dynamic ip ok for NFS/LDAP servers? Network Gurus?

Rick Stevens ricks at alldigital.com
Fri Nov 30 18:00:10 UTC 2012


On 11/30/2012 08:35 AM, Jack Craig issued this missive:
> Hi Folks,
>
> The following strikes me as wrong, but I am not a guru,
> so I thought to ask this forum where the wizards do live! :)
>
> Please consider a configuration with a single host providing NFS4
> /home directories for other hosts in a 6 host cluster. Further,
> openldap is on the same host to provide for authentication
> on all 6.
>
> The architect says it's OK to configure all hosts with DHCP,
> but I see the IP changing every day or two (many reboots due to setup).
>
> I am a huge fan of static IP for servers, but what do I know?! :(
>
> So, question: is DHCP OK for the 6 hosts in this config, or go static?
>
> More, static on server only maybe?

I am also a fan of static IPs for servers (indeed, anything providing
a fairly stable service of some kind). That being said, you can have
a DHCP server hand out a static IP to a machine by using a clause in
the DHCP config that specifies the MAC address of the machine's NIC and
the static IP, netmask, gateway and DNS servers you want it to have.

If you tie your DHCP server to your DNS service, whenever a DHCP address
is handed out it can update your DNS as well. This is probably the best
configuration to have and gives you more or less a single point of
control. You also potentially have a single point of failure (unless
you run redundant DHCP and DNS servers).

With LDAP: If you're worried about the "pam_check_host_attr" directive,
that's driven by the host name of the client machine (output of the
"hostname" command)--not its IP address.

If you're worried about the "uri" directives in LDAP, they'll take
either IPs or hostnames as arguments. Personally, I prefer a static IP
on LDAP servers and use of the IP address in the "uri" directives in
case DNS is down or misbehaving. This is really important if the only
way into a machine is via SSH, you've blocked root logins via SSH and
use LDAP as an authentication mechanism. We also create a non-root local
user on all machines (typically "admin") that can "sudo bash -l" in
case LDAP is down as well.

Keep in mind that we manage about 600 machines in two data centers and
are just SLIGHTLY paranoid about this sorta thing. We can't always just
"plug in a console" to get at a machine that's got problems.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks at alldigital.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-      Always remember you're unique, just like everyone else.       -
----------------------------------------------------------------------
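The MAC-keyed reservation and the DHCP-to-DNS tie-in described in the reply above, as an added example (this is illustrative code written for this page, not from the original thread or from ISC). It emits an ISC dhcpd.conf fragment from a constructed inventory: a subnet block carrying netmask, gateway and resolvers, the DDNS key/zone stanza, and one "host" clause per node. All hostnames, MACs, addresses, the zone and the key name are assumptions; the TSIG secret is a placeholder. Two caveats a practitioner hits in practice are built in: a malformed MAC aborts generation instead of producing a clause dhcpd will refuse to load, and update-static-leases is set because dhcpd does not update DNS for fixed-address hosts without it.

```shell
#!/bin/sh
# Added example, not code from the original thread: generate ISC dhcpd
# "host" reservations from a small inventory so every cluster node gets
# the same address on every lease, plus the DDNS stanza that lets dhcpd
# update DNS as it hands addresses out. All hostnames, MACs, addresses,
# zone names and the key name are made up for this example.

# Constructed inventory: hostname, NIC MAC, reserved address.
INVENTORY='nfs1  52:54:00:aa:bb:01 192.168.10.11
node2 52:54:00:aa:bb:02 192.168.10.12
node3 52:54:00:aa:bb:03 192.168.10.13'

# A MAC must be six colon-separated hex pairs, the form dhcpd expects
# after "hardware ethernet"; anything else is rejected before it reaches
# dhcpd.conf.
is_mac() {
    hx='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in
        $hx:$hx:$hx:$hx:$hx:$hx) return 0 ;;
        *) return 1 ;;
    esac
}

# Subnet-wide options (netmask, gateway, resolvers) that every
# reservation below inherits.
gen_subnet() {
    cat <<'EOF'
subnet 192.168.10.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option routers 192.168.10.1;
    option domain-name-servers 192.168.10.2;
    option domain-name "example.com";
}
EOF
}

# DDNS: dhcpd signs updates to the zones with a TSIG key that named must
# also know (allow-update / update-policy). The secret is a placeholder;
# make a real one with tsig-keygen. update-static-leases matters here:
# without it dhcpd does NOT update DNS for fixed-address hosts.
gen_ddns() {
    cat <<'EOF'
ddns-update-style interim;
ddns-updates on;
update-static-leases on;
ddns-domainname "example.com.";
key DHCP_UPDATER {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_TSIG_SECRET";
}
zone example.com. {
    primary 192.168.10.2;
    key DHCP_UPDATER;
}
zone 10.168.192.in-addr.arpa. {
    primary 192.168.10.2;
    key DHCP_UPDATER;
}
EOF
}

# One "host" clause per inventory line. dhcpd matches the client's MAC
# against "hardware ethernet" and answers with "fixed-address", so the
# node is DHCP-configured yet its IP never moves. ddns-hostname pins the
# DNS name to the inventory name instead of whatever the client claims.
# A malformed MAC aborts generation with a non-zero return.
gen_reservations() {
    inv=${1:-$INVENTORY}
    while read -r name mac ip; do
        [ -n "$name" ] || continue
        if ! is_mac "$mac"; then
            printf 'rejecting %s: bad MAC "%s"\n' "$name" "$mac" >&2
            return 1
        fi
        printf 'host %s {\n    hardware ethernet %s;\n    fixed-address %s;\n    ddns-hostname "%s";\n}\n' \
            "$name" "$mac" "$ip" "$name"
    done <<EOF
$inv
EOF
}

# Look up the address reserved for a hostname (empty if none).
reservation_for() {
    printf '%s\n' "$INVENTORY" | awk -v n="$1" '$1 == n { print $3 }'
}

# Usage: print a complete dhcpd.conf fragment to stdout.
gen_subnet
gen_ddns
gen_reservations
```

Drop the output into dhcpd.conf, give named the same key, and each node keeps its address and its forward/reverse records no matter how often it is rebooted during setup. Because the reservation is keyed on the MAC, swapping a NIC means editing the inventory; that is the one operational cost versus a static address on the host itself.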

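The two LDAP precautions in the reply (literal IPs in the "uri" directive so logins survive a DNS outage, and a local non-root sudo account for when LDAP itself is down) turned into a check, as an added example that is not part of the original message. The ldap.conf, passwd and sudoers text are constructed inline so it runs offline; the addresses, the "admin" user name and the example.com hosts are assumptions. On a real box you would feed it /etc/ldap.conf, /etc/passwd and the sudoers drop-in instead.

```shell
#!/bin/sh
# Added example, not code from the original message: check that the LDAP
# client's "uri" entries point at literal IPs (so logins survive a DNS
# outage) and that a non-root local account with sudo exists as a
# fallback for when LDAP itself is down. The ldap.conf, passwd and
# sudoers text below is constructed; addresses and names are made up.

# Constructed pam_ldap/nss_ldap style /etc/ldap.conf. The first uri is a
# literal IP; the second would need a working resolver at login time.
LDAP_CONF='base dc=example,dc=com
uri ldap://192.168.10.5/ ldap://ldap2.example.com/
ssl start_tls
pam_check_host_attr no'

# Constructed /etc/passwd and /etc/sudoers.d/admin content.
PASSWD='root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:Local admin:/home/admin:/bin/bash'
SUDOERS='admin ALL=(ALL) ALL'

# True if the argument is a dotted-quad IPv4 literal (four octets 0-255).
is_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Hosts named on every "uri" line, one per line, scheme/port/path stripped.
ldap_uri_hosts() {
    printf '%s\n' "$LDAP_CONF" \
        | awk '$1 == "uri" { for (i = 2; i <= NF; i++) print $i }' \
        | sed -e 's#^ldaps\{0,1\}://##' -e 's#[:/].*$##'
}

# The subset of those hosts that can only be reached via DNS.
dns_dependent_hosts() {
    ldap_uri_hosts | while read -r host; do
        is_ipv4 "$host" || printf '%s\n' "$host"
    done
}

# True if USER is a local, non-root account (in passwd, UID != 0) that
# sudoers grants unrestricted sudo, i.e. usable for "sudo bash -l"
# when LDAP is unreachable.
has_local_fallback() {
    uid=$(printf '%s\n' "$PASSWD" | awk -F: -v u="$1" '$1 == u { print $3 }')
    [ -n "$uid" ] && [ "$uid" -ne 0 ] || return 1
    printf '%s\n' "$SUDOERS" | grep -q "^$1[[:space:]]\{1,\}ALL=(ALL)[[:space:]]\{1,\}ALL"
}

# Overall verdict: 0 only when no uri needs DNS and a fallback exists.
audit() {
    ok=0
    for host in $(dns_dependent_hosts); do
        printf 'WARN: uri host %s needs DNS; use its IP in "uri" instead\n' "$host"
        ok=1
    done
    if ! has_local_fallback admin; then
        printf 'WARN: no local non-root sudo account for LDAP outages\n'
        ok=1
    fi
    return $ok
}

if audit; then
    echo "OK: logins do not depend on DNS or LDAP alone"
else
    echo "FIX: see warnings above"
fi
```

With the constructed input the audit fails on purpose: the second uri names ldap2.example.com, so a box whose only way in is SSH with LDAP accounts would be locked out by a resolver failure even though the first uri is fine. Replacing that entry with the server's address (which is the reason to give the LDAP server a static IP in the first place) makes it pass.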
