dynamic ip ok for NFS/LDAP servers? Network Gurus?

Jack Craig jack.craig.aptos at gmail.com
Fri Nov 30 18:07:14 UTC 2012


Thx Very Much Rick!!!


On Fri, Nov 30, 2012 at 10:00 AM, Rick Stevens <ricks at alldigital.com> wrote:

> On 11/30/2012 08:35 AM, Jack Craig issued this missive:
>
>> Hi Folks,
>>
>> The following strikes me as wrong, but I am not a guru,
>> so I thought to ask this forum where the wizards Do Live! :)
>>
>> Pls consider a configuration with a single host providing NFS4
>> /home directories for other hosts in a 6 host cluster. Further,
>> openldap is on the same host to provide for authentication
>> on all 6.
>>
>> The architect says it's ok to configure all hosts w/DHCP,
>> but I see the IP changing every day or 2 (many reboots due to setup).
>>
>> I am a huge fan of static IP for servers, but what do I know?! :(
>>
>> So, question: is DHCP ok for the 6 hosts in this config, or go static?
>>
>> More, static on server only maybe?
>>
>
> I am also a fan of static IPs for servers (indeed, anything providing
> a fairly stable service of some kind). That being said, you can have
> a DHCP server hand out a static IP to a machine by using a clause in
> the DHCP config that specifies the MAC address of the machine's NIC and
> the static IP, netmask, gateway and DNS servers you want it to have.
>
> If you tie your DHCP server to your DNS service, whenever a DHCP address
> is handed out it can update your DNS as well. This is probably the best
> configuration to have and gives you more or less a single point of
> control. You also potentially have a single point of failure (unless
> you run redundant DHCP and DNS servers).
>
> With LDAP: If you're worried about the "pam_check_host_attr" directive,
> that's driven by the host name of the client machine (output of the
> "hostname" command)--not its IP address.
>
> If you're worried about the "uri" directives in LDAP, they'll take
> either IPs or hostnames as arguments. Personally, I prefer a static IP
> on LDAP servers and use of the IP address in the "uri" directives in
> case DNS is down or misbehaving. This is really important if the only
> way into a machine is via SSH, you've blocked root logins via SSH and
> use LDAP as an authentication mechanism. We also create a non-root local
> user on all machines (typically "admin") that can "sudo bash -l" in
> case LDAP is down as well.
>
> Keep in mind that we manage about 600 machines in two data centers and
> are just SLIGHTLY paranoid about this sorta thing. We can't always just
> "plug in a console" to get at a machine that's got problems.
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer, AllDigital    ricks at alldigital.com -
> - AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
> -                                                                    -
> -      Always remember you're unique, just like everyone else.       -
> ----------------------------------------------------------------------
>
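The "hand out a static IP from DHCP by MAC address" setup Rick describes above, written out as an ISC dhcpd.conf fragment. This is an added example, not configuration from Rick or from the thread; the 192.0.2.0/24 network, the 00:00:5e:00:53:01 MAC and the host name "nfs-ldap" are constructed placeholders (documentation ranges), and it assumes ISC dhcpd syntax.

```conf
# ISC dhcpd.conf fragment (added example, not from the thread).
# All addresses and the MAC address below are constructed placeholders;
# substitute your own subnet, the server NIC's MAC and the server IP.

subnet 192.0.2.0 netmask 255.255.255.0 {
    # Dynamic pool for the ordinary cluster nodes.
    range 192.0.2.100 192.0.2.199;
    option routers 192.0.2.1;
    option domain-name-servers 192.0.2.10;
    option domain-name "cluster.example";
    default-lease-time 86400;
    max-lease-time 172800;
}

# Reservation for the NFS/LDAP host: the lease is keyed on the NIC's MAC,
# so the address survives every reboot while still being managed centrally.
host nfs-ldap {
    hardware ethernet 00:00:5e:00:53:01;   # placeholder MAC of the server NIC
    fixed-address 192.0.2.10;              # deliberately outside the dynamic range
    option subnet-mask 255.255.255.0;
    option routers 192.0.2.1;
    option domain-name-servers 192.0.2.10;
    option host-name "nfs-ldap";
}
```

Two checks worth doing after adding a reservation like this: confirm the fixed-address is outside every "range" in the subnet so the pool can never hand the same address to another node, and keep the DHCP (and DNS) server itself on a truly static address, since clients have to reach it before they hold any lease at all. With the reservation in place, the clients' LDAP "uri" directive and the NFS mount can safely point at 192.0.2.10 directly, which is the "works even when DNS is down" property Rick recommends.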

