what is dset?
DSET is “Dell System E-Support Tool”, it is available for windows, 32bit linux and 64 bit linux. Essentially dell uses this tool to gather information about your server to help them troubleshoot. I’m only writing about the 64 bit linux version.
why do you care?
If you call dell tech support sooner or later (sooner I’m betting) they are going to ask for a dset. I wanted to dig into, what they are gathering and share with my fellow sysadmins.
I had a raid controller battery go bad after 2 years, still under warranty, but dell wanted a dset. Never mind I had a dmidecode for the firmware versions and some megacli64 output to show the battery reports, they wanted a dset.
Here’s how my conversation went:
dell: There is a firmware bug that falsely reports a bad battery when your battery is still good, we are going to need a dset.
me: does dset need root?
me: what does it need root for, as in, what exactly is it running?
dell: I don’t know.
me: okay I’ll download it, check it out, and call you back.
I’m in the medical industry, so installing new/unvetted software on production servers is usually a no-no, and it makes me nervous. So I wasn’t about to install it without some testing and analysis (on a blank virtual machine).
In fairness to dell, I could have said “I’m a gold customer with a 4 hour turnaround, ship me the new battery now please” and they would have. but I like to be co-operative with my fellow techies if I can.
I’m not one to trust binaries that need to be run as root very much, so let’s take a look at what we are getting ourselves into.
Here’s dell’s dset page
at time of writing the latest version is 188.8.131.52_x64_A01.bin
Due to running this on a virtual machine it didn’t want to install from running the script, so I extracted it manually via:
tail -n+20 dell-dset-184.108.40.206_x64_A01.bin | tar -xvz
The tarball doesn’t make it’s own directory it litters a bit in your current directory (shame shame).
The install.sh does a bunch of pre-checks to see if you have supported hardware before collecting it’s data. It’s fairly simple to disable the check and run it anyway or add your system to the ‘support_hw_list’ or just copy some exports from the install script and run (more on this later).
Once it decides it will install it will install one/some/all of the following depending on what options you choose:
rpm -Uhv rpms/srvadmin-hapi* >/dev/null 2>&1 rpm -Uhv rpms/srvadmin-storelib-sysfs*.rpm >/dev/null 2>&1 rpm -Uhv rpms/dell-dset-common* --nodeps >/dev/null 2>&1 rpm -Uhv rpms/dell-dset-collector* --nodeps >/dev/null 2>&1 rpm -Uhv rpms/dell-dset-provider* --nodeps >/dev/null 2>&1
rpm -ihv rpms/RHEL/sblim-sfcb*.rpm --nodeps >/dev/null 2>&1 rpm -Uhv rpms/RHEL/sblim-cmpi-base*.rpm --nodeps >/dev/null 2>&1
rpm -Uhv rpms/SLES/cim-schema*.rpm >/dev/null 2>&1 rpm -ihv rpms/SLES/sblim-sfcb*.rpm --nodeps >/dev/null 2>&1 rpm -Uhv rpms/SLES/sblim-indication_helper*.rpm >/dev/null 2>&1 rpm -Uhv rpms/SLES/sblim-cmpi-base*.rpm --nodeps >/dev/null 2>&1
Okay, I’m not a fan of the –nodeps, but if they are staying in their own sandbox I can forgive them. So let’s find out. On the first set of rpms:
$ rpm -qlp *.rpm |grep -v "^/opt" /etc/init.d/dsm_sa_ipmi /etc/init.d/instsvcdrv /etc/ld.so.conf.d/srvadmin-hapi-x86_64.conf /etc/sysconfig/dsm_sa_ipmi /usr/lib64/libdchapi.so.5 /usr/lib64/libdchapi64.so /usr/lib64/libdchbas.so.5 /usr/lib64/libdchbas64.so /usr/lib64/libdchcfl.so.5 /usr/lib64/libdchcfl64.so /usr/lib64/libdchesm.so.5 /usr/lib64/libdchesm64.so /usr/lib64/libdchipm.so.5 /usr/lib64/libdchipm64.so /usr/lib64/libdchtvm.so.5 /usr/lib64/libdchtvm64.so
Alright, not going to install this in the production environment already, but lets throw caution to the wind on this vm.
I’m running centos, so depending on what options I select, the dset installer may install sblim (sublime), with nodeps of course. This could be problematic if you are also using the epel sublime package.
At least they are no longer using rpm –force –nodeps like they were in previous versions of dset (which they still get you to use if you are using rhel 5.x)).
The install.sh parses out what you want to do and runs the ‘collector’ program with the various options (more on this later).
Going to play with the dell-dset*.rpm’s first.
For fun I looked at a rpm -ivh dell-dset*.rpm to see what dependencies I was about to ignore. What’s weird is they are packaging all of their dependencies, so I’m not sure why they don’t just update the spec to do a provides: bla and fix it. Maybe they are trying not to mess with the rpm database, but if that was the case, why are we using rpms at all? Running rpm –nodeps is almost the same as doing a tarball. How much stuff are they doing in their rpm’s %pre and %post that they can’t do in their install script? I digress.
Let’s get this installed.
rpm --nodeps -ivh dell-dset*.rpm
This will install to /opt/dell/advdiags/dset
cd /opt/dell/advdiags/dset/bin ./collector --help File "/usr/lib/python3.1/site-packages/cx_Freeze/initscripts/Console3.py", line 27, in <module>
Now we know it’s a python 3.1 script. :)
$ file collector collector: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.4, stripped
But not something we can easily look at without getting a python decompiler or strace involved.
Our paths won’t be correct but dell gave us a collector.sh which will setup the correct paths for you (and restore your old path when you are done) that’s nice.
there we go. a nice help file so we can figure out what we want to do. Being that I’m on a vm, the hardware option isn’t going to do much for me. So I’ll start with the software.
./collector.sh -d sw
It asks right away for my root password (I’m already running it as root). If I reached this stage in production I would abort, but I’m on a vm, so I’ll break out and change root to ‘1234’ and run it again. But not to worry, the dset documentation states:
NOTE: Root credentials are necessary for the DSET Provider to collect inventory or configuration information about the system. DSET does not store this password. The root password must be specified each time a report is collected.
We’ll find out if this is true or not shortly.
./collector.sh -d sw -p 1234
huzzah! I have a report.
./collector.sh -d sw -p 1234 -v yes
Now I have a report with privacy enabled to compare.
The report gets thrown into a passworded zip file. The password is completely meaningless as, if you unzip it with no password, it unzips a text file which tells you the password is ‘dell’. So I unzip’ed again this time with the super secret password. The password is the same in privacy mode or non privacy mode.
The non privacy report
The non privacy report gathers it’s data from many cfg files and logs. It also parses the data into xml/xsl pages which I assume dell has a nice tool to go through quickly to see what’s what.
From looking at the logs directory the collector is gathering the following:
cat boot/grub/menu.lst cat boot/grub/device.map ls /boot uptime cat /proc/meminfo lsmod cat /etc/modprobe.conf cat lib/modules/current/modules.dep ifconfig cat /etc/resolv.conf cat /etc/hosts cat /etc/sysconfig/network-scripts/ifcfg-* df cat /proc/scsi/scsi fdisk -l free hostname list of all installed rpms / versions / etc iptables dump ldconfig lspci mount osversion print's environment settings ps pstree route (old school route not ip route ls, shame shame) selinux policies runs thru the init.d and does a service status on each sestatus uname
See that ps up there?
grep "collector" ps root 20589 13.0 1.5 133620 15408 pts/1 S+ 23:17 0:00 ./collector -d sw -p 1234
So much for not saving my root password. It also shows up in:
Before anyone gets mad at dell: I’m running this in a non standard way, if I used the install.sh the script would not use the -p option, and would instead prompt me for a password (which would not show up in the processlist). Still not sure why it wants me to type the root password when I am already running it as root, but ok.
Next the collector has straight up copied my:
boot/grub/grub.conf boot/grub/menu.lst etc/aliases etc/cron* (crontab, crondirs, etc) etc/fstab etc/host* etc/ld.so.conf etc/modprobe.conf etc/redhat-release etc/resolv.conf etc/sysctl.conf etc/mail/sendmail.cf etc/pam.d/* (WAT?) etc/sysconfig/* (entire dir and subdirs) etc/X11/XF86Config lib/modules/current/modules.dep proc/ (many files copied here, 778) var/log/dmesg var/log/messages
This is WAY to much information to send to dell for any reason. How are you sending it to dell as well? I sure wouldn’t email it.
The privacy report
In the privacy report you get a lot less data. The logs directory is now blank, so everything is in the gui directory only. Which means we get to go through some annoying xml/xls (note: I find all xml/xsl annoying (don’t ask)). Allot of the same data is gathered, but now just dumped into xml.
We are gathering:
/boot/grub/grub.conf ls /boot ls /boot/grub cat boot/grub/device.map chassis info etc/X11/XF86Config lsmod cat /etc/modprobe.conf cat lib/modules/current/modules.dep list all rpms / publisher / size / install date, urlinfo, description hardware io ranges hardware irq info cat /proc/meminfo cat /etc/fstab ifconfig (with ip info and mac addresses "Omitted by user") cat resolv.conf (everything is omitted by user but domain is still listed. WAT?) runs thru the init.d and does a service status on each storage info (df info) os version and kernel connected usb devices
I like how the kernel version is omitted in the uname but is in the syssumlist. Heh.
The collector script has many different options, I don’t have any non-production dell gear right now, so I’m not willing to run the hardware report on a server that has hardware to run it on.
I ran the -lg and -ad options in the collector as well, but there was no difference to the sw logs. I imagine this would be different if I was running on an actual dell machine with actual dell hardware instead of the virtual machine that I’m running this on. :)
I won’t be running the dset tool on any production gear because:
- The package installation could cause issues with your system (not staying in /opt/dell, using –nodeps, conflicting sblim package with epel’s)
- It wants your root password to be entered at a prompt of a python program, even if you are currently root
- the non privacy report gathers way to much info about your system, under no circumstances should this be sent to anyone ever.
- the password on the report zip is incredible insecure
- add the domain in the resolv.conf to private information, or just don’t parse the resolv.conf at all
So what happened?
I told the dell tech that I couldn’t run the dset tool due to dset doing some bad behaviors; but I had a dmidecode, and some megacli logs to send.
After dell reviewed the logs I emailed they shipped me a new battery.
don’t run dset. If you absolutely must use dset, use the privacy option.