  -+- usb0     -+- PECI --+-               |
    |               -+- GPIOs -+-               |
    | Serial        -+- UTMI --+-               |
    |  -+- tty0      |         |                |
    |                |         |                |
    +----------------+         +----------------+
This lists protocols that operate over the BMC-host physical interfaces:
This lists specifications for the data which flows over the BMC-host transport protocols:
OpenBMC provides services via its management network. The default services are listed here by port number. More information about each service is given in sections below or in the appendix.
     +----------------------------------+
     | BMC                              |
     |                                  |
    -+-+ Network services               |
     | |                                |
     | +-+ TCP ports                    |
     | | +- 22 ssh - shell              |
     | | +- 80 HTTP (no connection)     |
     | | +- 443 HTTPS                   |
     | | +- 2200 ssh - host console     |
     | | +- 5355 mDNS service discovery |
     | |                                |
     | +-+ UDP ports                    |
     |   +- 427 SLP                     |
     |   +- 623 RMCP+ IPMI              |
     |   +- 5355 mDNS service discovery |
     |                                  |
     +----------------------------------+
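A practical use of the port list above is to check a running BMC against it. The script below is an added example, not code from the OpenBMC project: it parses the output of `ss -tulpn` (the sample output is constructed, not captured from a real BMC; the process names are illustrative) and reports listeners that are not in the documented default set, documented services that are not listening, and TCP 80 if it turns out to be open despite being listed as "no connection". The expected-port table is taken from the diagram; the classification rules are this example's own.

```python
"""Compare a BMC's listening sockets against the default OpenBMC port list."""
import re
from dataclasses import dataclass

# Default OpenBMC network services as listed in this document, keyed by
# (protocol, port). TCP 80 is listed too but is expected to be closed
# ("no connection") in the default BMCWeb build.
EXPECTED_LISTENING = {
    ("tcp", 22): "ssh - BMC shell",
    ("tcp", 443): "HTTPS - BMCWeb",
    ("tcp", 2200): "ssh - host console",
    ("tcp", 5355): "mDNS service discovery",
    ("udp", 427): "SLP",
    ("udp", 623): "RMCP+ IPMI",
    ("udp", 5355): "mDNS service discovery",
}
EXPECTED_CLOSED = {("tcp", 80): "HTTP (disabled in the default BMCWeb build)"}

# Constructed sample of `ss -tulpn` output; not captured from a real BMC.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:623         0.0.0.0:*         users:(("netipmid",pid=512,fd=5))
udp   UNCONN 0      0      [::]:5355           [::]:*            users:(("avahi-daemon",pid=200,fd=12))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("dropbear",pid=300,fd=4))
tcp   LISTEN 0      128    *:443               *:*               users:(("bmcweb",pid=410,fd=7))
tcp   LISTEN 0      128    0.0.0.0:2200        0.0.0.0:*         users:(("dropbear",pid=301,fd=4))
tcp   LISTEN 0      5      0.0.0.0:8080        0.0.0.0:*         users:(("debug-srv",pid=999,fd=3))
"""

# Netid, State, Recv-Q, Send-Q, then "address:port" of the local socket.
SOCKET_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s"
)
PROCESS_RE = re.compile(r'\(\("(?P<name>[^"]+)"')


@dataclass(frozen=True)
class Listener:
    proto: str
    port: int
    addr: str
    process: str


def parse_ss(output):
    """Extract one Listener per tcp/udp line of `ss -tulpn` output."""
    listeners = []
    for line in output.splitlines():
        match = SOCKET_RE.match(line)
        if not match:
            continue  # header line or a line we do not understand
        proc = PROCESS_RE.search(line)
        listeners.append(Listener(match["proto"], int(match["port"]),
                                  match["addr"], proc["name"] if proc else "?"))
    return listeners


def audit(listeners, expected=EXPECTED_LISTENING, closed=EXPECTED_CLOSED):
    """Classify each listener as ok / unexpected / should_be_closed, and list
    documented services that are not listening at all (missing)."""
    seen = {(item.proto, item.port): item for item in listeners}
    report = {"ok": [], "unexpected": [], "should_be_closed": [], "missing": []}
    for key, item in seen.items():
        if key in expected:
            report["ok"].append(item)
        elif key in closed:
            report["should_be_closed"].append(item)
        else:
            report["unexpected"].append(item)
    report["missing"] = [key for key in expected if key not in seen]
    return report


if __name__ == "__main__":
    result = audit(parse_ss(SAMPLE_SS_OUTPUT))
    for item in result["unexpected"]:
        print(f"UNEXPECTED {item.proto}/{item.port} on {item.addr} ({item.process})")
    for proto, port in result["missing"]:
        print(f"MISSING    {proto}/{port} ({EXPECTED_LISTENING[(proto, port)]})")
```

On the constructed sample the script flags TCP 8080 (a service the document does not list) and notes that SLP on UDP 427 and mDNS on TCP 5355 are not listening. A missing service is not necessarily a problem, since a build or the Service Management interface may have disabled it deliberately; an unexpected listener is what deserves a closer look.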
Services provided to connected clients may use ports for:
This section lists network services used by OpenBMC systems. OpenBMC uses the typical services in the usual way, such as NTP, DNS, and DHCP. In addition, OpenBMC uses:
OpenBMC provides access to its host's serial console in various ways:
                    +---------------------------+    +-----------------+
                    | BMC                       |    | Host            |
      ipmitool sol  |                           |    |                 |
      activate      |                           |    |                 |
      UDP port 623 .... netipmid ------------}  |    |                 |
                    |                       }   |    |                 |
      ssh -p 2200 ... obmc-console-client  -}---+----+- serial UART    |
      TCP port 2200 |                       }   |    | console         |
                    |   hostlogger ----------}  |    |                 |
                    |                           |    |                 |
                    +---------------------------+    +-----------------+
The obmc-console entry in the appendix details how the host UART connection is abstracted within the BMC as a Unix domain socket.
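The fan-out shown in the diagram (one host UART feeding SOL, an ssh session and hostlogger at the same time) can be modelled in a few dozen lines. The class below is an added example, not code from obmc-console: it stands in for obmc-console-server, handing each attached consumer one end of a Unix socketpair instead of a named Unix domain socket so that it runs without a serial port or a filesystem path. The replay of recent output to a late-joining client and the dropping of a client whose socket has gone away are this example's own choices, not a description of what obmc-console-server does.

```python
"""Model of the host-console fan-out: one UART byte stream, many consumers."""
import socket


class ConsoleHub:
    """Stand-in for obmc-console-server. Every attached client receives a copy
    of whatever the host UART produces. The real server exposes a Unix domain
    socket; here each client is one end of an AF_UNIX socketpair (assumption
    made so the model runs offline with no serial device)."""

    def __init__(self, history_size=4096):
        self._clients = []           # hub-side socket for each attached client
        self._history = bytearray()  # recent console bytes, replayed on attach
        self._history_size = history_size

    def attach(self):
        """Attach a consumer (SOL, ssh session, hostlogger, ...). Returns the
        client-side socket; recent output is replayed so a late joiner sees
        the lines that scrolled by before it connected."""
        hub_side, client_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        if self._history:
            hub_side.sendall(bytes(self._history))
        self._clients.append(hub_side)
        return client_side

    def push_uart(self, data):
        """Deliver bytes read from the host UART to every live client and
        return how many clients remain. A client whose socket is gone is
        dropped rather than allowed to stall delivery to the others."""
        self._history += data
        del self._history[:-self._history_size]  # keep only the newest bytes
        still_alive = []
        for hub_side in self._clients:
            try:
                hub_side.sendall(data)
                still_alive.append(hub_side)
            except OSError:  # peer closed: EPIPE / ECONNRESET
                hub_side.close()
        self._clients = still_alive
        return len(self._clients)

    def client_count(self):
        return len(self._clients)


if __name__ == "__main__":
    hub = ConsoleHub()
    sol_session = hub.attach()      # e.g. netipmid serving "ipmitool sol activate"
    ssh_session = hub.attach()      # e.g. obmc-console-client behind ssh -p 2200
    hub.push_uart(b"login: ")       # constructed host output
    print(sol_session.recv(64), ssh_session.recv(64))
```

The security-relevant point the model makes visible is that every consumer sees the same bytes: anything typed at the host console (including credentials echoed by a misconfigured host) reaches hostlogger's file on the BMC as well as each remote session, so the console services in the diagram should be enabled only where that is acceptable.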
OpenBMC provides a custom HTTP/Web server called BMCWeb.
     +--------------------------------------------------+
     | BMC                                              |
     |                                                  |
    -+-+ Network services                               |
     | ++ TCP                                           |
     | +- 443 HTTPS - BMCWeb -> { static content        |
     | |                        { Web app (webui)       |
     | +- (other ports) <---+   { Redfish schema        |
     | |                    |   { /login                |
     | V                    |   { Redfish REST APIs     |
    -+- Websockets -+       |   { Phosphor REST APIs    |
     |              |       +<--{-- can set up:         |
     |              |           { KVM-IP, USB-IP,       |
     |           various        { Virtual Media         |
     |                                                  |
     +--------------------------------------------------+
In the diagram, the arrowheads represent the flow of control from web agents to BMCWeb APIs, some of which set up Websockets which give the network agent direct communication with the desired interface (not via BMCWeb).
Note that BMCWeb is configurable at compile time. This section describes the default configuration (which serves the HTTP application protocol over the HTTPS transport protocol on TCP port 443).
Services provided:
OpenBMC provides a host IPMI service.
    +---------------+    +-----------------+
    | BMC           |    | Host            |
    |               |    |                 |
    |        ipmid -+----+-                |
    |               |    |                 |
    +---------------+    +-----------------+
The IPMI firmware firewall (which aims to control which host commands and channels can be used) is not implemented in OpenBMC. There is support for a Phosphor host IPMI whitelist scheme.
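To make the whitelist idea concrete, the following is an added example and not code from phosphor-host-ipmid. It parses a whitelist written in a "0xNETFN:0xCMD  //comment" line format (assumed here to mirror the file the project reads; the sample list is constructed and much shorter than a real one), decodes a raw host request into NetFn, LUN and command as the IPMI specification lays them out, and decides whether the request passes when restriction mode is on. The choice to answer a blocked request with the specification's "insufficient privilege" completion code (0xD4) is this example's assumption, not a statement about what ipmid returns.

```python
"""Model of a host-IPMI command whitelist: which host-originated requests are
executed when the BMC enforces its restriction mode."""
import re
from dataclasses import dataclass

# Constructed whitelist in a "0xNETFN:0xCMD  //comment" line format, assumed
# to mirror the one phosphor-host-ipmid reads. Not the project's shipped list.
SAMPLE_WHITELIST = """\
# constructed sample, not the project's shipped whitelist
0x00:0x01    //<Chassis>:<Get Chassis Status>
0x04:0x2D    //<Sensor/Event>:<Get Sensor Reading>
0x06:0x01    //<App>:<Get Device ID>
0x0A:0x48    //<Storage>:<Get SEL Time>
"""

ENTRY_RE = re.compile(r"^\s*0x([0-9A-Fa-f]{2}):0x([0-9A-Fa-f]{2})")

# IPMI completion codes as defined in the IPMI 2.0 specification.
CC_OK = 0x00
CC_INSUFFICIENT_PRIVILEGE = 0xD4  # "Cannot execute command, insufficient privilege"


def parse_whitelist(text):
    """Return the set of (netfn, cmd) pairs allowed while restricted.
    Blank lines and lines without a 0xNN:0xNN prefix are ignored."""
    allowed = set()
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            allowed.add((int(match[1], 16), int(match[2], 16)))
    return allowed


@dataclass(frozen=True)
class Request:
    netfn: int
    lun: int
    cmd: int
    data: bytes


def decode_request(raw):
    """Decode a raw IPMI request as the host system interface presents it:
    byte 0 carries NetFn in its upper six bits and LUN in the lower two,
    byte 1 is the command, anything after that is request data."""
    if len(raw) < 2:
        raise ValueError("IPMI request needs at least NetFn/LUN and command bytes")
    return Request(netfn=raw[0] >> 2, lun=raw[0] & 0x03, cmd=raw[1], data=bytes(raw[2:]))


def filter_request(raw, allowed, restricted):
    """Return (request, completion_code): CC_OK when the command may run,
    CC_INSUFFICIENT_PRIVILEGE when restriction mode blocks it. When the BMC
    is not restricted every command passes this filter unchanged."""
    request = decode_request(raw)
    if restricted and (request.netfn, request.cmd) not in allowed:
        return request, CC_INSUFFICIENT_PRIVILEGE
    return request, CC_OK


if __name__ == "__main__":
    allowed = parse_whitelist(SAMPLE_WHITELIST)
    # Constructed requests: App/Get Device ID (0x18 = NetFn 6, LUN 0) and App/Cold Reset.
    for raw in (bytes([0x18, 0x01]), bytes([0x18, 0x02])):
        request, cc = filter_request(raw, allowed, restricted=True)
        print(f"netfn=0x{request.netfn:02x} cmd=0x{request.cmd:02x} -> cc=0x{cc:02x}")
```

The whitelist only narrows what the host can ask for while restriction mode is in effect; it says nothing about which channel a request arrived on, which is the part of the IPMI firmware firewall that OpenBMC does not implement.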
OpenBMC uses D-Bus interfaces as the primary way to communicate (inter-process communication) between OpenBMC applications. Note that other methods are used, for example Unix domain sockets.
    +--------------------------------------------------+
    | BMC                                              |
    |                                                  |
    |   +-------+                                      |
    |   | D-Bus |                                      |
    |   |      -+- bmcweb                              |
    |   |      -+- ipmid                               |
    |   |      -+- ...                                 |
    |   |      -+- many more (not shown here)          |
    |   |      -+- ...                                 |
    |   |       |                                      |
    |   +-------+                                      |
    |                                                  |
    +--------------------------------------------------+
To learn more, read the Phosphor D-Bus interface docs and search for README files in various subdirectories under the xyz/openbmc_project path.
This section lists each interface and service shown in this document. The intent is to give the relevance of each item and how to locate details in the source code.
This section shows variations in the operational environment of the BMC's management network.
The BMC may be connected to a network used to manage the BMC. This is dubbed the "management network" to distinguish it from the payload network the host system is connected to. These are typically separate networks.
               +-----------+     +----------------+
               | BMC       |     | Host           |
    management |           |     |                |
    network ---+- Network  |     |       Network -+- payload
               |           |     |                |  network
               +-----------+     +----------------+
The BMC may be served by a Network Controller Sideband Interface (NC-SI) which maintains a logically separate network from the host, as shown in this diagram:
               +-----------+     +----------------+
               | BMC       |     | Host           |
    management |           |     |                |
    network  +-+- Network  |     |       Network -+-+
             | |           |     |                | |
             | +-----------+     +----------------+ |
             |                                      |
             |         +------------------+         |
             |         | NIC              |         |
             |         |.........+        |         |
             +---------+- side-  :       -+---------+
         management ---+- band   :        |
          network      |.........+       -+- payload
                       +------------------+  network
The BMC's management network may be provided by its host system and have no direct connection external to the host, as shown in this diagram:
           +-----------+      +----------------+
           | BMC       |      | Host           |
           |           |      |                |
        +--+- Network  |      |       Network -+- payload
        |  |           |      |                |  network
        |  |           |   +--+- management    |
        |  |           |   |  |  network       |
        |  +-----------+   |  +----------------+
        |                  |
        +------------------+
The BMC's management network may be connected to USB (LAN over USB):
               +-----------+     +----------------+
               | BMC       |     | Host           |
           +-+ |           |     |                |
     USB --+---+- Network  |     |       Network -+- payload
           +-+ |           |     |                |  network
               |           |     |                |
               +-----------+     +----------------+
This gives access to the BMC's console, which provides such functions as controlling the BMC's U-Boot and then providing access to the BMC's shell. Contrast with the host serial console access.
This refers to the standard NIC and Linux network services on the BMC.
This refers to the SSH protocol which provides both secure shell (ssh) and secure copy (scp) access to the BMC. OpenBMC uses the Dropbear SSH implementation. Note that port 22 connects to the BMC's shell, while port 2200 connects to the host console.
OpenBMC supports the HTTP application protocol over HTTPS, both handled by the BMCWeb server. The "http" URI scheme is disabled by default but can be enabled at compile time by BMCWeb configuration options.
Refers to the BMC's access to its host's serial connection, which typically accesses the host system's console. See also obmc-console-server, which provides host serial access to various internal BMC services. Contrast with access to the BMC's serial connection, which provides access to the BMC's console.
Refers to the multicast discovery service (mDNS). For example, you can find the BMC via the avahi-browse -rt _obmc_rest._tcp command.
Refers to the unicast service discovery protocol provided by slpd. For example, you can find the BMC via the slptool -u ${ip} findsrvtypes (or findsrvs) command.
Refers to the RMCP+ protocol and IPMI implementation provided by netipmid, with source here: https://github.com/openbmc/phosphor-net-ipmid and some details provided by IPMI Session management. Network IPMI provides access to many resources including host IPMI access, SOL (access to the host console), and more. Also known as out-of-band IPMI. Contrast with host IPMI, which interacts with the host, and with Redfish, which provides alternate function.
The BMC's RMCP+ IPMI interface is designed to be operated by the ipmitool external command.
Refers to the host-facing IPMI service provided by the ipmid program with source here: https://github.com/openbmc/phosphor-host-ipmid. The systemd service is phosphor-ipmi-host, implemented by the ipmid program. Also known as in-band IPMI. Contrast with RMCP+, which faces the network, and with PLDM, which provides alternate function.
This refers to the BMC's command line interface, which defaults to the bash program provided via the /bin/sh path on the BMC's file system. Note that the shell (together with its utility programs) provides access to many of the BMC's internal and external interfaces.
This refers to support for multiple independent consoles in https://github.com/openbmc/obmc-console and two applications:

- obmc-console-server abstracts the host console (UART) connection as a Unix domain socket.
- obmc-console-client can connect a console to an SSH session.

Other applications use the console server.
Refers to the BMC service provided by the hostlogger program here: https://github.com/openbmc/phosphor-hostlogger which listens to the obmc-console-server and logs host console messages into the BMC's file system.
Refers to the custom HTTP/Web server with source here: https://github.com/openbmc/bmcweb Note that BMCWeb is configurable per https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt with build-time options to control which interfaces it provides. For example, there are configuration options to:
The webserver also sets up Secure Websockets for services such as KVM-IP, Virtual-USB, and more.
Refers to the set of Redfish REST APIs served by the BMCWeb web server. See details here: https://github.com/openbmc/bmcweb/blob/master/Redfish.md with docs here: https://github.com/openbmc/docs/blob/master/REDFISH-cheatsheet.md
Refers to the legacy REST APIs optionally served by the BMCWeb server. Docs: https://github.com/openbmc/docs/blob/master/REST-cheatsheet.md
Refers to the OpenBMC implementation of the Remote Frame Buffer (RFB, aka VNC) protocol which lets you operate the host system's keyboard, video, and mouse (KVM) remotely. See https://github.com/openbmc/obmc-ikvm/blob/master/README.md Also known as IPKvm. Do not confuse with Kernel Virtual Machine (the other KVM).
Also known as: remote media and USB-over-IP. Design: https://github.com/openbmc/docs/blob/master/designs/VirtualMedia.md Contrast with LAN-over-USB.
Also known as USB-over-IP, and helps implement virtual media. Contrast with the BMC and host physical USB ports.