[CentOS] C7, encryption, and clevis

Fri Jun 8 17:01:17 UTC 2018
m.roth at 5-cent.us <m.roth at 5-cent.us>

Valeri Galtsev wrote:
> On 06/08/18 10:27, m.roth at 5-cent.us wrote:
>> John Hodrien wrote:
>>> On Fri, 8 Jun 2018, m.roth at 5-cent.us wrote:
>>>> We've been required to encrypt h/ds, and so have been rolling that out
>>>> over the last year or so. Thing is, you need to put in a password, of
>>>> course, to boot the system. My manager found a way to allow us to
>>>> reboot without being at the system's keyboard, a package called
>>>> clevis. Works fine... except in a couple of very special cases.
>>>> Those systems, the problem is that, due to older software, and *very*
>>>> expensive licenses that are tied to a MAC address, I have to spoof the
>>>> MAC address since my users got new(er) machines.
>>>> Clevis is trying to contact its password server, using the *real* MAC
>>>> address, but our DHCP has to serve the *spoofed* MAC address. I know,
>>>> from trying, that I can't have two entries for the same system. Can
>>>> anyone suggest a solution?
>>> Nothing wrong with having two MAC addresses listed for one IP.  With
>>> ISC DHCP the label for a host has to be unique, but the hostname doesn't.
>> The IP's not the problem, it's dhcpd gagging on two entries, two MAC
>> addresses, for the same server name - think dhcpd.conf.local
> When I have a machine that can comes with different MAC addresses, and I
> have to give it the same IP, here is what I have in DHCP server
> configuration (Mac addresses and IP address are obfuscated below):
> # tricky machine
> host tricky {
>    hardware ethernet xx:xx:xx:xx:xx:xx;
>    fixed-address A.B.C.D;
> }
> # tricky machine again
> host tricky1 {
>    hardware ethernet yy:yy:yy:yy:yy:yy;
>    fixed-address A.B.C.D;
> }
Hmmm... wonder if it will gag - we don't put the IP in that, that comes
from DNS. The format we use is
   host <host <shortname> P hardware ethernet <MAC address>; fixed-address

so if it would work, replace shortname with short and short1?