John Hodrien wrote:
> On Fri, 8 Jun 2018, m.roth at 5-cent.us wrote:
>
>> We've been required to encrypt h/ds, and so have been rolling that out
>> over the last year or so. Thing is, you need to put in a password, of
>> course, to boot the system. My manager found a way to allow us to reboot
>> without being at the system's keyboard, a package called clevis. Works
>> fine... except in a couple of very special cases.
>>
>> Those systems, the problem is that, due to older software, and *very*
>> expensive licenses that are tied to a MAC address, I have to spoof the
>> MAC address since my users got new(er) machines.
>>
>> Clevis is trying to contact its password server, using the *real* MAC
>> address, but our DHCP has to serve the *spoofed* MAC address. I know,
>> from trying, that I can't have two entries for the same system. Can anyone
>> suggest a solution?
>
> Nothing wrong with having two MAC addresses listed for one IP. With ISC
> DHCP the label for a host has to be unique, but the hostname doesn't.

The IP's not the problem, it's dhcpd gagging on two entries, two MAC
addresses, for the same server name - think dhcpd.conf.local

mark

> On Jun 8, 2018, at 11:27 AM, m.roth at 5-cent.us wrote:
>
> John Hodrien wrote:
>> On Fri, 8 Jun 2018, m.roth at 5-cent.us wrote:
>>
>>> We've been required to encrypt h/ds, and so have been rolling that out
>>> over the last year or so. Thing is, you need to put in a password, of
>>> course, to boot the system. My manager found a way to allow us to reboot
>>> without being at the system's keyboard, a package called clevis. Works
>>> fine... except in a couple of very special cases.
>>>
>>> Those systems, the problem is that, due to older software, and *very*
>>> expensive licenses that are tied to a MAC address, I have to spoof the
>>> MAC address since my users got new(er) machines.
>>>
>>> Clevis is trying to contact its password server, using the *real* MAC
>>> address, but our DHCP has to serve the *spoofed* MAC address. I know,
>>> from trying, that I can't have two entries for the same system. Can anyone
>>> suggest a solution?
>>
>> Nothing wrong with having two MAC addresses listed for one IP. With ISC
>> DHCP the label for a host has to be unique, but the hostname doesn't.
>
> The IP's not the problem, it's dhcpd gagging on two entries, two MAC
> addresses, for the same server name - think dhcpd.conf.local

From the dhcpd.conf man page:

If it is desirable to be able to boot a DHCP or BOOTP client on more than
one subnet with fixed v4 addresses, more than one address may be specified
in the fixed-address declaration, or more than one host statement may be
specified matching the same client.

The fixed-address6 declaration is used for v6 addresses. At this time it
only works with a single address. For multiple addresses specify multiple
host statements.

If client-specific boot parameters must change based on the network to
which the client is attached, then multiple host declarations should be
used. The host declarations will only match a client if one of their
fixed-address statements is viable on the subnet (or shared network) where
the client is attached. Conversely, for a host declaration to match a
client being allocated a dynamic address, it must not have any
fixed-address statements. You may therefore need a mixture of host
declarations for any given client...some having fixed-address statements,
others without.

hostname should be a name identifying the host. If a hostname option is
not specified for the host, hostname is used.

You need multiple host entries, with different labels on the "host" line,
different MAC address, same IP, same hostname.

On 06/08/18 10:27, m.roth at 5-cent.us wrote:
> John Hodrien wrote:
>> On Fri, 8 Jun 2018, m.roth at 5-cent.us wrote:
>>
>>> We've been required to encrypt h/ds, and so have been rolling that out
>>> over the last year or so. Thing is, you need to put in a password, of
>>> course, to boot the system. My manager found a way to allow us to reboot
>>> without being at the system's keyboard, a package called clevis. Works
>>> fine... except in a couple of very special cases.
>>>
>>> Those systems, the problem is that, due to older software, and *very*
>>> expensive licenses that are tied to a MAC address, I have to spoof the
>>> MAC address since my users got new(er) machines.
>>>
>>> Clevis is trying to contact its password server, using the *real* MAC
>>> address, but our DHCP has to serve the *spoofed* MAC address. I know,
>>> from trying, that I can't have two entries for the same system. Can anyone
>>> suggest a solution?
>>
>> Nothing wrong with having two MAC addresses listed for one IP. With ISC
>> DHCP the label for a host has to be unique, but the hostname doesn't.
>
> The IP's not the problem, it's dhcpd gagging on two entries, two MAC
> addresses, for the same server name - think dhcpd.conf.local

When I have a machine that can come with different MAC addresses, and I
have to give it the same IP, here is what I have in DHCP server
configuration (MAC addresses and IP address are obfuscated below):

# tricky machine
host tricky {
    hardware ethernet xx:xx:xx:xx:xx:xx;
    fixed-address A.B.C.D;
}

# tricky machine again
host tricky1 {
    hardware ethernet yy:yy:yy:yy:yy:yy;
    fixed-address A.B.C.D;
}

# and a bunch of other configs for the same machine

The only trouble here will be if both MAC addresses request IP and are
both present, in that case DHCP server will offer that same static IP to
the second request from different MAC address as well, but DHCP client (if
smart) will check the presence of the IP address on the network already,
and will not use that IP if it is already used and will send new request,
and this will go on till first hardware stops using that IP address.

Those are "tricky", "tricky1", ... labels that John mentioned should be
unique, and they are only known to DHCP server.

<rant>
There are a bunch of Out Of Band management creeps that sit on the first
network interface and come up when AC is connected no matter whether the
system is up or not. And they come with different MAC address. And these
are the ones that you can not assign the same IP as that the machine
itself is supposed to have. Sorry about little rant, these creepy things
are sysadmin's disaster, - UNIX sysadmin's disaster I meant. Or Windows
sysadmin's best friend, I figure. Like in the phrase I'm stealing from one
Windows sysadmin whom I respect a lot: "Did you try to power cycle the
machine and see if it solves that?"
</rant>

I hope this helps.

Valeri

>
> mark

-- 
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

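A check for the rule discussed in the messages above, as an added example that is not part of any poster's message: it scans dhcpd.conf text for host labels used more than once (the part the thread says must be unique) and reports fixed addresses shared by different MACs, which are allowed but subject to the both-present caveat. The function names, sample config, labels, MACs and addresses are constructed placeholders, and the parser assumes flat host blocks with `#` comments.

```python
import re
from collections import defaultdict

# Constructed sample: documentation-range MACs and addresses, not real hosts.
SAMPLE = """
# tricky machine, real NIC address
host tricky  { hardware ethernet 00:00:5e:00:53:01; fixed-address 192.0.2.10; }
# tricky machine again, spoofed address
host tricky1 { hardware ethernet 00:00:5e:00:53:02; fixed-address 192.0.2.10; }
host other   { hardware ethernet 00:00:5e:00:53:03; fixed-address 192.0.2.11; }
# label reused by mistake: this is what the server refuses
host tricky  { hardware ethernet 00:00:5e:00:53:04; fixed-address 192.0.2.12; }
"""

HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware\s+ethernet\s+([0-9A-Fa-f:]+)\s*;")
ADDR_RE = re.compile(r"fixed-address\s+([^;]+);")


def parse_hosts(text):
    """Return (label, mac, [addresses]) for each flat host block."""
    text = re.sub(r"#.*", "", text)  # comments run to end of line
    hosts = []
    for label, body in HOST_RE.findall(text):
        mac = MAC_RE.search(body)
        addr = ADDR_RE.search(body)
        # fixed-address may list several addresses, or an FQDN
        addrs = [a.strip() for a in addr.group(1).split(",")] if addr else []
        hosts.append((label, mac.group(1).lower() if mac else None, addrs))
    return hosts


def lint(text):
    """Duplicate labels are errors; shared addresses are only reported."""
    labels, by_addr = defaultdict(int), defaultdict(list)
    for label, mac, addrs in parse_hosts(text):
        labels[label] += 1
        for a in addrs:
            by_addr[a].append((label, mac))
    duplicates = sorted(l for l, n in labels.items() if n > 1)
    shared = {a: v for a, v in by_addr.items() if len({m for _, m in v}) > 1}
    return duplicates, shared


if __name__ == "__main__":
    dups, shared = lint(SAMPLE)
    print("duplicate host labels:", dups)
    for addr, owners in shared.items():
        print(addr, "is offered to", owners)
```
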
Valeri Galtsev wrote:
>
>
> On 06/08/18 10:27, m.roth at 5-cent.us wrote:
>> John Hodrien wrote:
>>> On Fri, 8 Jun 2018, m.roth at 5-cent.us wrote:
>>>
>>>> We've been required to encrypt h/ds, and so have been rolling that out
>>>> over the last year or so. Thing is, you need to put in a password, of
>>>> course, to boot the system. My manager found a way to allow us to
>>>> reboot without being at the system's keyboard, a package called
>>>> clevis. Works fine... except in a couple of very special cases.
>>>>
>>>> Those systems, the problem is that, due to older software, and *very*
>>>> expensive licenses that are tied to a MAC address, I have to spoof the
>>>> MAC address since my users got new(er) machines.
>>>>
>>>> Clevis is trying to contact its password server, using the *real* MAC
>>>> address, but our DHCP has to serve the *spoofed* MAC address. I know,
>>>> from trying, that I can't have two entries for the same system. Can
>>>> anyone suggest a solution?
>>>
>>> Nothing wrong with having two MAC addresses listed for one IP. With
>>> ISC DHCP the label for a host has to be unique, but the hostname doesn't.
>>
>> The IP's not the problem, it's dhcpd gagging on two entries, two MAC
>> addresses, for the same server name - think dhcpd.conf.local
>
> When I have a machine that can come with different MAC addresses, and I
> have to give it the same IP, here is what I have in DHCP server
> configuration (MAC addresses and IP address are obfuscated below):
>
> # tricky machine
> host tricky {
>     hardware ethernet xx:xx:xx:xx:xx:xx;
>     fixed-address A.B.C.D;
> }
>
> # tricky machine again
> host tricky1 {
>     hardware ethernet yy:yy:yy:yy:yy:yy;
>     fixed-address A.B.C.D;
> }
>

Hmmm... wonder if it will gag - we don't put the IP in that, that comes
from DNS. The format we use is

    host <shortname> { hardware ethernet <MAC address>; fixed-address <fqdn>; }

so if it would work, replace shortname with short and short1?

mark