一、用root账号登录并生成token

1.创建一个用例，路径是 https://IP/login，post方法
2.声明数据格式，在Header的Tab页中输入一组key/value
Content-Type/ application/json
3.为登录口令创建加密串，openbmc登录用的加密串，将生成的串存储为参数。
在pre-request-script的Tab页输入

var pw = CryptoJS.enc.Utf8.parse(“xxx”)
var base64 = CryptoJS.enc.Base64.stringify(pw)
pm.environment.set(“originPassword”, base64)

4.输入post方法的参数，使用上一步生成的originPassword参数
在Body的Tab页输入

{“username” : “root”, “password” : “{ {originPassword} }” }

5.完成测试代码，并生成root-token全局变量，这个变量可以在所有的用例中作为登录认证来使用
在Test的Tab页输入

经常要将bmcweb的git库同步到编译服务器上，并更新服务器上的commit号，太繁琐，忍无可忍，拼凑了几个脚本，可以实现自动同步git库和更新commit号的功能，记下来，供大家参考。

主体是4个脚本，不会写大脚本，分开写，再合并为一个脚本命令一键执行,所有脚本创建后都要chmod +x *.sh授予执行权限。

脚本及以下操作都在本地的bmcweb目录中进行。

先查看本地bmcweb中.git/config文件配置如下：

[core]

        repositoryformatversion = 0

        filemode = true

        bare = false

        logallrefupdates = true

[remote "origin"]

        url = git@192.168.x.x:openbmc-v28/github.com.openbmc.bmcweb.git

        fetch = +refs/heads/*:refs/remotes/origin/*

[remote "v28"]

        url = kunlun@192.168.x.18:/home/kunlun/rxsunSource/openbmc-v28/build/downloads/git2/github.com.openbmc.bmcweb.git/

        fetch = +refs/heads/*:refs/remotes/origin/*

[branch "master"]

        remote = origin

        merge = refs/heads/master

[credential]

        helper = store
```

其中的v28远程库对应着编译服务器，origin对应着gitlab开发服务器，这里不用。

第一个脚本01-git-push.sh 是将本地的git库push到服务器上，push的目的地v28，-f选项是强制提交，bios是v28远程库所在机器的用户kunlun的口令

###01-git-push.sh

#!/usr/bin/expect

spawn git push v28 master -f

expect "password"

send "bios\r"

expect eof

第二个脚本02-scp-from-18.sh 是将v28服务器上的bmcweb_git.bb复制到本地bmcweb目录下

###02-scp-from-18.sh

#!/usr/bin/expect

spawn scp kunlun@192.168.x.18:/home/kunlun/rxsunSource/openbmc-v28/meta-phosphor/recipes-phosphor/interfaces/bmcweb_git.bb .

expect "password"

send "bios\r"

expect eof

第三个脚本03-sed-commitId.sh 是将bmcweb_git.bb中commit号替换为最新的commit号，因为sed不能保存，所以重定向到临时文件再重命名

###03-sed-commitId.sh

#!/bin/bash

newCommitId=`git rev-parse HEAD`

originCommitId=`cat bmcweb_git.bb | grep SRCREV | gawk -F= '{ print $2}' | sed 's/"//g'`

echo change $originCommitId to  $newCommitId

sed  "s/$originCommitId/$newCommitId/g"  bmcweb_git.bb > bmcweb_git.bb.tmp

mv bmcweb_git.bb.tmp bmcweb_git.bb

第四个脚本04-scp-to-18.sh 是将改后的bmcweb_git.bb拷贝到远程服务器上，可以覆盖目的地的同名文件

###04-scp-to-18.sh

#!/usr/bin/expect

spawn scp   bmcweb_git.bb  kunlun@192.168.x.18:/home/kunlun/rxsunSource/openbmc-v28/meta-phosphor/recipes-phosphor/interfaces/

expect "password"

send "bios\r"

expect eof

将以上四个脚本的执行命令写到一个文件里，命名为a.sh ，记得执行chmod +x a.sh

./01-git-push.sh && ./02-scp-from-18.sh && ./03-sed-commitId.sh && ./04-scp-to-18.sh

执行时只要./a.sh就可以完成以前的很多步操作。

使用注意事项：

1.配置本地的.git/config文件，添加编译服务器的目录为远程库;

2.将01-git-push.sh中的“spawn git push v28 master -f”的“v28”改自己的远程库名称;

3.在02-scp-from-18.sh、03-sed-commitId.sh和04-scp-to-18.sh中bb文件的位置和名称，要替换成自己工作文件的位置和名称;

4.将所有send后面的bios替换为自己远程库用户的口令;

5.我的有些服务器可接受客户端公钥文件内容到authorized_keys中，免口令scp，也可以先自己服务器上尝试一下；

6.本地机器上需要有expect包，用apt-get install expect安装。

为bmc在0.6上开一个用户:

useradd -d /home/bmc -s /sbin/nologin bmc
usermod -g ftpuser bmc
以及 zkxiao jdzhang htliu

vi /etc/vsftpd/vsftpd.conf
主要参数:
chroot_local_user=YES —只能访问自己的目录
chroot_list_enable=YES 可以跃出自己的目录
chroot_list_file=/etc/vsftpd/chroot_list (但是chroot_list 的内容为空)
userlist_enable=YES —-写每个用户的固有目录
user_config_dir=/etc/vsftpd/userconfig
在userconfig目录下 vim zhaoxin 写一行 local_root=/home/zhaoxin
同样vim bmc 写一行 local_root=/home/bmc

systemctl restart vsftpd

以下是为了改为默认的被动模式:
vi /etc/vsftpd/vsftpd.conf
pasv_enable=YES
pasv_min_port=10060
pasv_max_port=10090
再开放端口
[root@kunlunweb userconfig]# firewall-cmd –permanent –zone=public –add-port=10060-10090/tcp
success
[root@kunlunweb userconfig]# firewall-cmd –reload
success

openbmc的新版webui有
升级openssl、如何自己创建证书、配置证书到服务器和自建CA。

验证版本

kunlun@kunlunsec:$ mkdir certificate_bmc
kunlun@kunlunsec:$ cd certificate_bmc/
kunlun@kunlunsec:~/certificate_bmc$ openssl version -a
OpenSSL 1.1.0h 27 Mar 2018 (Library: OpenSSL 1.1.1c 28 May 2019)
built on: Fri May 31 12:25:41 2019 UTC
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,–noexecstack -Wall -Wa,–noexecstack -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: “/usr/lib/ssl”
ENGINESDIR: “/usr/lib/x86_64-linux-gnu/engines-1.1”

要求版本大于1.0.1g，本机是OpenSSL 1.1.1c

生成私钥

使用命名openssl genrsa -des3 -out private.key 2048
其中-des3代表加上了加密，后面的2048是代表生成的密钥的位数
kunlun@kunlunsec:~/certificate_bmc$ openssl genrsa -des3 -out private.key 2048
Generating RSA private key, 2048 bit long modulus
……+++++
……………+++++
e is 65537 (0x010001)
Enter pass phrase for private.key:
Verifying - Enter pass phrase for private.key:
这里的口令随意输入，比如dddd。

kunlun@kunlunsec:~/certificate_bmc$ ll –查看文件名
-rw——- 1 kunlun kunlun 1751 8月 30 15:32 private.key

可见，private.key是个私钥文件。

生成证书请求

kunlun@kunlunsec:~/certificate_bmc$ openssl req -new -key private.key -out server.cs
Enter pass phrase for private.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:192.168.200.40
Email Address []:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

只有第一个输入口令“dddd”，以及Common Name输入了服务器地址，其它都回车了。

kunlun@kunlunsec:~/certificate_bmc$ ll
-rw——- 1 kunlun kunlun 1751 8月 30 15:32 private.key
-rw-rw-r– 1 kunlun kunlun 993 8月 30 15:43 server.csr

可见，server.csr是个请求文件。

生成服务器的私钥

kunlun@kunlunsec:/certificate_bmc$ openssl rsa -in private.key -out server.key
Enter pass phrase for private.key:
writing RSA key
口令还是“dddd”
kunlun@kunlunsec:/certificate_bmc$ ll
-rw——- 1 kunlun kunlun 1751 8月 30 15:32 private.key
-rw-rw-r– 1 kunlun kunlun 993 8月 30 15:43 server.csr
-rw——- 1 kunlun kunlun 1679 8月 30 15:46 server.key

可见，server.key 是个服务器的私钥文件。

使用私钥为证书请求签名，生成给服务器签署的证书，格式是x509的PEM格式

kunlun@kunlunsec:/certificate_bmc$ openssl x509 -req -in server.csr -out server.crt -outform pem -signkey server.key -days 3650
Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 192.168.200.40
Getting Private key
kunlun@kunlunsec:/certificate_bmc$ ll
-rw——- 1 kunlun kunlun 1751 8月 30 15:32 private.key
-rw-rw-r– 1 kunlun kunlun 1176 8月 30 15:49 server.crt
-rw-rw-r– 1 kunlun kunlun 993 8月 30 15:43 server.csr
-rw——- 1 kunlun kunlun 1679 8月 30 15:46 server.key

可见，server.crt是给服务器的签过名的证书文件

将这些文件移动到目录新创建的privateKey中。

因为bmcserver只认可pem证书，而且要用CA证书进行签名，而不是用自己的私钥为证书请求签名，上面生成的server.crt不能用户bmcserver，能用于普通的http等服务器。

下面使用CA.pl创建CA根证书

查找openssl.cnf文件

kunlun@kunlunsec:/certificate_bmc$ ll /usr/lib/ssl/
总用量 20
drwxr-xr-x 3 root root 4096 10月 18 2018 ./
drwxr-xr-x 174 root root 12288 8月 8 14:43 ../
lrwxrwxrwx 1 root root 14 3月 17 2017 certs -> /etc/ssl/certs/
drwxr-xr-x 2 root root 4096 10月 18 2018 misc/
lrwxrwxrwx 1 root root 20 5月 12 2018 openssl.cnf -> /etc/ssl/openssl.cnf
lrwxrwxrwx 1 root root 16 3月 17 2017 private -> /etc/ssl/private/
kunlun@kunlunsec:/certificate_bmc$ vim /usr/lib/ssl/openssl.cnf
核实default_bits=2048

创建私钥和证书

执行./CA.pl -newca命令
CA.pl会使用/usr/lib/ssl/openssl.cnf中的配置来创建私钥和证书。
创建CA证书过程中，不输入信息，直接回车，填写加密私钥的密码和生成CA证书的相关信息。
创建完之后会生成demoCA目录，查看

kunlun@kunlunsec:~/certificate_bmc$ ./CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate …

openssl req -new -keyout ./demoCA/private/cakey.pem -out ./demoCA/careq.pem
Generating a 2048 bit RSA private key
……………………………………………………………………………….+++++
…………+++++
writing new private key to ‘./demoCA/private/cakey.pem’
Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

Country Name (2 letter code) [AU]:CHINA
string is too long, it needs to be no more than 2 bytes long
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:BEIJING
Locality Name (eg, city) []:BEIJING
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ZDKJ
Organizational Unit Name (eg, section) []:BIOS
Common Name (e.g. server FQDN or YOUR name) []:192.168.200.40
Email Address []:sunleaf2002@126.com

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:dddd
An optional company name []:zdkj

==> 0

====
openssl ca -create_serial -out ./demoCA/cacert.pem -days 1095 -batch -keyfile ./demoCA/private/cakey.pem -selfsign -extensions v3_ca -infiles ./demoCA/careq.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Can’t open ./demoCA/index.txt.attr for reading, No such file or directory
139984384927488:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen(‘./demoCA/index.txt.attr’,’r’)
139984384927488:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
8b:a7:7b:6f:f9:07:db:81
Validity
Not Before: Aug 30 08:47:46 2019 GMT
Not After : Aug 29 08:47:46 2022 GMT
Subject:
countryName = CH
stateOrProvinceName = BEIJING
organizationName = ZDKJ
organizationalUnitName = BIOS
commonName = 192.168.200.40
emailAddress = sunleaf2002@126.com
X509v3 extensions:
X509v3 Subject Key Identifier:
9B:8F:B3:47:98:55:F8:42:3F:82:F3:C4:EF:55:19:E3:37:D2:AE:85
X509v3 Authority Key Identifier:
keyid:9B:8F:B3:47:98:55:F8:42:3F:82:F3:C4:EF:55:19:E3:37:D2:AE:85
X509v3 Basic Constraints: critical
CA:TRUE
Certificate is to be certified until Aug 29 08:47:46 2022 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

==> 0

CA certificate is in ./demoCA/cacert.pem

输入口令的地方都是“dddd”。

kunlun@kunlunsec:/certificate_bmc$ sudo openssl genrsa -des3 -out private.key 2048
Generating RSA private key, 2048 bit long modulus
………………….+++++
…………………………………………………………………+++++
e is 65537 (0x010001)
Enter pass phrase for private.key:
Verifying - Enter pass phrase for private.key:
kunlun@kunlunsec:/certificate_bmc$ sudo openssl req -new -key private.key -out server.csr
Enter pass phrase for private.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:BEIJING
Locality Name (eg, city) []:BEIJING
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ZDKJ
Organizational Unit Name (eg, section) []:BIOS
Common Name (e.g. server FQDN or YOUR name) []:192.168.200.40
Email Address []:sunleaf2002@126.com

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:dddd
An optional company name []:zdkj

kunlun@kunlunsec:/certificate_bmc$ sudo openssl rsa -in private.key -out server.key
Enter pass phrase for private.key:
writing RSA key
kunlun@kunlunsec:/certificate_bmc$ cp server.csr newreq.pem
kunlun@kunlunsec:~/certificate_bmc$ ll
总用量 40
drwxrwxr-x 4 kunlun kunlun 4096 8月 30 16:51 ./
drwxr-xr-x 54 kunlun kunlun 4096 8月 30 15:28 ../
-rwxrwxrwx 1 kunlun kunlun 6754 8月 30 16:00 CA.pl*
drwxrwxr-x 6 kunlun kunlun 4096 8月 30 16:47 demoCA/
-rw-r–r– 1 kunlun kunlun 1110 8月 30 16:51 newreq.pem
-rw——- 1 root root 1751 8月 30 16:50 private.key
drwxrwxr-x 2 kunlun kunlun 4096 8月 30 16:35 privateKey/
-rw-r–r– 1 root root 1110 8月 30 16:50 server.csr
-rw——- 1 root root 1679 8月 30 16:51 server.key

kunlun@kunlunsec:~/certificate_bmc$ ./CA.pl -sign

openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
8b:a7:7b:6f:f9:07:db:82
Validity
Not Before: Aug 30 08:51:43 2019 GMT
Not After : Aug 29 08:51:43 2020 GMT
Subject:
countryName = CH
stateOrProvinceName = BEIJING
localityName = BEIJING
organizationName = ZDKJ
organizationalUnitName = BIOS
commonName = 192.168.200.40
emailAddress = sunleaf2002@126.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B6:25:F8:1C:62:AC:23:0B:67:C2:E7:56:88:D4:1E:0D:BF:AE:F4:58
X509v3 Authority Key Identifier:
keyid:9B:8F:B3:47:98:55:F8:42:3F:82:F3:C4:EF:55:19:E3:37:D2:AE:85

Certificate is to be certified until Aug 29 08:51:43 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

==> 0

Signed certificate is in newcert.pem
kunlun@kunlunsec:~/certificate_bmc$ ll
-rwxrwxrwx 1 kunlun kunlun 6754 8月 30 16:00 CA.pl*
drwxrwxr-x 6 kunlun kunlun 4096 8月 30 16:52 demoCA/
-rw-rw-r– 1 kunlun kunlun 4669 8月 30 16:52 newcert.pem
-rw-r–r– 1 kunlun kunlun 1110 8月 30 16:51 newreq.pem
-rw——- 1 root root 1751 8月 30 16:50 private.key
drwxrwxr-x 2 kunlun kunlun 4096 8月 30 16:35 privateKey/
-rw-r–r– 1 root root 1110 8月 30 16:50 server.csr
-rw——- 1 root root 1679 8月 30 16:51 server.key

以上参考了
https://blog.csdn.net/pz0605/article/details/51954876

服务器192.×.×.84，客户端192.×.×.86

在84机器上

安装nbd-server
sudo apt install nbd-server

创建一个300MB的文件当做块设备
/home/kunlun/rxsunSource/tmp下执行
dd if=/dev/zero of=nbd-disk0 bs=104857600 count=3

编译老版本同方代码:

1.注意要替换为meta-haiguang2的环境变量

export TEMPLATECONF=meta-haiguang/meta-haiguang2/conf/

2.报错

pflash的库就是skiboot库 是skiboot中的一部分
WARNING: pflash-v6.1-r0 do_fetch: Failed to fetch URL git://github.com/open-power/skiboot.git;nobranch=1, attempting MIRRORS if available
ERROR: pflash-v6.1-r0 do_fetch: Fetcher failure: Unable to find revision bb7ae1ade9e06a854771b8ed1e26f7d58b508e84 in branch master even from upstream
ERROR: pflash-v6.1-r0 do_fetch: Fetcher failure for URL: ‘git://github.com/open-power/skiboot.git;nobranch=1’. Unable to fetch URL from any source.
ERROR: pflash-v6.1-r0 do_fetch: Function failed: base_do_fetch
ERROR: Logfile of failure stored in: /home/kunlun/rxsunSource/openbmc-origin/build/tmp/work/armv6-openbmc-linux-gnueabi/pflash/v6.1-r0/temp/log.do_fetch.65823
ERROR: Task (/home/kunlun/rxsunSource/openbmc-origin/meta-openpower/recipes-bsp/skiboot/pflash.bb:do_fetch) failed with exit code ‘1’
一直报错 核实各文件内容的一致性没有问题

一.环境:

1.gitlab代码库是中心代码服务器
2.编译服务器bmcCompileBak的openbmc/build/downloads/git2目录下是裸库
3.编译服务器bmcCompileBak的gitSource目录下是源代码,源代码库里的每一个.git/config文件中都有两个remote push地址,一个是缺省的master,指向中心代码库,另一个是手工增加的,命名为local,指向openbmc/build/downloads/git2里对应的裸库地址

二.思路

1.开发机器,例如kunlunsec上的改动能通过192.168.120.200中心代码服务器同步到编译服务器bmcCompileBak上的源代码库里
2.编译服务器bmcCompileBak上同步后的源代码库能推送(git push)到编译服务器bmcCompileBak下的/home/kunlun/rxsunSource/openbmc/build/downloads/git2

redhat7 自带git

生成公钥并放到git服务器上
ssh-keygen
cat ~/.ssh/id_rsa.pub 拷贝到gitlab服务器的用户ssh key下

克隆openbmc构建所用的库
mkdir ~/rxsunSource
cd rxsunSource
git clone git@192.168.*.200:openbmc/openbmc.git
cd openbmc

准备构建,报缺少python3的错,根据错误提示,总结出需要提前安装以下支撑软件

改ip地址:192.168.0.18
用cat /etc/sysconfig/network-scripts/ifcfg-em1 查看修改结果
在工作机器上 ssh root@192.168.0.18
root@192.168.0.18‘s password:
[root@localhost ~]#passwd 改root口令
[root@localhost ~]# hostnamectl status –查看机器名

 Static hostname: localhost.localdomain
       Icon name: computer-server
         Chassis: server
      Machine ID: *****************
         Boot ID: *****************
Operating System: Red Hat Enterprise Linux Server 7.5 (Maipo)
     CPE OS Name: cpe:/o:redhat:enterprise_linux:7.5:GA:server
          Kernel: Linux 3.10.0-862.el7.x86_64
    Architecture: x86-64

昨天看到80.82机器上的运行redmine服务器的虚拟机rxsunweb的空间不够,原来创建的时候只有30G,太小.
依次执行以下步骤进行扩容.

1.先关闭虚拟机
2.为了确保虚拟机的安全,另存一份进行操作.
拷贝rxsunweb虚拟机 从C:\Users\Administrator\VirtualBox VMs\rxsunweb到D:\virtualBox_redmine\rxsunweb
3.到虚拟机窗口的设置-存储-控制器菜单中添加一个磁盘文件 100G ，文件名为
D:\virtualBox_redmine\rxsunweb\redmine_disk_2.vdi，
原来的D:\virtualBox_redmine\rxsunweb\rxsunweb-disk2.vmdk 只有30G左右
4.启动虚拟机，进去看df –h