[CentOS] C7, encryption, and clevis

Noam Bernstein noam.bernstein at nrl.navy.mil
Fri Jun 8 15:42:58 UTC 2018


> On Jun 8, 2018, at 11:27 AM, m.roth at 5-cent.us wrote:
> 
> John Hodrien wrote:
>> On Fri, 8 Jun 2018, m.roth at 5-cent.us wrote:
>> 
>>> We've been required to encrypt h/ds, and so have been rolling that out
>>> over the last year or so. Thing is, you need to put in a password, of
>>> course, to boot the system. My manager found a way to allow us to reboot
>>> without being at the system's keyboard, a package called clevis. Works
>>> fine... except in a couple of very special cases.
>>> 
>>> Those systems, the problem is that, due to older software, and *very*
>>> expensive licenses that are tied to a MAC address, I have to spoof the
>>> MAC address since my users got new(er) machines.
>>> 
>>> Clevis is trying to contact its password server, using the *real* MAC
>>> address, but our DHCP has to serve the *spoofed* MAC address. I know,
>>> from trying, that I can't have two entries for the same system. Can anyone
>>> suggest a solution?
>> 
>> Nothing wrong with having two MAC addresses listed for one IP.  With ISC
>> DHCP the label for a host has to be unique, but the hostname doesn't.
> 
> The IP's not the problem, it's dhcpd gagging on two entries, two MAC
> addresses, for the same server name - think dhcpd.conf.local

From the dhcpd.conf man page:

If it is desirable to be able to boot a DHCP or BOOTP client on more than one subnet with fixed v4 addresses, more than one address may be specified in the fixed-address declaration, or more than one host statement may be specified matching the same client.
The fixed-address6 declaration is used for v6 addresses. At this time it only works with a single address. For multiple addresses specify multiple host statements.
If client-specific boot parameters must change based on the network to which the client is attached, then multiple host declarations should be used. The host declarations will only match a client if one of their fixed-address statements is viable on the subnet (or shared network) where the client is attached. Conversely, for a host declaration to match a client being allocated a dynamic address, it must not have any fixed-address statements. You may therefore need a mixture of host declarations for any given client...some having fixed-address statements, others without.
hostname should be a name identifying the host. If a hostname option is not specified for the host, hostname is used.

You need multiple host entries, with different labels on the “host” line, different MAC address, same IP, same hostname.
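A dhcpd.conf fragment showing the arrangement described above, added here as an illustration and not taken from the thread; the subnet, the hostname "workstation1" and both MAC addresses are placeholders.

```conf
# Added example, not from the mailing list thread. Two ISC dhcpd host
# declarations for one physical machine: the labels after "host" must be
# unique, but the hostname, fixed-address and options may repeat.
# Subnet, hostname and MAC addresses below are placeholders (assumption).

subnet 192.0.2.0 netmask 255.255.255.0 {
    option routers 192.0.2.1;
    option domain-name-servers 192.0.2.53;
    range 192.0.2.100 192.0.2.200;
}

# Real (burned-in) MAC: what the initramfs presents while clevis is
# contacting its unlock server, before the OS applies the spoofed address.
host workstation1-real {
    # placeholder MAC (assumption)
    hardware ethernet 00:00:5e:00:53:01;
    fixed-address 192.0.2.50;
    option host-name "workstation1";
}

# Spoofed MAC that the booted OS presents (the one the MAC-locked
# license expects). Same IP, same hostname, different label and MAC.
host workstation1-spoofed {
    # placeholder MAC (assumption)
    hardware ethernet 00:00:5e:00:53:02;
    fixed-address 192.0.2.50;
    option host-name "workstation1";
}
```

Run `dhcpd -t -cf /etc/dhcp/dhcpd.conf` to syntax-check the file before restarting the service; a duplicate `host` label is reported there rather than at runtime.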
