[Ovirt-devel] Get rid of dns requirements

Daniel P. Berrange berrange at redhat.com
Fri Apr 10 10:25:46 UTC 2009


On Thu, Apr 09, 2009 at 07:54:35PM -0500, Mike McGrath wrote:
> > However as David says, we absolutely have to have some kind of
> > mechanism for authentication and encryption between the server and the
> > nodes. That can be krb5, or PKI (which I would prefer when it becomes
> > available for us, because anything is better than kerberos), but if we
> > try to do anything else (say, passing around ssh keys) we're going to
> > wind up reimplementing our own certificate management system
> > anyway. So at least for the cluster(s) of machines that are managed by
> > oVirt, working DNS is going to be a hard requirement. We've tried to
> > simplify this as much as possible by providing a DNS server for the
> > admin network with the install.
> >
> > I am, as always, open to suggestions for other ways to simplify
> > things...
> >
> 
> Forward dns is an obvious need, well not really one could use IPs.  But
> lots of systems (puppet from my example earlier) do not have that hard
> requirement.  I guess if I had to compare it to a competitor like
> enomalism which does not have such a requirement.  Why do we have it and
> what does it give us that enomalism is missing out on?

The DNS requirement is not a requirement of oVirt per se, but of the
underlying authentication / encryption technology. If using Kerberos
you need to have forward & reverse DNS working, and make sure that
matches the hostname as seen by the OS.  If using SSL with x509 certs
you can use IP addresses, but you have to be consistent. Either use
IP addresses all the time, or use hostnames all the time. You can't
mix use of IP addresses and hostnames, because then the certificate
CNAME checks will fail.  x509 is more forgiving about lack of reverse
DNS than kerberos, so it's not critical in that instance.

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
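
The consistency rule described in the message above, as an added example that is not part of the original post: a simplified peer-identity check over constructed certificate fields, showing that a certificate issued for a hostname fails when the client dials the IP address, and vice versa. The hostname `node3.example.test`, the address `192.0.2.13` and the function names are assumptions made for illustration; matching is exact only, with no wildcard handling.

```python
import ipaddress

# Constructed certificate fields, shaped like ssl.SSLSocket.getpeercert() output.
# The names and addresses are made up for this example.
CERT_BY_NAME = {
    "subject": ((("commonName", "node3.example.test"),),),
    "subjectAltName": (("DNS", "node3.example.test"),),
}
CERT_BY_IP = {
    "subject": ((("commonName", "192.0.2.13"),),),
    "subjectAltName": (("IP Address", "192.0.2.13"),),
}


def _as_ip(value):
    """Return an ip_address object if value is an IP literal, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def peer_matches(cert, dialed):
    """Check the identity the client dialed against the certificate.

    Simplified: the CN is consulted only when the certificate carries no
    subjectAltName entry of the type being checked.
    """
    sans = cert.get("subjectAltName", ())
    dialed_ip = _as_ip(dialed)
    if dialed_ip is not None:
        # Dialed an address: only IP entries can match, never a DNS name.
        ips = [_as_ip(v) for k, v in sans if k == "IP Address"]
        if ips:
            return dialed_ip in ips
        return any(_as_ip(cn) == dialed_ip for cn in _common_names(cert))
    # Dialed a hostname: only DNS entries can match, never an IP entry.
    host = dialed.lower().rstrip(".")
    names = [v.lower() for k, v in sans if k == "DNS"]
    if names:
        return host in names
    return any(cn.lower() == host for cn in _common_names(cert))
```

A node whose certificate was issued by name must always be reached by that name, and one issued by address must always be reached by that address; resolving the name and then dialing the resulting IP is enough to make the check fail.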



