[Ovirt-devel] Get rid of dns requirements

Hugh O. Brock hbrock at redhat.com
Thu Apr 9 21:55:52 UTC 2009


On Thu, Apr 09, 2009 at 07:57:29PM +0000, David Lutterkort wrote:
> On Thu, 2009-04-09 at 11:33 -0500, Mike McGrath wrote:
> > So my first suggestion, get rid of the dns requirements.
> 
> Just to be clear: with DNS requirements you mean the need for those SRV
> records, right? That can indeed be avoided by looking up 'ovirt' or
> whatever in the default domain.
> 
> Working forward and reverse DNS for the server and the nodes will always
> be a requirement, since both krb5 and any other auth mechanism (say
> x509) would need that.

Yeah Mike, I have a ton of sympathy here and I really want to make it
as simple as possible to set things up. Maybe defaults in the absence
of SRV records is a good way to go.

However as David says, we absolutely have to have some kind of
mechanism for authentication and encryption between the server and the
nodes. That can be krb5, or PKI (which I would prefer when it becomes
available for us, because anything is better than Kerberos), but if we
try to do anything else (say, passing around ssh keys) we're going to
wind up reimplementing our own certificate management system
anyway. So at least for the cluster(s) of machines that are managed by
oVirt, working DNS is going to be a hard requirement. We've tried to
simplify this as much as possible by providing a DNS server for the
admin network with the install. 

I am, as always, open to suggestions for other ways to simplify
things...

Take care,
--Hugh
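
A preflight check for the forward and reverse DNS requirement discussed in this message, added here as an example that is not part of the original post or of oVirt's code. The host names, addresses and the `check_host` helper are constructed for illustration; the resolvers are injectable so the sample data runs offline.

```python
import socket

def norm(name):
    """Compare names case-insensitively and without the trailing root dot."""
    return name.rstrip(".").lower()

def system_forward(name):
    """Name -> set of IPv4 addresses, using the system resolver."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:  # covers socket.gaierror and socket.herror
        return set()

def system_reverse(addr):
    """Address -> set of names from the PTR lookup, using the system resolver."""
    try:
        primary, aliases, _ = socket.gethostbyaddr(addr)
        return {primary, *aliases}
    except OSError:
        return set()

def check_host(fqdn, forward=system_forward, reverse=system_reverse):
    """Return a list of problems; an empty list means forward and reverse agree."""
    addrs = forward(fqdn)
    if not addrs:
        return [f"{fqdn}: no forward (A) record"]
    problems = []
    for addr in sorted(addrs):
        names = {norm(n) for n in reverse(addr)}
        if not names:
            problems.append(f"{fqdn}: {addr} has no reverse (PTR) record")
        elif norm(fqdn) not in names:
            problems.append(f"{fqdn}: {addr} reverses to {sorted(names)}")
    return problems

# Constructed sample zone data (RFC 5737 / RFC 2606 test ranges), not from the thread.
SAMPLE_A = {"mgmt.example.test": ["192.0.2.10"], "node1.example.test": ["192.0.2.21"],
            "node2.example.test": ["192.0.2.22"], "node3.example.test": ["192.0.2.23"]}
SAMPLE_PTR = {"192.0.2.10": ["mgmt.example.test."], "192.0.2.21": ["Node1.Example.Test"],
              "192.0.2.23": ["old-node.example.test"]}

def sample_forward(name):
    return set(SAMPLE_A.get(norm(name), []))

def sample_reverse(addr):
    return set(SAMPLE_PTR.get(addr, []))

if __name__ == "__main__":
    for host in list(SAMPLE_A) + ["node4.example.test"]:
        print(host, check_host(host, sample_forward, sample_reverse) or "OK")
```

Calling `check_host(name)` with no resolver arguments uses the system resolver instead of the sample data.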



