Manage Firmware Baselines¶
This guide walks you through creating firmware baselines, checking compliance across your fleet, and remediating non-compliant servers — all through the MOJO REST API.
Prerequisites
- A running MOJO instance with servers already discovered and registered
- Firmware binaries uploaded to the MOJO catalog (see Add a Firmware Bundle)
- An API token (see MOJO REST API — Authentication)
How Firmware Baselines Work¶
A firmware baseline is a named collection of firmware versions that defines the desired state for a group of servers. Instead of updating firmware one component at a time, you define the target versions once and apply them across your fleet.
The workflow follows four steps:
- Catalog — Firmware binaries already loaded into MOJO (BIOS, BMC, RAID controller, NIC, etc.)
- Baseline — A named collection grouping specific firmware versions for a server model
- Compliance — Compare each server's installed firmware against the baseline
- Remediation — Automatically update all non-compliant components in one request
Step 1: Authenticate¶
All API requests require a token. Obtain one and export it for the following steps:
export MOJOHOST="https://<your-mojo-ip>"
export TOKEN=$(curl -s -k -X POST \
-H "Content-Type: application/json" \
-d '{"username": "your_user", "password": "your_pass"}' \
${MOJOHOST}/api/token/ | jq -r '.access')
Token Lifetime
Tokens are valid for 24 hours by default. Use the refresh endpoint at /api/token/refresh/ to obtain a new access token without re-authenticating.
Step 2: Identify Your Firmware Binaries¶
Before creating a baseline, find the firmware binary IDs you want to include. List the available firmware update binaries:
curl -s -k \
-H "Authorization: Bearer ${TOKEN}" \
${MOJOHOST}/api/firmware/ | jq '.[] | {id, firmware_type, version, manufacturer, models}'
Note the id values for the binaries you want to group into a baseline. For example, a Dell R750 baseline might include:
- BIOS (id: 504) — version 1.12.2
- BMC/iDRAC (id: 505) — version 6.10.80.00
- PERC H755 (id: 506) — version 25.5.9.0001
Step 3: Create a Firmware Baseline¶
Create a baseline by providing a name, description, and the list of firmware binary IDs:
curl -s -k -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${TOKEN}" \
-d '{
"name": "Dell R750 Production Q1 2026",
"description": "BIOS 1.12.2, iDRAC 6.10.80.00, PERC H755 25.5.9.0001",
"firmware_binaries": [504, 505, 506]
}' \
${MOJOHOST}/api/firmware_baseline/
Response: 201 Created
{
"id": 1,
"firmware_binaries": [504, 505, 506],
"created_by": 1,
"name": "Dell R750 Production Q1 2026",
"description": "BIOS 1.12.2, iDRAC 6.10.80.00, PERC H755 25.5.9.0001",
"created_at": "2026-01-11T15:00:00.000000Z",
"updated_at": "2026-01-11T15:00:00.000000Z"
}
Unique Names
Baseline names must be unique. Attempting to create a baseline with a duplicate name returns 400 Bad Request.
Step 4: Check Compliance¶
With your baseline created, check which servers are out of compliance. You can check all compatible servers, a specific server, or an entire resource pool:
Example response:
{
"baseline_id": 1,
"baseline_name": "Dell R750 Production Q1 2026",
"servers": [
{
"server_id": 42,
"server_name": "r750-node01",
"overall_status": "non_compliant",
"components": [
{
"firmware_type": "bios",
"baseline_version": "1.12.2",
"current_version": "1.10.0",
"status": "non_compliant"
},
{
"firmware_type": "bmc",
"baseline_version": "6.10.80.00",
"current_version": "6.10.80.00",
"status": "compliant"
}
]
}
],
"summary": {
"total_servers": 1,
"compliant": 0,
"non_compliant": 1
}
}
Filter non-compliant servers with jq
Understanding Compliance Statuses¶
| Status | Meaning |
|---|---|
compliant |
Installed firmware version matches the baseline version |
non_compliant |
Installed firmware version differs from the baseline version |
unknown |
No matching firmware found for this component type on the server |
not_applicable |
The firmware binary is not compatible with this server model |
Step 5: Remediate Non-Compliant Servers¶
Once you've reviewed the compliance report, submit a remediation request to bring servers up to baseline:
Response: 201 Created — Returns the created request object, which you can track through the standard request API.
One API call to update an entire pool
The firmware baseline system replaces what would otherwise require dozens of individual API calls (one per firmware component per server) with a single remediation request. For a pool of 10 servers each needing 3 firmware updates, that's 1 API call instead of 30.
What Happens During Remediation¶
For each targeted server, the MOJO workflow engine:
- Runs a compliance check against the baseline to identify non-compliant components
- Logs current firmware versions (for audit trail)
- For each non-compliant component:
- Verifies the firmware binary is downloadable and checksum-valid
- Runs manufacturer-specific pre-steps (e.g., enter maintenance mode)
- Flashes the firmware via Redfish and waits for completion
- Runs manufacturer-specific post-steps (e.g., reboot if required)
- Logs new firmware versions (for audit trail)
Updating a Single Firmware Component¶
If you need to push a single firmware binary to specific servers without creating a full baseline, use the individual firmware update endpoint:
curl -s -k -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${TOKEN}" \
-d '{
"data": {
"servers": [42, 43],
"firmware": 504,
"force_reinstall": true
}
}' \
${MOJOHOST}/api/requests/firmware_update/
Note
This endpoint updates one firmware component at a time. For multi-component updates across many servers, use the baseline workflow above.
Managing Baselines¶
List All Baselines¶
curl -s -k \
-H "Authorization: Bearer ${TOKEN}" \
${MOJOHOST}/api/firmware_baseline/ | jq '.[] | {id, name, description}'
Update a Baseline¶
Use PATCH to update specific fields:
Firmware binaries are replaced, not appended
Setting firmware_binaries replaces the entire set. To add a new binary, include all existing IDs plus the new one.
Delete a Baseline¶
Response: 204 No Content — This does not delete the underlying firmware binaries, only the baseline grouping.
Next Steps¶
- Full API reference — See the MOJO REST API for detailed endpoint schemas, data models, and compliance detection internals
- Add firmware binaries — See Add a Firmware Bundle to prepare firmware for baselines
- Organize servers — See Resource Pools to group servers for pool-level compliance checks and remediation