[Engine-devel] [vdsm] [node-devel] Support for stateless nodes

Ayal Baron abaron at redhat.com
Mon Feb 27 10:06:12 UTC 2012



----- Original Message -----
> Perry Myers wrote on Wed 22. 02. 2012 at 11:54 -0500:
> > >> As answered in the other response, there are kernel command line
> > >> parameters to set the management_server.  Since this will likely
> > >> be in a pxe environment, setting the pxe profile to include
> > >> management_server=<engine_url> should be fine.
> > >>
> > > I agree it's a valid solution as long as you assume this is
> > > relevant for PXE only use case.
> > 
> > Not necessarily...
> > 
> > Take the ISO/USB Stick and you can embed the kargs into the ISO/USB
> > itself so that it always boots with that mgmt server arg
> > 
> > This actually also enables use of 'stateless' combined with static
> > IP addressing as well.  As you can create a USB Stick and embed the
> > kargs for the NIC configuration, rsyslog config, etc, etc.
> > 
> > >> Another solution could be to set up a specific DNS SRV record
> > >> that points to the ovirt-engine and have node automatically
> > >> query that for the location.
> > > This was discussed in the past and for some reason not
> > > implemented.
> > 
> > Concerns about security, iirc.  Assumption that someone could
> > hijack the DNS SRV record and provide a man-in-the-middle oVirt
> > Engine server.
> > 
> 
> What about DNSSEC validation for DNS records in node?

This will require more than just changes to the registration process and it's quite difficult to track the required changes here on email.  Let's set up a call to discuss this and try to capture the list of issues we already know about (I'm sure we'll discover more once we actually try to do this).

To play devil's advocate though, I know there is interest, but I really don't understand the incentive.
What is the *problem* you're trying to solve here (stateless is a solution)?

> 
> David
> 
> > If you're paranoid about security, don't use DNS SRV of course,
> > instead use hardcoded kargs as described above.  But for some DNS
> > SRV might be an ok option
> > _______________________________________________
> > Engine-devel mailing list
> > Engine-devel at ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/engine-devel
> 
> --
> 
> David Jaša, RHCE
> 
> SPICE QE based in Brno
> GPG Key:     22C33E24
> Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
> 
> 
> 
> _______________________________________________
> vdsm-devel mailing list
> vdsm-devel at lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/vdsm-devel
> 
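
The trade-off discussed in this thread (a `management_server` value pinned in the kernel arguments versus discovery through a DNS SRV record that could be hijacked), sketched as an added example; it is not code from oVirt Node, vdsm or any poster. The `SrvAnswer` type, the function names and the sample hostnames are assumptions made for illustration, and the DNSSEC flag is assumed to come from a validating resolver the node trusts.

```python
import shlex
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class SrvAnswer:
    """Hypothetical result of an SRV lookup (type invented for this example)."""
    target: str
    port: int
    dnssec_validated: bool  # True only if a trusted validating resolver set AD


def karg_value(cmdline: str, key: str) -> Optional[str]:
    """Return the value of the last `key=value` token on a kernel command line."""
    value = None
    for token in shlex.split(cmdline):
        name, sep, val = token.partition("=")
        if sep and name == key:
            value = val
    return value


def choose_engine(cmdline: str, srv: Optional[SrvAnswer] = None,
                  require_dnssec: bool = True) -> Tuple[str, str]:
    """Pick the engine location; return (location, source) or raise."""
    pinned = karg_value(cmdline, "management_server")
    if pinned:
        # A value baked into the PXE profile or ISO/USB image always wins,
        # so a forged DNS answer cannot redirect the node.
        return pinned, "karg"
    if srv is None:
        raise LookupError("no management_server karg and no SRV answer")
    if require_dnssec and not srv.dnssec_validated:
        # Unvalidated SRV data is exactly the hijack case raised in the thread.
        raise PermissionError("SRV answer is not DNSSEC-validated")
    return f"{srv.target.rstrip('.')}:{srv.port}", "srv"


# Constructed sample inputs (not taken from a real deployment).
PINNED = "ro quiet management_server=https://engine.example.test"
UNPINNED = "ro quiet rootflags=loop"
FORGED = SrvAnswer("rogue.example.test.", 443, dnssec_validated=False)
SIGNED = SrvAnswer("engine.example.test.", 443, dnssec_validated=True)

if __name__ == "__main__":
    print(choose_engine(PINNED, FORGED))
    print(choose_engine(UNPINNED, SIGNED))
```
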


