Dell PowerEdge T20

i’ve bought 2x Dell PowerEdge T20 – they’ll serve as an HA pair of routers/vpn endpoints/file servers for a new office.

it was the first time i played with intel amt. it’s not bad, but not perfect either.

AMT

PowerEdge T20 with Xeon processors has AMT 9.0; getting it working took a while. first i had to activate it; to enter the MEBx setup i pressed ctrl+p just after computer start – when the dell logo is displayed. there i was asked for a password; i did not find one in dell’s public documentation so i’ve spent a while with their support on the phone; the default pass is: admin and it has to be changed to something that is: at least 8 letters long, contains at least 1 small letter, at least 1 capital letter, at least one number and at least one special char. once the MEBx [Intel Management Engine BIOS Extension] password is configured, in the same ctrl+p bios configuration i was able to:

  • activate kvm giving me remote access to the computer’s console using vnc over network
  • activate IDE redirection [manageability commander tool>remote control>take control]
  • disable the user consent needed to interact with the computer [it’s a server, it’ll not have kbd/display]
  • configure network settings. it’s a pity that tagged vlans are not supported [at least not from ctrl+p bios. it seems that the manageability commander tool mes editor in the networking>advanced settings allows configuration of vlans]
  • activate network access [there’s separate option for that in the main menu]

note that ctrl+p menu cannot be accessed via kvm/vnc over the network. one has to enter and manipulate it from the keyboard and monitor directly attached to the server.

the next step is to download AMT tools for windows – i’ve used intel’s Manageability Developer Tool Kit 7 and open manageability. then run Manageability Commander Tool ME, add known computer – provide the IP of the AMT set in the earlier step, select connect, then in the remote control tab, remote desktop, remote desktop settings select as follows:

[screenshot: amt-remoteDesktop]

note that the password has to have exactly 8 chars, at least 1 capital letter, at least 1 small letter, at least 1 special character and at least 1 digit. once that’s done you can use tightvnc viewer [version 1.3 will work, 2.7 does not work... go figure; also one of the readers suggested that the compression level should be set to “Tight” in the vncviewer settings]. power control is possible via the web UI of amt – http://10.1.2.3:16992/logon.htm

all in all – not very straightforward but better than nothing; this server with amt costs a little bit more than just a DRAC card for more expensive PowerEdge servers.

it seems that AMT cannot handle higher resolution text consoles. i had to modify /etc/default/grub and put there: GRUB_CMDLINE_LINUX_DEFAULT="quiet nomodeset" to be able to connect via vnc to the debian jessie’s console at any time.

network card

T20 comes with Intel’s I217-LM lan card; debian wheezy – with 3.4 kernel – does not have support for that card. i’ve installed 3.13 kernel from backports and then the card became available from linux. AMT worked fine also with 3.4 kernels – it’s independent from the OS.

the rest

yet another note: after upgrading to 3.14 kernel VNC via AMT stopped working for the running linux. i could see the bios screen and grub but not the login prompt. it has something to do with the frame buffer display mode used for the console. workaround: in /etc/default/grub add: GRUB_CMDLINE_LINUX="nofb nomodeset vga=normal" and run update-grub2 + reboot. console will be in low resolution text mode.

the server came with a 1TB ST1000DM003-1CH162 disk that has quite aggressive power saving – the drive spins down after a few minutes of inactivity. i have plenty of cron jobs started every few minutes so in regular use the drive will not be parked, but just from a few hours of work with the setup i got a few hundred starts/stops:

#smartctl  -d sat -a /dev/sdb|grep Load
193 Load_Cycle_Count        0x0032   100   100   000    Old_age   Always       -       303

helpful resources:

2015-09 update

i’ve discovered that [at least for the bios version A06] on the T20 having AMT activated has a nasty side effect – all TCP traffic coming to the on-board NIC on port 5900 is silently dropped. it does not reach Linux’s kernel. i suspect that there’s some bug in the management firmware handling VNC connections for the virtual KVM. so – in case of a router that i use – i had to move all of the production traffic to the add-on network card.

2017-05 update

dell t20 with amt enabled is most likely vulnerable to INTEL-SA-00075 as discussed here, here. it’s better to have it completely disabled. and update bios … once / if dell releases it.
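an added example, not part of the original post: a small audit to run against the on-board NIC's address after disabling AMT, covering the ports named in the two updates above (16992 web UI, 5900 KVM) plus 16993, the TLS web UI port. it assumes the AMT web server identifies itself in a Server header of the form "Intel(R) Active Management Technology <major>.<minor>..."; all function names are hypothetical.

```python
import http.client
import re
import socket

# 16992 and 5900 appear on this page; 16993 is the TLS variant of the web UI
AMT_PORTS = (16992, 16993, 5900)

def open_ports(host, ports=AMT_PORTS, timeout=2.0):
    """Return the ports on `host` that accept a TCP connection."""
    found = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:  # refused, filtered or timed out
            pass
    return found

def server_header(host, port=16992, timeout=3.0):
    """Fetch the Server header of the web UI logon page, or None."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/logon.htm")
        return conn.getresponse().getheader("Server")
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()

def amt_version(header):
    """Parse (major, minor) from a Server header (assumed format); None if not AMT."""
    m = re.search(r"Active Management Technology\s+(\d+)\.(\d+)", header or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def in_sa00075_range(version):
    """INTEL-SA-00075 covers firmware 6.x through 11.6. only major.minor is
    parsed here, so a patched build still returns True: treat it as 'check'."""
    return version is not None and (6, 0) <= version <= (11, 6)

def audit(host):
    ports = open_ports(host)
    version = amt_version(server_header(host)) if 16992 in ports else None
    return {"host": host, "open": ports, "amt": version,
            "check_sa00075": in_sa00075_range(version)}

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:  # addresses of your own machines
        print(audit(target))
```

run it from a second machine: as the comment below notes, the AMT address does not answer requests coming from the OS on the same hardware. an empty "open" list after disabling AMT is the result you want.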

3 Comments

  1. Pingback: Dell PowerEdge T20 with Xeon E3-1225v3 CPU

  2. “AMT activated have a nasty side effect – all TCP traffic coming to the on-board NIC on port 5900 is silently dropped. it does not reach Linux’s kernel. i suspect that there’s some bug in the management firmware handling VNC connections for the virtual KVM”

    As per https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/WordDocuments/workingwithport5900.htm the “side effect” and “bug” seems to be considered a feature: “If the console also uses a software KVM solution, enabling port 5900 for Intel AMT will block traffic to the software server if it also uses port 5900.”

    In general the separation between the IPs for AMT and OS(s) seems to be incomplete (promised from AMT 6.1 according to https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/WordDocuments/accessingintelamtviathewebuiinterface.htm) on the T20 A06 at least – for instance one cannot http to port 16992 of the AMT IP from within an OS running on the same hardware – an additional computer is required.

    BTW confusion abounds as to which is the most current and appropriate tool for switching to port 5900 in the first place: http://www.hardwareluxx.de/community/f101/dell-poweredge-t20-1031138-168.html#post25025764 – only the “Mesh Edition” flavors seem to connect at all.

    • thanks a lot for a very insightful comment!

      i’ve accepted the blocked port 5900 as a fact of life and continue to use the on-board interface for management only. any production traffic goes via add-on pcie ethernet card.
