HPE Synergy
1839166 Members
2944 Online
110136 Solutions
New Discussion

Re: OneView SSO to ILO scripting with Python

 
Mitch Brown_1
Advisor

OneView SSO to ILO scripting with Python

I'm working on OS deployment scripting with Synergy, OneView, and ILO on SY480 Gen10 servers.  I'm using Python3.

Versions:

  • Python - 3.6.8
  • OneView Python SDK 4.8.0
  • ILO Rest Python SDK 2.5.2
  • OneView Appliance Version 5.00.00.01-0402787
  • Synergy Support Pack 2019.09.26

Its been a bit of a rough go, but I've finally gotten a pretty good handle on the Python OneView SDK.  My current frustration is the lack of clear documentation in some cases and broken examples, especially (currently) in the ILOrest Python SDK.  It just doesn't work right.  Even if it did, I'm totally at a loss as to how to leverage the ILO SSO URI that I get back from the OneView SDK to establish a REST session.  The Power Of Single Sign On With HPE OneView seems to have this as the key concept, but it really doesn't tell you how to get from the SSO URI to a working session, and certainly not with the Python SDK - the Python stuff seems to only support Clear Text username and password (yikes).  I've read forums and even tried to do this through the curl testing methods described in the ILO Rest API but I can't get a session established.

I'd really appreciate it if someone could show me, particularly in python, how to go from the OneView SDK:

from hpOneView.oneview_client import OneViewClient
ovConfig={
    "ip" : "172.25.1.10",
    "api_version" : "1000",
    "credentials" : {
        "userName" : "Administrator",
        "password" : "YourPassword",
        "authLoginDomain" : ""
    }
}
ovClient=OneViewClient(ovConfig)
profile = ovClient.server_profiles.get_by_name("Demo-1")
hw = ovClient.server_hardware.get(profile['serverHardwareUri'])
sso = ovClient.server_hardware.get_ilo_sso_url(profile['serverHardwareUri'])

to a rest or redfish API session so that I can change the one-time-boot setting to pxe or UEFI HTTPS-boot.

Regards,

Mitch
10 REPLIES 10
ChrisLynch
HPE Pro

Re: OneView SSO to ILO scripting with Python

We have published sample code here, of which one of them is based on Python.  The sample code scripts get an SSO key from a connected OneView appliance, and the other will initiate virtual media mount calls.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
Mitch Brown_1
Advisor

Re: OneView SSO to ILO scripting with Python

Chris,

I'm sorry, i already wasted many hours on this link.  That's not an example.  If I were in math class, I'd be the teacher saying "show your work".

In the ILO SSL that is returned, there is a Token TKN= and a ssosession - it looks like (after a ton of experimentation) that the ssosession ID is actually the one that is needed, but i'm not sure, since the examples linked don't actually show how to use the token/sessionID with the python SDK libraries - the only mechanism documented there is URL + user/pass.

I have similarly spent about 3 days on this already - the python redfish/rest API SDK (from which the example scripts come) are completely broken at the moment.  They DO NOT WORK as documented.  That's why I'm asking for someone to show me a complete example, using the current SDKs.

take for example the quickstart.py and quickstart_redfish.py in the python SDK - you use either one, after updating the credential variables and only the redfish one works.  So, you go down into the examples folder, and go to the redfish version of ex08 - the one that is supposed to do the one-time-boot manipulation...and it's broken.  Does not work, has import errors.  I spent yesterday afternoon trying to modify it based on the working parts of quickstart_redfish.py but got nowhere - it relies on functions under the rest object that don't exist in the redfish object, and after walking the data model and hardcoding in the rest just to find the baselines, I still got nowhere - and that's after giving up on the SSO method and reverting to user/pass.

So, I downloaded the ILOREST tool.  Well.  That was a bit of a joke.  I'm a debian guy.   On the ILOREST web page it has a download link from the support site...that has Windows and Centos/Redhat based distribution.  So, I cloned the github and followed the instructions to build and install it.  It's broken.  Can't build successfully, lots of errors. Looks like path referencing in the build defs are broken as it can't find required files at paths that are corrupted.  It "might" work if I moved the git path to just under root, but i'm not trying that.  After wasting more hours on that, I stumbled on the fact that the good old SDR - linux software download repository has the ilorest tool built and I was able to get it properly installed that way.  It's oddly very slow, and I can't figure out why...but it does work.

I would HATE to be a customer at the moment, this is so frustrating and it's taken me weeks of guesswork and iterative experimentation to get anywhere.  My preference is to just get all this working with the redfish or rest APIs but the docs are just plain horrific.

I'm happy to work with you or anyone else, but right now I'm connected to Satya Reddy on some of this but I think he's out of India and it basically takes 24 hours to get a response that way.  It seems like nobody's actually tested any of  this from the perspective of a user who hasn't done this before - i'm competent with Python, but I had to literally read the python code for the OneView API to realize that it's mainly a wrapper around the rest API and even though the SDK doesn't say so, you can find most of the passed dict() arguments are really just rest API options.  But then sometimes not.  This doesn't seem to be the case with the ILO rest/redfish SDK.  That just doesn't work.  I can get items and I manged to munge my way down to retrieving the location of the Boot.BootSourceOverrideTarget field but then when trying to call the REDFISH_OBJ.patch I get errors I have no idea what to do with:

 

path='/redfish/v1/systems/1/settings')
body=dict()
body['Boot']=dict()
body['Boot']['BootSourceOverrideTarget']='Pxe'
REDFISH_OBJ.patch(path,body)

 

...i'm getting a 'multiple values for "method" found' error.

I've been working on doing a python, multithreaded demo for synergy server deployment.  It has taken FAR longer than it should have because most of the issues have been lack of documentation or out-of-date revisions in the SDKs. I've made a ton of progress but it literally took me two weeks to get to the point of scriptwise deploying ESXI to 3 servers simultaneously.  If a customer was doing this, they'd be screaming.

I'm at the MASE conference this week if you are there and want to connect look me up on the attendee app.

Regards,

Mitch
ChrisLynch
HPE Pro

Re: OneView SSO to ILO scripting with Python

The samples I linked you to is working code on how to generate the iLO SSO token from OneView.  The get_ssosessionobject.py  script on line 41 shows you exactly how the SSO token is extracted from the return generate from the OneView REST API.  Then in the other Pyton scripts, you will find the RedFishObject class defined, which accepts the generated token.

And have you reviewed the iLO REST API/Redfish API docs here?

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
Mitch Brown_1
Advisor

Re: OneView SSO to ILO scripting with Python

Chris,

In my OP i showed that I already got the SSO URL.

I then went on to document just how inclomplete the links you referenced are, especially when the SDKs don't work.  

I'm fairly confident that should I go with the rest API itself I could figure this out, but then what's the point of having the SDKs?  The whole point of the SDKs are to simplify the use of the Rest/Redfish APIs and since they are so broken right now, and I challenge you to find a single piece of documented code that takes the SSO URL from OneView and pass it to the ILO Rest or Redfish Python SDK API.  I've been looking for hours and what you linked is NOT it.  It basically just says "you can take this and log in" but doesn't tell you how to do that

Regards,

Mitch
Mitch Brown_1
Advisor

Re: OneView SSO to ILO scripting with Python

Ok, so I did more looking at the mount_virtualmedia.py you linked.

Interesting.  In my OP I mentioned I am looking for setting the One Time Boot override, and I am not using virtual media in this case.  I will be using either PXE or UEFIHTTPS boot.

That said, i note a couple of interesting things.  

Why on earth, in the mount_virtualmedia.py, do you[sic, not personally], completely redefine the RedFishObject?  Seems to me the answer is that the SDK doesn't contain the method you needed, so it was rewritten.   This is a remarkably obtuse way of "documenting" how ot use the SSO token.  I may be able to piece it together from this, but it's hardly clear on how to do what I need to do, especially with the examples in the SDK so broken.

Just to be clear, when I say the SDK is broken, I'm referring to the python ILO Rest API SDK - HERE  There's an example in this SDK (ex08) that purports to do EXACTLY what i'm trying to do (except for the SSO piece) and both the redfish version and the rest version are broken.

Regards,

Mitch
ChrisLynch
HPE Pro

Re: OneView SSO to ILO scripting with Python

The iLO Redfish SDK does not support SSO Tokens, which is why I linked you to the sample code and it shows the RedFishObj redefined.  The iLO Redfish SDK natively only supports user account logins, which is why you cannot find this in the iLO Redfish documentation.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
Mitch Brown_1
Advisor

Re: OneView SSO to ILO scripting with Python

Well!  We are getting closer.  That's a clear statement that I can work with.

I will work on taking the example you provided and building it out to implmenet the feature(s) I need around the two features I want to use:

  1. enabling the OneTimeBoot selection for either Pxe or UEFIHTTP/S boot
  2. Changing the HTTPS boot target.

I know I can do #2 using the OneView SDK; however, I frankly don't like it because it takes a very long time to reapply the server profile once I make the change (for some reason it takes about 9 minutes for my SY480 blades to finish POST - the majority of the time is in the UEFI "starting required drivers" phase and I don't know why).  It is not clear (as of yet) if this can be changed via the ILO API; it would be really nice if I can set it in ILO for apply on next boot, then I just have to coordinate a single boot cycle.

I can look later but do you know if there's an example in the oneview-osdeployment github resources that addresses either of these directly?

Regards,

Mitch
Mitch Brown_1
Advisor

Re: OneView SSO to ILO scripting with Python

Well.  I'm not sure If I should really mark this as solved.  Too many issues here.  Things I've learned:

  • Chris's suggestion on generating the ILO SSO token and creating a session to the rest API seems to work.
  • However, the Python Rest/Redfish SDK is severely broken in many ways.  I can not, whether I use SSO or direct login, get the api to change the one-time-boot value. 
  • The OneTimeBoot can be set via the OneView api under the server hardware object.  Unfortunately, the Python SDK only supports up to API version 1000 (current is 1200), and it seems that even API 1200 doesn't support setting the OneTimeBoot value to UEFI HTTP boot, even though you can do it through the ILO Gui.

Ultimately I gave up on this.  It might work but I have to say this is some lousy documentation.  I might get back to it later if I get some more time but for the moment I fell back to PXE.  At least it works and I can do what I need via the OneView API.

TO PRODUCT MANAGEMENT:  You really need to have more focus on these SDKs.  If you are going to publish an SDK it needs to be maintained consistently with the core product.  Since HPE claims that OneView and such are all written using the Rest/Redfish APIs, then that documentation MUST be kept accurate.  If you don't do this, HPE's message on Composable infrastructure is junk.  If it takes longer for a customer to figure out how to use and maintain the SDKs than to do things the old manual way, you aren't helping the customer with time-to-value!

  

Regards,

Mitch
ChrisLynch
HPE Pro

Re: OneView SSO to ILO scripting with Python

I'm sorry you have had challanges with getting this to work.  Do know that even though One Time Boot was added to OneView 5.00, it only supports generic targets.  UEFI Shell is not a generic target.

As for your experience with the iLO Redfish Python SDK, this isn't really the right forum to express your issues, nor get help with them.  The GitHub issues tracker is.  And I would ask that you create an issue there asking for assistance with reviewing your script you're trying to use.  I'll certainly forward this on to the folks that maintain it.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
Erik_Go
New Member

Re: OneView SSO to ILO scripting with Python

I'm facing the same challenge and I decided to take a three way approach:

1. At the end of my preparation script I'm adding a temporary local admin account to the ILO using the OneView SDK.

2. I'm using the Redfish SDK and the admin account from step 1  to adjust ILO settings

3. I will delete the temporay admin account using the OneView SDK

 

Kind Regards,

Erik