Re: CentOS 7, systemd, NetworkMangler, oh, my




On 02/14/2017 08:40 PM, Alice Wonder wrote:
On 02/14/2017 06:49 AM, Johnny Hughes wrote:


But as Linux installs become more and more complicated and it is not
some individual machines in a rack but clouds, clusters, and containers
with software defined networking and individual segments for specific
applications spread out within the network, only talking to one another
.. etc.  Well, NM will be much more important.

All due respect, when we drop KISS it is rarely a good thing.

Issue I am dealing with right now - all my VMs with linode are CentOS 7.

Three of them are nameservers, I have to run my own because some of my
sites - I use certificate authorities but do not trust them, DNSSEC with
DANE is a must, and with DNSSEC the only way to make sure I'm the only
one with access to the private signing key is to manage the zone files
myself.

One of the VMs (in London data center) was recently migrated to a
different machine, I think because of a bad fan in the server.

NSD never properly came up. After investigation, it is because the IPv6
address changed.

Trying to figure out why the IPv6 address changed has been a nightmare.

Linode support suspects the reason is because the VM is using slaac
private to request the IP address instead of slaac hwaddr - and
suggested that I change the /etc/dhcpcd.conf file.

Well CentOS 7 doesn't use that, and trying to figure out where in the
mess of /etc/sysconfig/network-scripts the problem is occurring has
caused me much frustration.

Why the bleep can't stuff like this be simple KISS with simple key=value
configuration files?

So for now, that particular nameserver is only IPv4 until I figure it
out, and modifying the network scripts to try and figure out how to fix
it raises my blood pressure because if a modification causes the IPv4
not to work, recovering becomes a real PITA.
_______________________________________________

As far as me not trusting certificate authorities - I read a Netcraft report a year ago or so that estimated about 100 fraudulent TLS certificates that browsers accept as valid are issued every month.

PKI is seriously broken, it depends upon trusting certificate authorities that have repeatedly demonstrated they put profit over proper validation before issuing certificates.

DNSSEC + DANE is the only viable solution, and DANE really only is secure when you know no one else has access to the private KSK and ZSK and that pretty much means running your own authoritative nameservers, where a stable IP address is a must and VMs like what linode offers are the most cost effective way of making sure you have enough in geographically diverse locations.

It's a shame that Network Manager makes things so difficult, dhcp is how VM hosting services assign the IP addresses and they really shouldn't change.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
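
The message above turns on whether the VM forms its SLAAC address in "private" or "hwaddr" mode. As an added example (not part of the original post or of any CentOS or Linode tooling), the following Python computes the address that hwaddr mode (modified EUI-64) yields for a given /64 prefix and MAC and compares it with the address the interface actually has. The prefix, MAC and observed addresses are constructed sample values.

```python
import ipaddress


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address formed from a /64 prefix and a MAC (modified EUI-64, RFC 4291)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the two MAC halves.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return net[int.from_bytes(iid, "big")]


def classify(observed: str, prefix: str, mac: str) -> str:
    """Say whether an observed address is the hwaddr-derived one for this NIC."""
    addr = ipaddress.IPv6Address(observed)
    if addr not in ipaddress.IPv6Network(prefix):
        return "outside-prefix"
    if addr == eui64_address(prefix, mac):
        return "hwaddr"
    # Same prefix, different interface identifier: privacy/stable-privacy,
    # DHCPv6 or a static assignment, but not derived from this MAC.
    return "not-hwaddr"


if __name__ == "__main__":
    # Constructed sample values (documentation prefix, made-up MAC).
    PREFIX = "2001:db8:1:2::/64"
    MAC = "52:54:00:12:34:56"
    print("expected hwaddr address:", eui64_address(PREFIX, MAC))
    for observed in ("2001:db8:1:2:5054:ff:fe12:3456",
                     "2001:db8:1:2:a1b2:c3d4:e5f6:789"):
        print(observed, "->", classify(observed, PREFIX, MAC))
```

On NetworkManager the corresponding per-connection property is `ipv6.addr-gen-mode`, with values `eui64` and `stable-privacy`.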


