Currently all firmware updates are applied via 1 of 3 means, all labor intensive in one form or another:
- Dell: via the HTTPS interface of the iDRAC: logging in to the web interface, clicking through 2 different menus to get to the firmware upload screen, then 3 more click-throughs and upload options, then monitoring.
- Dell: via onsite staff running their own TFTP server on a laptop plugged directly into the mgmt network; they can then use a single command to apply firmware via TFTP.
- HP: BIOS and ILOM via HTTPS; everything else (and including BIOS and ILOM) via the HP SPP ISO and a crash cart.
A) single ftp server solution - punch the required holes in our network ACLs to allow our mgmt network to access the TFTP servers we already run for PXE loads.
Pros: scales within our current infrastructure (no unicorns)
Cons: the mgmt network becomes accessible from our install servers; currently this access is restricted to our bastion and cumin hosts for ssh, and cumin hosts for other protocols.
B) dual ftp server solution - create a ganeti instance (on our existing ganeti cluster) and a tftp role to run just our firmware updates for dcops
Pros: this ganeti instance could use internal ip and thus be further isolated from the outer world, keeping non ssh access to mgmt restricted to internal ip hosts only (cumin and then this proposed host)
Cons: have to build and maintain another tftp server role within our infrastructure
This solution would also likely be leveraged by automation in future projects to automate firmware updates for hosts (currently an unassigned long-term project). Since it would then include their automation, we likely want their input on this as well. Papaul has regular sync-ups with that team and must regularly update firmware on hosts, so he has been added to this task as a subscriber. Chris has been added as someone who has to regularly update firmware on hosts, and Willy has been included to keep him apprised of potential changes to our workflows. (In this case, it would likely simplify workflows, reducing all Dell firmware updates to a single iDRAC command line versus multiple GUI steps or the command-line solution with local laptop use.)
Edit note: This task originally suggested TFTP, but testing with firmware shows that TFTP can only be used to update the iDRAC firmware. The firmware of the devices (BIOS, NICs, RAID, etc.) must be updated via FTP, not TFTP.