[CentOS] C7, encryption, and clevis

Fri Jun 8 15:42:58 UTC 2018
Noam Bernstein <noam.bernstein at nrl.navy.mil>

> On Jun 8, 2018, at 11:27 AM, m.roth at 5-cent.us wrote:
> John Hodrien wrote:
>> On Fri, 8 Jun 2018, m.roth at 5-cent.us wrote:
>>> We've been required to encrypt h/ds, and so have been rolling that out
>>> over the last year or so. Thing is, you need to put in a password, of
>>> course, to boot the system. My manager found a way to allow us to reboot
>>> without being at the system's keyboard, a package called clevis. Works
>>> fine... except in a couple of very special cases.
>>> Those systems, the problem is that, due to older software, and *very*
>>> expensive licenses that are tied to a MAC address, I have to spoof the
>>> MAC address since my users got new(er) machines.
>>> Clevis is trying to contact its password server, using the *real* MAC
>>> address, but our DHCP has to serve the *spoofed* MAC address. I know,
>>> from trying, that I can't have two entries for the same system. Can anyone
>>> suggest a solution?
>> Nothing wrong with having two MAC addresses listed for one IP.  With ISC
>> DHCP the label for a host has to be unique, but the hostname doesn't.
> The IP's not the problem, it's dhcpd gagging on two entries, two MAC
> addresses, for the same server name - think dhcpd.conf.local

From the dhcpd.conf man page:

If it is desirable to be able to boot a DHCP or BOOTP client on more than one subnet with fixed v4 addresses, more than one address may be specified in the fixed-address declaration, or more than one host statement may be specified matching the same client.
The fixed-address6 declaration is used for v6 addresses. At this time it only works with a single address. For multiple addresses specify multiple host statements.
If client-specific boot parameters must change based on the network to which the client is attached, then multiple host declarations should be used. The host declarations will only match a client if one of their fixed-address statements is viable on the subnet (or shared network) where the client is attached. Conversely, for a host declaration to match a client being allocated a dynamic address, it must not have any fixed-address statements. You may therefore need a mixture of host declarations for any given client... some having fixed-address statements, others without.
hostname should be a name identifying the host. If a hostname option is not specified for the host, hostname is used.

You need multiple host entries, with different labels on the “host” line, different MAC addresses, same IP, same hostname.
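As an added illustration (not part of the thread or of the dhcpd.conf man page), this is what such a pair of host declarations looks like in ISC dhcpd.conf: one entry matches the NIC's real MAC, which the Clevis unlock uses during early boot, and the other matches the MAC spoofed later for the licensed software. The labels and MACs differ; the fixed-address and host-name are the same. The subnet, addresses, MACs and names are constructed placeholders.

```conf
# Added example, not from the thread. Two host statements for one machine:
# ISC dhcpd requires the label after "host" to be unique and the hardware
# address to be unique, but the same fixed-address and host-name may repeat.

# Constructed subnet so dhcpd will serve the interface at all (192.0.2.0/24
# is a documentation range).
subnet 192.0.2.0 netmask 255.255.255.0 {
  option routers 192.0.2.1;
}

# Entry 1: the burned-in MAC, used when the initramfs brings the NIC up and
# Clevis contacts its unlock server before the root filesystem is open.
host licbox-real {
  hardware ethernet 00:00:5e:00:53:01;   # placeholder real MAC
  fixed-address 192.0.2.50;
  option host-name "licbox";
}

# Entry 2: the spoofed MAC set after boot to satisfy the MAC-bound licence.
host licbox-spoof {
  hardware ethernet 00:00:5e:00:53:02;   # placeholder spoofed MAC
  fixed-address 192.0.2.50;              # same IP as above
  option host-name "licbox";             # same hostname as above
}
```

Check the result before restarting the daemon with `dhcpd -t -cf /etc/dhcp/dhcpd.conf`, which parses the file without serving; a duplicate label or a duplicate hardware address is reported there, whereas the repeated fixed-address and host-name pass, as the man page excerpt above says they should.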