Fabric: add support for PCIe Switch Port URI

This patch enable support for following properties for Port of a PCIe
Switch. [1]
- PortProtocol
- PortType
- CurrentSpeedGbps
- ActiveWidth

One of the

Fabric: add support for PCIe Switch Port URI

This patch enable support for following properties for Port of a PCIe
Switch. [1]
- PortProtocol
- PortType
- CurrentSpeedGbps
- ActiveWidth

One of the devices that gets enabled with this patch is Nvidia ConnectX
devices, which are network cards featuring an integrated PCIe switch.
These devices combine both PCIe ports and network ports in a single
unit. Since such devices don't strictly qualify as Fabric Adapters, the
Switch URI is used instead of the FabricAdapter URI.

Port schema only allows certain URIs as Port URI. URI
/redfish/v1/Fabrics/{FabricId}/Switches/{SwitchId}/Ports/{PortId} seems
most appropriate choice for PCIe Switch Port. [1]

The Fabric resource is modeled similarly to the System resource, meaning
that only one Fabric resource will exist for each BMC. Route handler for
collections and each individual components are added in this patch for
each URI resource under /redfish/v1/Fabrics.

DBus Interface "xyz.openbmc_project.Inventory.Item.PCIeSwitch" is used
to identify the Switch resources. Association between Switch and Port is
`connecting` and `connected_to`.

Feature like Port Metrics properties (for PCIe Error Counters) can be
added in future at Port Metric URI.

dbus-sensors patches -
https://gerrit.openbmc.org/c/openbmc/dbus-sensors/+/84079
https://gerrit.openbmc.org/c/openbmc/dbus-sensors/+/83202

Tested: Build an image for nvl32-obmc machine with the following patch
cherry picked.

https://gerrit.openbmc.org/c/openbmc/dbus-sensors/+/84079
https://gerrit.openbmc.org/c/openbmc/openbmc/+/85490

The openbmc patch cherry-picks the following patches that are currently
under review.

```
1. device tree
https://lore.kernel.org/all/aRbLqH8pLWCQryhu@molberding.nvidia.com/
2. mctpd patches
https://github.com/CodeConstruct/mctp/pull/85
3. u-boot changes
https://lore.kernel.org/openbmc/20251121-msx4-v1-0-fc0118b666c1@nvidia.com/T/#t
4. kernel changes as specified in the openbmc patch (for espi)
5. entity-manager changes
https://gerrit.openbmc.org/c/openbmc/entity-manager/+/85455
6. platform-init changes
https://gerrit.openbmc.org/c/openbmc/platform-init/+/85456
7. spi changes
https://lore.kernel.org/all/20251121-w25q01jv_fixup-v1-1-3d175050db73@nvidia.com/
```

redfish service validator is passing.

```
$ curl -k -u 'root:0penBmc' https://${bmc_ip}/redfish/v1/Fabrics/
{
"@odata.id": "/redfish/v1/Fabrics",
"@odata.type": "#FabricCollection.FabricCollection",
"Members": [
{
"@odata.id": "/redfish/v1/Fabrics/fabric"
}
],
"Members@odata.count": 1,
"Name": "Fabric Collection"
}%

$ curl -k -u 'root:0penBmc' https://${bmc_ip}/redfish/v1/Fabrics/fabric/
{
"@odata.id": "/redfish/v1/Fabrics/fabric",
"@odata.type": "#Fabric.v1_2_0.Fabric",
"Id": "fabric",
"Name": "fabric Fabric",
"Switches": {
"@odata.id": "/redfish/v1/Fabrics/fabric/Switches"
}
}%

$ curl -k -u 'root:0penBmc' https://${bmc_ip}/redfish/v1/Fabrics/fabric/Switches/
{
"@odata.id": "/redfish/v1/Fabrics/fabric/Switches",
"@odata.type": "#SwitchCollection.SwitchCollection",
"Members": [
{
"@odata.id": "/redfish/v1/Fabrics/fabric/Switches/Nvidia_ConnectX_0"
},
{
"@odata.id": "/redfish/v1/Fabrics/fabric/Switches/Nvidia_ConnectX_1"
},
{
"@odata.id": "/redfish/v1/Fabrics/fabric/Switches/Nvidia_ConnectX_2"
},
{
"@odata.id": "/redfish/v1/Fabrics/fabric/Switches/Nvidia_ConnectX_3"
}
],
"Members@odata.count": 4,
"Name": "fabric Switch Collection"
}%

$ curl -k -u 'root:0penBmc' https://${bmc_ip}/redfish/v1/Fabrics/fabric/Switches/Nvidia_ConnectX_0
{
"@odata.id": "/redfish/v1/Fabrics/fabric/Switches/Nvidia_ConnectX_0",
"@odata.type": "#Switch.v1_7_0.Switch",
"Id": "Nvidia_ConnectX_0",
"Name": "Nvidia_ConnectX_0",
"Ports": {
"@odata.id": "/redfish/v1/Fabrics/fabric/Switches/Nvidia_ConnectX_0/Ports"
},
"Status": {
"Health": "OK",
"State": "Enabled"
}
}%

$ curl -k -u 'root:0penBmc' https://${bmc_ip}/redfish/v1/Fabrics/fabric/Switches/Nvidia_ConnectX_0/Ports/
{
"@odata.id": "/redfish/v1/Fabrics/fabric/Switches/Nvidia_ConnectX_0/Ports",
"@odata.type": "#PortCollection.PortCollection",
"Members": [
{
"@odata.id": "/redfish/v1/Fabrics/fabric/Switches/Nvidia_ConnectX_0/Ports/DOWN_0"
},
{
"@odata.id": "/redfish/v1/Fabrics/fabric/Switches/Nvidia_ConnectX_0/Ports/DOWN_1"
},
{
"@odata.id": "/redfish/v1/Fabrics/fabric/Switches/Nvidia_ConnectX_0/Ports/UP_0"
}
],
"Members@odata.count": 3,
"Name": "Nvidia_ConnectX_0 Port Collection"
}%

$ curl -k -u 'root:0penBmc' https://${bmc_ip}/redfish/v1/Fabrics/fabric/Switches/Nvidia_ConnectX_0/Ports/UP_0/
{
"@odata.id": "/redfish/v1/Fabrics/fabric/Switches/Nvidia_ConnectX_0/Ports/UP_0",
"@odata.type": "#Port.v1_4_0.Port",
"ActiveWidth": 8,
"CurrentSpeedGbps": 32.0,
"Id": "UP_0",
"Metrics": {
"@odata.id": "/redfish/v1/Fabrics/fabric/Switches/Nvidia_ConnectX_0/Ports/UP_0/Metrics"
},
"Name": "Nvidia_ConnectX_0 UP_0 Port",
"PortProtocol": "PCIe",
"PortType": "UpstreamPort",
"Status": {
"Health": "OK",
"State": "Enabled"
}
}%
```

[1]: https://redfish.dmtf.org/schemas/v1/Port_v1.xml

Change-Id: I52f4ca62b4953f6196c589e340602a0d7885d9c1
Signed-off-by: Harshit Aghera <haghera@nvidia.com>

show more ...

Enable TCP keepalives for HTTP connections

This fix enables TCP keepalives at the OS layer. It also enables a 15
minute deadline timer at the bmcweb level when waiting on an idle HTTP
keepalive conn

Enable TCP keepalives for HTTP connections

This fix enables TCP keepalives at the OS layer. It also enables a 15
minute deadline timer at the bmcweb level when waiting on an idle HTTP
keepalive connection.

Tested: romulus image running bmcweb, start connections with keepalive,
block incoming connections `iptables -P INPUT DROP`, validate that
sockets eventually die and are tracked with keepalives `ss -nto`

Change-Id: I8f5040440348c060dae1d0516ec202a0e4dc349e
Signed-off-by: Joey Berkovitz <joey@berkovitz.us>

show more ...

Add temp file and FD support to TemporaryFileHandle

This commit adds file descriptor and temporary file management to
DuplicatableFileHandle, removing the redundant test-only
TemporaryFileHandle uti

Add temp file and FD support to TemporaryFileHandle

This commit adds file descriptor and temporary file management to
DuplicatableFileHandle, removing the redundant test-only
TemporaryFileHandle utility.

Changes:
- Add file descriptor constructor and setFd() method
- Add temporary file constructor with string_view content
- Add filePath member and automatic cleanup in destructor
- Add configurable temp-dir meson option (default: /tmp/bmcweb)
- Remove include/file_test_utilities.hpp
- Update all tests to use DuplicatableFileHandle
- Rename stringPath to filePath

These features will be used by the multipart parser to stream
large uploads to temporary files instead of keeping them in memory,
and by the update service to pass file descriptors over D-Bus.

Change-Id: I982f5928d453f9f0c13d91c3525006134ddc87b3
Signed-off-by: Rajeev Ranjan <ranjan.rajeev1609@gmail.com>

show more ...

Add Journal EventLog to Manager

In order to get access to the EventLog on multi-host platforms,
add Journal EventLog to Manager.
This implementation is based on the discussion we had on
patch 76319

Add Journal EventLog to Manager

In order to get access to the EventLog on multi-host platforms,
add Journal EventLog to Manager.
This implementation is based on the discussion we had on
patch 76319 [1].

TLDR: On multi-host, we technically would have to split the event log
on a per host node basis, so that each host node has its own
specific event log.

However, this is currently not supported so we had to decide,
whether we put it on a specific ComputerSystem, or refactor the current
implementation of the EventLog, to allow for the EventLog LogService to
be part of the Managers resource.
We chose the latter one, because a), it is not clear on which
ComputerSystem to put the EventLog, as long as we aren't splitting the
event log per host node, and b), if that particular
ComputerSystem is not existing at runtime, there would be no access to
the EventLog at all.

This feature can be enabled with the redfish-eventlog-location meson
option. By default it is set to 'systems', which translates to the
EventLog being under the Systems resource.
To enable the EventLog under the Managers resource set

```
-Dredfish-eventlog-location=managers
```
This in turn, disables the EventLog under the ComputerSystem resource.

Tested: Redfish validation succeeded for both ComputerSystem and
Managers tree.

```
curl command:
curl -w "@curl-format.txt" -c cjar -b cjar -k -X GET 'https://'"${BMC}"':4443/redfish/v1/'"$ROUTE"'' \
-H 'X-Auth-Token: '"$BMCWEB_SESSION_TOKEN"''

GET /redfish/v1/Managers/bmc/LogServices
{
"@odata.id": "/redfish/v1/Managers/bmc/LogServices",
"@odata.type": "#LogServiceCollection.LogServiceCollection",
"Description": "Collection of LogServices for this Manager",
"Members": [
{
"@odata.id": "/redfish/v1/Managers/bmc/LogServices/Journal"
},
{
"@odata.id": "/redfish/v1/Managers/bmc/LogServices/EventLog"
}
],
"Members@odata.count": 2,
"Name": "Open BMC Log Services Collection"
}

GET /redfish/v1/Managers/bmc/LogServices/EventLog
{
"@odata.id": "/redfish/v1/Managers/bmc/LogServices/EventLog",
"@odata.type": "#LogService.v1_2_0.LogService",
"Actions": {
"#LogService.ClearLog": {
"target": "/redfish/v1/Managers/bmc/LogServices/EventLog/Actions/LogService.ClearLog"
}
},
"DateTime": "2025-09-24T15:22:36+00:00",
"DateTimeLocalOffset": "+00:00",
"Description": "Manager Event Log Service",
"Entries": {
"@odata.id": "/redfish/v1/Managers/bmc/LogServices/EventLog/Entries"
},
"Id": "EventLog",
"Name": "Event Log Service",
"OverWritePolicy": "WrapsWhenFull"
}

GET /redfish/v1/Managers/bmc/LogServices/EventLog/Entries
{
"@odata.id": "/redfish/v1/Managers/bmc/LogServices/EventLog/Entries",
"@odata.type": "#LogEntryCollection.LogEntryCollection",
"Description": "Collection of Manager Event Log Entries",
"Members": [
{
"@odata.id": "/redfish/v1/Managers/bmc/LogServices/EventLog/Entries/1730009576",
"@odata.type": "#LogEntry.v1_9_0.LogEntry",
"Created": "2024-10-27T06:12:56+00:00",
"EntryType": "Event",
"Id": "1730009576",
"Message": "Host system DC power is off",
"MessageArgs": [],
"MessageId": "OpenBMC.0.1.DCPowerOff",
"Name": "Manager Event Log Entry",
"Severity": "OK"
},
...
],
"Members@odata.count": 2820,
"Members@odata.nextLink": "/redfish/v1/Managers/bmc/LogServices/EventLog/Entries?$skip=1000",
"Name": "Manager Event Log Entries"
}

GET /redfish/v1/Managers/bmc/LogServices/EventLog/Entries/1730009576
{
"@odata.id": "/redfish/v1/Managers/bmc/LogServices/EventLog/Entries/1730009576",
"@odata.type": "#LogEntry.v1_9_0.LogEntry",
"Created": "2024-10-27T06:12:56+00:00",
"EntryType": "Event",
"Id": "1730009576",
"Message": "Host system DC power is off",
"MessageArgs": [],
"MessageId": "OpenBMC.0.1.DCPowerOff",
"Name": "Manager Event Log Entry",
"Severity": "OK"
}
```
ClearLog action:
Log files are being successfully deleted from /var/log

[1] https://gerrit.openbmc.org/c/openbmc/bmcweb/+/76319

Change-Id: If5b4fe10151b6bfd28a1b49c41f8cfcec1b9132c
Signed-off-by: Oliver Brewka <oliver.brewka@9elements.com>

show more ...

Remove redfish-use-3-digit-messageid

redfish-use-3-digit-messageid stated it would be removed in 2Q25, it is
now 4Q25. Searching OpenBMC doesn't show any users of this option.

This option was added

Remove redfish-use-3-digit-messageid

redfish-use-3-digit-messageid stated it would be removed in 2Q25, it is
now 4Q25. Searching OpenBMC doesn't show any users of this option.

This option was added in December 2014 and fixed a bug with us not
following the Redfish Spec.[1]

[1]: https://gerrit.openbmc.org/c/openbmc/bmcweb/+/76180

Tested: This is a pretty straightforward removal. Inspection and build
only.

Change-Id: I8a103d42184c21f75db19d44d8004f54d3fae01a
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

show more ...

Allow configuring user

Add a new option to allow configuring bmcweb to run as a 'bmcweb' user
instead of root. This option is disabled by default, and the behavior
is very broken at this point, but

Allow configuring user

Add a new option to allow configuring bmcweb to run as a 'bmcweb' user
instead of root. This option is disabled by default, and the behavior
is very broken at this point, but should serve as a starting point for
getting the issues resolved.

Tested:
Enabled option. Observed with ps, that bmcweb launched correctly, and
was running as the bmcweb user. With authentication disabled, passes
redfish service validator.

Booted without option enabled, and saw bmcweb boot and function.

Change-Id: Iac0335697020308bb632f5522b712f5eea0b2486
Signed-off-by: Ed Tanous <etanous@nvidia.com>

show more ...

Read state directory from systemd file

Reading the state dir from the systemd service file gives us
flexibility to define the bmcweb state from wherever we like, rather
than just using the current d

Read state directory from systemd file

Reading the state dir from the systemd service file gives us
flexibility to define the bmcweb state from wherever we like, rather
than just using the current directory, which might not be writable.

Tested: bmcweb boots, shows state is persisted in the same location as
previously.

Change-Id: I9c048421fe249b73b1cae2ff5204ffd357cd3123
Signed-off-by: Ed Tanous <etanous@nvidia.com>

show more ...

Systems: Restore old-style LocationIndicatorActive

The commit 2eaa927 [1] altered the D-Bus associations used for setting
and getting the LED state for the Systems resource. Machines which use
entit

Systems: Restore old-style LocationIndicatorActive

The commit 2eaa927 [1] altered the D-Bus associations used for setting
and getting the LED state for the Systems resource. Machines which use
entity-manager do not have the new association yet.

This commit is adding back the use of the old D-Bus method under a
compile option. This will be enabled by default until October 15, 2025
and completely removed by June 2026.

[1] https://gerrit.openbmc.org/c/openbmc/bmcweb/+/82078

Tested:
- Built with option enabled and confirmed logging showed old method
being used.
- Built with option disabled and confirmed logging showed new method
being used.

Change-Id: I271fc464ef512b742a8c85419668aa09d38e525d
Signed-off-by: Janet Adkins <janeta@us.ibm.com>

show more ...

merge binaries bmcweb and bmcwebd

Solution to reduce compressed rofs size.

Conclusion: The compiler is better at reducing binary size than the rofs
compression is at deduplicating sections of alrea

merge binaries bmcweb and bmcwebd

Solution to reduce compressed rofs size.

Conclusion: The compiler is better at reducing binary size than the rofs
compression is at deduplicating sections of already compiled binaries,
in the case of bmcweb.

What's been changed?

`bmcweb` and `bmcwebd` have been merged into `bmcweb`.
The webserver can be started with `bmcweb daemon`.

Commands used to check size

```
wc -c build/s8030/tmp/work/*-openbmc-linux-gnueabi/obmc-phosphor-image/1.0/obmc-phosphor-image-1.0/static/image-rofs

wc -c build/s8030/tmp/deploy/images/s8030/image-rofs

xz -c build/s8030/tmp/work/*-openbmc-linux-gnueabi/obmc-phosphor-image/1.0/rootfs/bin/bmcweb | wc -c

xz -c build/s8030/tmp/work/*-openbmc-linux-gnueabi/obmc-phosphor-image/1.0/rootfs/usr/libexec/bmcwebd | wc -c
```

Base commit used for testing:
`2169e896448fac1b59c57516b381492e4b2161c7`

Results:

Before patch:
```
image-rofs compressed size:
25526272 build/s8030/tmp/work/s8030-openbmc-linux-gnueabi/obmc-phosphor-image/1.0/obmc-phosphor-image-1.0/static/image-rofs
rootfs
25526272 build/s8030/tmp/deploy/images/s8030/image-rofs
bmcweb cli
95424
bmcwebd
1016004
```

After patch:
```
image-rofs compressed size:
25477120 build/s8030/tmp/work/s8030-openbmc-linux-gnueabi/obmc-phosphor-image/1.0/obmc-phosphor-image-1.0/static/image-rofs
rootfs
25477120 build/s8030/tmp/deploy/images/s8030/image-rofs
bmcweb cli
96
bmcwebd
1059556
```

Calculating the difference in compressed rofs

25526272 - 25477120 = 49152

which is around 0.2% in terms of the total image but around 4.6% in
terms of bmcwebd binary.

Tested: on yosemite4 qemu

`bmcweb` cli interactions work as before.

```
root@yosemite4:~# bmcweb --help
BMCWeb CLI
Usage: bmcweb [OPTIONS] SUBCOMMAND

Options:
-h,--help Print this help message and exit

Subcommands:
loglevel Set bmcweb log level
daemon Run webserver
root@yosemite4:~# bmcweb loglevel info
<6>[webserver_cli.cpp:97] logging level changed to: INFO
root@yosemite4:~# bmcweb loglevel
level is required
Run with --help for more information.
root@yosemite4:~# bmcweb loglevel debug
<6>[webserver_cli.cpp:97] logging level changed to: DEBUG
```

systemd service still working
```
root@yosemite4:~# systemctl status bmcweb
● bmcweb.service - Start bmcweb server
Loaded: loaded (/usr/lib/systemd/system/bmcweb.service; enabled; preset: enabled)
Active: active (running) since Thu 2025-04-03 13:35:45 PDT; 5 months 15 days ago
```

Change-Id: Ib5dde568ac1c12c5414294ed96404c6a69417424
Signed-off-by: Alexander Hansen <alexander.hansen@9elements.com>

show more ...

Fix runtime error when add `additional-ports` configuration

The bmcweb has runtime errors when adding `additional-ports`
configuration.

```text
Dec 19 21:25:54 board systemd[1]: sockets.target: Wan

Fix runtime error when add `additional-ports` configuration

The bmcweb has runtime errors when adding `additional-ports`
configuration.

```text
Dec 19 21:25:54 board systemd[1]: sockets.target: Wants dependency dropin /etc/systemd/system/sockets.target.wants/bmcweb_440 is not a valid unit name, ignoring.
```

and

```text
Dec 19 21:25:54 board systemd[1]: bmcweb_440.socket: Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.
Dec 19 21:25:54 board systemd[1]: bmcweb_440.socket: Cannot add dependency job, ignoring: Unit bmcweb_440.socket has a bad unit file setting.
```

Update the code to fix that.

Change-Id: I792b9fdf29df40137fdbc7418b140e8445080961
Signed-off-by: Thu Nguyen <thu@os.amperecomputing.com>

show more ...

IndicatorLED: Add compile option for deprecated property

The IndicatorLED property has been deprecated by Redfish since September
2020. The Redfish Service Validator reports a WARNING for this prope

IndicatorLED: Add compile option for deprecated property

The IndicatorLED property has been deprecated by Redfish since September
2020. The Redfish Service Validator reports a WARNING for this property:

```
WARNING - IndicatorLED: The given property is deprecated: This property has been deprecated in favor of the `LocationIndicatorActive` property.
```

The LocationIndicatorActive property is now implemented in bmcweb in
all places where IndicatorLED was implemented. So a new meson option
(redfish-allow-deprecated-indicatorled) is being added to control
whether this property is part of get or patch requests. The option is
disabled by default with plans to remove the option by March 2026.

Tested:
- Built with option enabled and confirmed IndicatorLED still part of
Redfish responses and can be patched.
- Built with option disabled and confirmed Redfish Service Validator no
longer reports the warning.
- Built with option disabled and confirmed IndicatorLED no longer part
of Redfish responses and patch fails appropriately.
```
curl -k -H "X-Auth-Token: $token" -H "Content-Type: application/json" -X PATCH -d '{"IndicatorLED":"Blinking"}' https://${bmc}/redfish/v1/Systems/system
{
"error": {
"@Message.ExtendedInfo": [
{
"@odata.type": "#Message.v1_1_1.Message",
"Message": "The property IndicatorLED is not in the list of valid properties for the resource.",
"MessageArgs": [
"IndicatorLED"
],
"MessageId": "Base.1.19.PropertyUnknown",
"MessageSeverity": "Warning",
"Resolution": "Remove the unknown property from the request body and resubmit the request if the operation failed."
}
],
"code": "Base.1.19.PropertyUnknown",
"message": "The property IndicatorLED is not in the list of valid properties for the resource."
}
}

curl -k -H "X-Auth-Token: $token" -H "Content-Type: application/json" -X PATCH -d '{"IndicatorLED":"Off"}' https://${bmc}/redfish/v1/Chassis/chassis
{
"error": {
"@Message.ExtendedInfo": [
{
"@odata.type": "#Message.v1_1_1.Message",
"Message": "The property IndicatorLED is not in the list of valid properties for the resource.",
"MessageArgs": [
"IndicatorLED"
],
"MessageId": "Base.1.19.PropertyUnknown",
"MessageSeverity": "Warning",
"Resolution": "Remove the unknown property from the request body and resubmit the request if the operation failed."
}
],
"code": "Base.1.19.PropertyUnknown",
"message": "The property IndicatorLED is not in the list of valid properties for the resource."
}
}
```

Change-Id: I2c0d415a7a54aa3122b18d2a1aa69bd9259d567e
Signed-off-by: Janet Adkins <janeta@us.ibm.com>

show more ...

Implement zstd decompression

Given the size of Redfish schemas these days, it would be nice to be
able to store them on disk in a zstd format. Unfortunately, not all
clients support zstd at this ti

Implement zstd decompression

Given the size of Redfish schemas these days, it would be nice to be
able to store them on disk in a zstd format. Unfortunately, not all
clients support zstd at this time.

This commit implements reading of zstd files from disk, as well as
decompressing zstd in the case where the client does not support zstd as
a return type.

Tested:
Implanted an artificial zstd file into the system, and observed correct
decompression both with an allow-encoding header of empty string and
zstd.

Change-Id: I8b631bb943de99002fdd6745340aec010ee591ff
Signed-off-by: Ed Tanous <etanous@nvidia.com>

show more ...

Move http2 out of experimental

Http2 support in bmcweb has been relatively stable for a while. The
http2 implementation passes all known Redfish tests (some of which
require ported to httpx to supp

Move http2 out of experimental

Http2 support in bmcweb has been relatively stable for a while. The
http2 implementation passes all known Redfish tests (some of which
require ported to httpx to support http2), the UI loads, and so far as
the project is concerned, is a complete improvement over the existing
http1 stack.

This commit removes the experimental classification from http2, and
declares it ready for production use, while enabling it by default.
note, that enabling this by default only makes the server advertise that
http2 is available. Http2 must still be supported by the client to
enable ALPN negotiation, so existing http1 clients that only support
http1 will continue to function as they did before.

Tested: Enabled http option and saw http2 advertised, http2 now takes
effect.

Change-Id: I92843a3afc532f0b2a64904bb872e5d84a1a54fe
Signed-off-by: Ed Tanous <etanous@nvidia.com>

show more ...

remove meta-tls-common-name-parsing flag

as we remove all `meta-tls-common-name-parsing` usages from all
references in openbmc and bmcweb repos, we can safely remove
`meta-tls-common-name-parsing` f

remove meta-tls-common-name-parsing flag

as we remove all `meta-tls-common-name-parsing` usages from all
references in openbmc and bmcweb repos, we can safely remove
`meta-tls-common-name-parsing` flag.

This flag was intended to be a flag to enable meta/facebook specific
auth parse mode. As meta/facebook have migrated our implementation into
using UPN field, we can safely remove all codes related to meta/facebook
specific auth parse mode, including this flag

Tested
- build bmcweb binary
- deploy to a device that already use UPN parse mode
- check if it works fine by sending curl, eg: to /AccountService

Change-Id: Iabffcee177b3c48da90eba97e2a84a8d5a9f57d2
Signed-off-by: Malik Akbar Hashemi Rafsanjani <malikrafsan@meta.com>

show more ...

Fix watchdog timeout variable

The meson option to define the watchdog timeout was written in different
places with different names, resulting in the service file not having
the configured timeout, a

Fix watchdog timeout variable

The meson option to define the watchdog timeout was written in different
places with different names, resulting in the service file not having
the configured timeout, and the bmcweb daemon not displaying the warning
when the watchdog was disabled at runtime, but enabled at compile time.

Tested:
- After building, the systemd service file contains the configured
timeout
- If the watchdog is disabled during runtime, the message is displayed
properly

Change-Id: I21d23b02bc13e21a516f04527dbda5b4ec0659f1
Signed-off-by: Roger G. Coscojuela <roger.gili-coscojuela@sipearl.com>

show more ...

Clean up meson summary

Make the meson summary better by:
Adding new sections for each value type (this implicitly sorts each
section, making the pattern more clear)
Remove the generated messon messa

Clean up meson summary

Make the meson summary better by:
Adding new sections for each value type (this implicitly sorts each
section, making the pattern more clear)
Remove the generated messon message, where we print the values of
ifdefs.
Enable bool_yn for feature options, which allows us to pass the feature
in directly, and print and colorize yes/no answers

Tested: meson setup builddir

Results in no messages printed for the ifdefs, and colorized output,
with yes/no answers, summarized below.

Feature Options
basic-auth : YES

String Options
dns-resolver : systemd-dbus

Numeric Options
http-body-limit : 30

Change-Id: I13f003846edaa355090c14113b61aacb05cbeb9a
Signed-off-by: Ed Tanous <etanous@nvidia.com>

show more ...

Add support for systemd service watchdog

Systemd has support for enabling service level watchdog. The MR enables
this support for bmcweb daemon. Request for watchdog monitor from
systemd is added in

Add support for systemd service watchdog

Systemd has support for enabling service level watchdog. The MR enables
this support for bmcweb daemon. Request for watchdog monitor from
systemd is added in bmcweb.service.in. From the event loop a timer is
registered to kick the watchdog periodically

The default watchdog timeout is set at 120 seconds and the timer is set
to kick it at a quarter of the interval (every 30 seconds).
This timeout is set somewhat arbitrarily based on the longest blocking
call that could occur and still give a valid HTTP response. Suspect
lower values could work equally as well.

Benefits of Service Watchdog
- Bmcweb route handlers should not make any blocking IO calls which
block the event loop for considerable amount of time and slowdown the
response of other URI requests in the queue. Watchdog can help to detect
such issues.
- Watchdog can help restart the service if any route handler code has
uncaught bugs resulting from system API errors (this is in theory,
currently we don't have any use case).

Tested
1. UT is passing
2. Service validator is passing
3. Fw upgrade POST requests are working

Change-Id: If62397d8836c942fdcbc0618810fe82a8b248df8
Signed-off-by: rohitpai <ropai@nvidia.com>
Signed-off-by: Ed Tanous <etanous@nvidia.com>

show more ...

Sort the config list

Keep the list sorted.

Change-Id: I208ee3b388dc48b52c15d7ff6534e1f0af300bbf
Signed-off-by: Ed Tanous <etanous@nvidia.com>

Enable port 18080

The commit [1] altered how sockets are created and inadvertently removed
the default port 18080. We use this port extensively in development.
The bmcweb documentation describes the

Enable port 18080

The commit [1] altered how sockets are created and inadvertently removed
the default port 18080. We use this port extensively in development.
The bmcweb documentation describes the port 18080 for this use. [2]
Adding back the default port 18080.

The commit [1] added meson build options for adding additional ports.
In attempting to enable port 18080 using that mechanism I ran into
various build errors when additional-ports has a value. I've corrected
the config/meson.build file to address those errors. These changes are
not necessary to re-enable port 18080 but worth fixing anyway.

Note: Meson defines arrays as containing strings so there is no
to_string() method for the array member. [3]
```
../../../../../../workspace/sources/bmcweb/config/meson.build:137:39: ERROR: Unknown method "to_string" in object <[StringHolder] holds [str]: '18080'> of type StringHolder.
```

Tested:
- Started bmcweb from /tmp and was able to connect through port 18080.
Log shows:
```
[DEBUG app.hpp:111] Got 0 sockets to open
[INFO app.hpp:150] Starting webserver on port 18080
```

[1] https://gerrit.openbmc.org/c/openbmc/bmcweb/+/35265
[2] https://github.com/openbmc/bmcweb/blob/cc67d0a0fed101c930b334a583d9ca9b222ceb77/TESTING.md?plain=1#L57
[3] https://mesonbuild.com/Build-options.html#arrays

Change-Id: Ia1b326bedca808e43e73ce2b241178bc4bfab23c
Signed-off-by: Janet Adkins <janeta@us.ibm.com>
Signed-off-by: Ed Tanous <etanous@nvidia.com>

show more ...

Use systemd logging levels

Systemd has an option[1] that allows it to interpret our log levels
directly. This allows for journald to sort/filter/colorize our logs
better than it was able to previou

Use systemd logging levels

Systemd has an option[1] that allows it to interpret our log levels
directly. This allows for journald to sort/filter/colorize our logs
better than it was able to previously. Its indexes don't map perfectly
to bmcwebs, so come up with a constexpr lookup table to map the two
values across.

Tested: Enabled logging, and dumped journal logs. Observed colorized
output.

[1] https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#SyslogLevelPrefix=

Change-Id: I7722ae86e114daec88709b68405498eeb8164c07
Signed-off-by: Ed Tanous <etanous@nvidia.com>

show more ...

Enable HTTP additional sockets

This commit attempts to add the concept of an SSL detector from beast,
and add the capability into bmcweb. This allows directing multiple
socket files to the bmcweb i

Enable HTTP additional sockets

This commit attempts to add the concept of an SSL detector from beast,
and add the capability into bmcweb. This allows directing multiple
socket files to the bmcweb instance, and bmcweb will automatically sort
out whether or not they're SSL, and give the correct response. This
allows users to plug in erroneous urls like "https://mybmc:80" and they
will forward and work correctly.

Some key design points:
The HTTP side of bmcweb implements the exact same http headers as the
HTTPS side, with the exception of HSTS, which is explicitly disallowed.
This is for consistency and security.

The above allows bmcweb builds to "select" the appropriate security
posture (http, https, or both) for a given channel using the
FileDescriptorName field within a socket file. Items ending in:
both: Will support both HTTPS and HTTP redirect to HTTPS
https: Will support HTTPS only
http: will support HTTP only

Given the flexibility in bind statements, this allows administrators to
support essentially any security posture they like. The openbmc
defaults are:
HTTPS + Redirect on both ports 443 and port 80 if http-redirect is
enabled

And HTTPS only if http-redirect is disabled.

This commit adds the following meson options that each take an array of
strings, indexex on the port.
additional-ports
Adds additional ports that bmcweb should listen to. This is always
required when adding new ports.

additional-protocol
Specifies 'http', 'https', or 'both' for whether or not tls is enfoced
on this socket. 'both' allows bmcweb to detect whether a user has
specified tls or not on a given connection and give the correct
response.

additional-bind-to-device
Accepts values that fill the SO_BINDTODEVICE flag in systemd/linux,
and allows binding to a specific device

additional-auth
Accepts values of 'auth' or 'noauth' that determines whether this
socket should apply the normal authentication routines, or treat the
socket as unauthenticated.

Tested:
Previous commits ran the below tests.
Ran the server with options enabled. Tried:
```
curl -vvvv --insecure --user root:0penBmc http://192.168.7.2/redfish/v1/Managers/bmc
* Trying 192.168.7.2:80...
* Connected to 192.168.7.2 (192.168.7.2) port 80 (#0)
* Server auth using Basic with user 'root'
> GET /redfish/v1/Managers/bmc HTTP/1.1
> Host: 192.168.7.2
> Authorization: Basic cm9vdDowcGVuQm1j
> User-Agent: curl/7.72.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: https://192.168.7.2
< X-Frame-Options: DENY
< Pragma: no-cache
< Cache-Control: no-Store,no-Cache
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Content-Security-Policy: default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:
< Date: Fri, 08 Jan 2021 01:43:49 GMT
< Connection: close
< Content-Length: 0
<
* Closing connection 0
```

Observe above:
webserver returned 301 redirect.
webserver returned the appropriate security headers
webserver immediately closed the connection.

The same test above over https:// returns the values as expected

Loaded the webui to test static file hosting. Webui logs in and works
as expected.

Used the scripts/websocket_test.py to verify that websockets work.
Sensors report as expected.

Change-Id: Ib5733bbe5473fed6e0e27c56cdead0bffedf2993
Signed-off-by: Ed Tanous <ed@tanous.net>

show more ...

Put simple update behind an option

4e338b2313f9f2a91aa1fb36693e36a328d58933 Removed tftp update support
from the codebase, but left SimpleUpdate in a non functional state.

Given that a number of fo

Put simple update behind an option

4e338b2313f9f2a91aa1fb36693e36a328d58933 Removed tftp update support
from the codebase, but left SimpleUpdate in a non functional state.

Given that a number of forks have implemented the HTTPS/SCP versions of
simple update, we don't want to fully delete the code at this time, so
for the moment put it behind an option flag.

Tested: WIP

Change-Id: Ibab1e3a48ff640787eabf8ed5f7a5c08e3381307
Signed-off-by: Ed Tanous <etanous@nvidia.com>

show more ...

Make message registries use 2 digit versions

Redfish specification, section 9.5.11.2 says:

The MessageId property value shall be in the format:
<MessageRegistryPrefix>.<MajorVersion>.<MinorVersion>

Make message registries use 2 digit versions

Redfish specification, section 9.5.11.2 says:

The MessageId property value shall be in the format:
<MessageRegistryPrefix>.<MajorVersion>.<MinorVersion>.<MessageKey>

bmcweb in certain places has incorrectly used the 3 digit version
instead of the 2 digit version. This commit fixes that by modifying the
parse_registries script to generate 3 separate struct entries to
represent the registry version, and parse them where appropriate.

MessageRegistryFileCollection uses the 3 digit version. No behavior
changes.
Message/event log entries use the 2 digit version. This will cause a
MessageId change from:
Base.1.19.0.InternalError
to
Base.1.19.InternalError

This is a breaking change, so a new option to allow the old behavior is
provided.

Tested: Redfish Service validator passes.
Heartbeat events on EventService show 2 digit versions.

Change-Id: I4165e994f73e200f13bed8ea76cb58bee2b69faa
Signed-off-by: Ed Tanous <etanous@nvidia.com>

show more ...

event service: dbus log: enable event subscription

enable the event subscriptions

/redfish/v1/EventService/Subscriptions/

to work for the dbus event log.

So if you are enabling redfish-dbus-log o

event service: dbus log: enable event subscription

enable the event subscriptions

/redfish/v1/EventService/Subscriptions/

to work for the dbus event log.

So if you are enabling redfish-dbus-log option,
event subscriptions should work similar to when
this option is disabled, with one difference:

- 'MessageArgs' property is currently not implemented and cannot be
found in the returned json.

Tested:
- Using Redfish Event Listener, test subscriptions and eventing.
- Manual Test below with the Redfish Event Listener:

1. Created a maximal Event Log Subscription

redfish
{
"@odata.id": "/redfish/v1/EventService/Subscriptions/2023893979",
"@odata.type": "#EventDestination.v1_8_0.EventDestination",
"Context": "EventLogSubscription",
"DeliveryRetryPolicy": "TerminateAfterRetries",
"Destination": "http://${ip}:5000/event-receiver",
"EventFormatType": "Event",
"HttpHeaders": [],
"Id": "2023893979",
"MessageIds": [],
"MetricReportDefinitions": [],
"Name": "Event Destination 2023893979",
"Protocol": "Redfish",
"RegistryPrefixes": [],
"ResourceTypes": [],
"SubscriptionType": "RedfishEvent",
"VerifyCertificate": true
}

which matches on all registries and all message ids.

2. created a new phosphor-logging entry

busctl call xyz.openbmc_project.Logging \
/xyz/openbmc_project/logging \
xyz.openbmc_project.Logging.Create \
Create 'ssa{ss}' \
OpenBMC.0.1.PowerButtonPressed \
xyz.openbmc_project.Logging.Entry.Level.Error 0

3. bmcweb picks up this new entry via the dbus match, this can be
verified by putting bmcweb in debug logging mode.

4. the event log entry makes it through the filtering code

5. the POST request is sent to the subscribed server as expected,
and contains the same properties as with the file-based backend.

Change-Id: I122e1121389f72e67a998706aeadd052ae607d60
Signed-off-by: Alexander Hansen <alexander.hansen@9elements.com>

show more ...

Reformat meson files with meson format

Meson recently got a new format command in 1.5.0 [1]. It makes slightly
different formatting decisions compared to muon (what we used
previously) but given it

Reformat meson files with meson format

Meson recently got a new format command in 1.5.0 [1]. It makes slightly
different formatting decisions compared to muon (what we used
previously) but given it's the official tool, we should switch to it.

There is one bug resolved recently that requires this format be done
using the meson from master.

Ideally this would be enforced by CI in the future, but that's WIP.

Tested: Whitespace only, code compiles.

[1] https://mesonbuild.com/Commands.html#format
[2] https://github.com/mesonbuild/meson/commit/df706807239095ddbbfd2975b3fe067ad6b5d535

Change-Id: I91506efb659c431e913c717d8a26aa349fccbd75
Signed-off-by: Ed Tanous <etanous@nvidia.com>

show more ...