FYI, in 2.8 it may be plausible to close off 'xcati'; it is at least now
supported in the 2.8 tree to disable the service.  We also might be able to
lock down the policy table a bit more tightly on some directives.  If you
wanted a truly DHCP- and TFTP-free environment, there exists a solution that
uses remote media (if available) to kick off a network install with static IP
injection, but it isn't in the main project now and is a bit of a special case.
If there is interest in making it a more generalized capability, we might
pursue it later.  In this case, we support https instead of http for a lot
of deployment.



From:   Christian Caruthers/Richmond/IBM@IBMUS
To:     [email protected],
Date:   07/11/2012 11:07 PM
Subject:        [xcat-user] Firewall ports for xCAT



We have an existing iDataPlex cluster, and we're adding 2 more racks. One
of the systems in the new racks will be a service node, but the new
hardware, including the new SN, is on a different subnet. The compute nodes
in the new racks will be netbooting, and their images will need to be built
on the SN since the MN is running an older version of RH than they want on
the new hardware. They don't want the SN running a DHCP server if we can
avoid it. All we're looking to have the MN do is handle DHCP and ipmi
(r-tools, console). That said, is it safe to say a minimal list of ports to
open up on the firewall between the two racks would be as follows:

xcatd
xcati
dhcp
dhcpc
ipmi
pxe
postgresql (this wasn't listed on the wiki)
conserver
rpc-mount

Have I missed anything?

The plan is that the compute nodes will netboot off the SN, but the initial
PXE/DHCP communication will be handled by the MN. Admin tools like rpower &
rcons will be handled on the MN. We're not doing node discovery (MACs have
been manually collected) and DNS is handled by their servers.

Regards,

Christian D. Caruthers
Senior Consultant - System x Linux HPC
IBM
Mobile: 1-757-289-9872 | Phone: 1-804-327-4559
E-mail: [email protected]
Find me on: LinkedIn: http://www.linkedin.com/profile/view?id=14378571&trk=tab_pro
9201 Arboretum Pkwy
Richmond, VA 23236-5402
United States

"A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete fools."
- Douglas Adams

------------------------------------------------------------------------------

Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
xCAT-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/xcat-user
