Re: C7, encryption, and clevis

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]





On 06/08/18 10:27, m.roth@xxxxxxxxx wrote:
John Hodrien wrote:
On Fri, 8 Jun 2018, m.roth@xxxxxxxxx wrote:

We've been required to encrypt h/ds, and so have been rolling that out
over the last year or so. Thing is, you need to put in a password, of
course, to boot the system. My manager found a way to allow us to reboot
without being at the system's keyboard, a package called clevis. Works
fine... except in a couple of very special cases.

Those systems, the problem is that, due to older software, and *very*
expensive licenses that are tied to a MAC address, I have to spoof the
MAC address since my users got new(er) machines.

Clevis is trying to contact its password server, using the *real* MAC
address, but our DHCP has to serve the *spoofed* MAC address. I know,
from trying, that I can't have two entries for the same system. Can anyone
suggest a solution?

Nothing wrong with having two MAC addresses listed for one IP.  With ISC
DHCP the label for a host has to be unique, but the hostname doesn't.

The IP's not the problem, it's dhcpd gagging on two entries, two MAC
addresses, for the same server name - think dhcpd.conf.local

When I have a machine that can comes with different MAC addresses, and I have to give it the same IP, here is what I have in DHCP server configuration (Mac addresses and IP address are obfuscated below):

# tricky machine
host tricky {
  hardware ethernet xx:xx:xx:xx:xx:xx;
  fixed-address A.B.C.D;
}

# tricky machine again
host tricky1 {
  hardware ethernet yy:yy:yy:yy:yy:yy;
  fixed-address A.B.C.D;
}

# and a bunch of other configs for the same machine

The only trouble here will be if both MAC addresses request IP and and are both present, in that case DHCP server will offer that same static IP to the second request from different MAC address as well, but DHCP client (if smart) will check the presence of the IP address on the network already, and will not use that IP if it is already used and will send new request, and this will go on till first hardware stops using that IP address.

Those are "tricky", "tricky1", ... labels that John mentioned should be unique, and they are only known to DHCP server.

<rant>
There are a bunch of Out Of Band management creeps that sit on the first network interface and come up when AC is connected no matter whether the system is up or not. And they come with different MAC address. And these are the ones that you can not assign the same IP as that the machine itself is supposed to have. Sorry about little rant, these creepy things are sysadmin's disaster, - UNIX sysadmin's disaster I meant. Or Windows sysadmin's best friend, I figure. Like in the phrase I'm stealing from one Windows sysadmin whom I respect a lot: "Did you try to power cycle the machine and see if it solves that?"
</rant>

I hope, this helps.

Valeri


      mark

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos


--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos



[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]


  Powered by Linux