As Christopher notes, it is an additional attack surface. Also I would like
to not have to worry about an additional named instance running in my
network which I am not using. If it is not currently possible to prevent
the local named daemon on the MN from starting when makedns is run, can
that behavior be changed in a future xCAT version if you want an external
master only?

I'm still curious as to whether the /var/named/ directory would have any
zone files locally on the MN in the case where named is running locally but
you are pushing updates to an external DNS server, or whether it only
pushes zone entries out to the DNS server specified with 'makedns -e' (as
it should).

-Josh


On Mon, Mar 31, 2014 at 8:17 PM, Xiao Peng Wang <w...@cn.ibm.com> wrote:

> Enabling the local DNS on the xCAT MN does not hurt anything except the
> CPU/memory to run makedns in your case, right?
>
>
> Thanks
> Best Regards
> ----------------------------------------------------------------------
> Wang Xiaopeng (王晓朋)
> IBM China System Technology Laboratory
> Tel: 86-10-82453455
> Email: w...@cn.ibm.com
> Address: 28,ZhongGuanCun Software Park,No.8 Dong Bei Wang West Road,
> Haidian District Beijing P.R.China 100193
>
>
> From: Josh Nielsen <jniel...@hudsonalpha.org>
> To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>,
> sam...@unimelb.edu.au,
> Date: 2014/04/01 00:00
> Subject: Re: [xcat-user] Makedns wiping out DNS records
> ------------------------------
>
>
>
> >"By default, makedns sets up the named service and updates the DNS
> records on the local system (management node). If the -e flag is specified,
> it will also update the DNS records on any external DNS server that is
> listed in the /etc/resolv.conf on the management node."
>
> Interesting, so even if I use an external DNS server I can't "get rid
> of/turn off" the DNS service on the MN? I suppose I could do a 'chkconfig
> named off' but makedns starts the named daemon anyway when you run it (I
> think). I want to make the external server the sole Master DNS server, and
> every other server its slave (I have only two other slave DNS servers,
> which are my Service Nodes).
>
> I'm in the same boat as Christopher who noted "One kink I think we've
> noticed there is that even with makedns -e xCAT seems to start up bind on
> the local system which isn't what we want at all." I also would prefer the
> local BIND/named daemon to not start at all, and rather make the external
> DNS the sole master. However, as you indicated makedns by default (which
> I'm assuming is a behavior that can't be changed [yet]?) sets up the local
> named service when it is run. Can xCAT be modified to accommodate the
> "external only master" scenario?
>
> Regards,
> Josh Nielsen
>
>
> On Thu, Mar 27, 2014 at 12:38 PM, Lissa Valletta <lis...@us.ibm.com> wrote:
>
>    It is saying if your site has an external name server and you want
>    to use it, you need to add that external name server into the
>    /etc/resolv.conf file. You also have to add the correct nameservers in
>    the site table before you run makedns. This is the manual part.
>    chdef -t site nameservers=50.1.2.254 for example.
>
>    The makedns -e will take the external nameservers that you have
>    listed in /etc/resolv.conf and update their DNS records, assuming you have
>    the authority to change that server.
>    From man makedns
>
>    By default, makedns sets up the named service and updates the DNS
>    records on the local system (management node). If the -e flag is
>    specified, it will also update the DNS records on any external DNS
>    server that is listed in the /etc/resolv.conf on the management node.
>    (Assuming the external DNS server can recognize the xCAT key as
>    authentication.)
>
>
>    Lissa K. Valletta
>    8-3/B10
>    Poughkeepsie, NY 12601
>    (tie 293) 433-3102
>
>
>
>
>    From: Josh Nielsen <jniel...@hudsonalpha.org>
>    To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
>
>    Date: 03/26/2014 03:15 PM
>    Subject: Re: [xcat-user] Makedns wiping out DNS records
>    ------------------------------
>
>
>
>    Sorry to revive this, but I have a question about external DNS since I
>    am thinking of trying it now.
>
>    On the Cluster Name Resolution wiki page
>    (http://sourceforge.net/apps/mediawiki/xcat/index.php?title=Cluster_Name_Resolution)
>    under 'Option #2: Use a DNS That is Outside of the Cluster' it says: "If
>    you already have a DNS on your site network and you want to use that for
>    your cluster node names too, you can point all of the nodes to it. You must
>    ensure that your nodes have IP connectivity to the DNS, and you must
>    manually configure your DNS with the node hostnames and IP addresses."
>
>    What does it mean that "you must manually configure" the hostnames and
>    IP addresses? Does 'makedns -e' not do that for you, just like it would if
>    DNS were running locally on the MN itself by just parsing /etc/hosts and
>    adding/pushing it to the (remote) DNS zone files for you?
>
>    In my case I may even be migrating my existing DNS zone files and
>    "/etc/named.conf" config onto a new VM and bring up DNS there and just add
>    any new hosts. But I would be surprised if makedns -e doesn't add the
>    hostnames and IPs for you. Can anyone who has used the external DNS option
>    with xCAT speak to that?
>
>    Thanks,
>    Josh
>
>
>    On Thu, Jan 16, 2014 at 5:13 PM, Christopher Samuel
>    <sam...@unimelb.edu.au> wrote:
>
>       On 17/01/14 04:00, Josh Nielsen wrote:
>
>       > Is it just something with our installation or does makedns do this
>       > for other people as well?
>
>       FWIW we do not run DNS on the management nodes at all, we have 4
>       separate xCAT built clusters (3 HPC clusters and 1 for our GPFS/TSM
>       infrastructure and our BG/Q service and front ends) and so to let
>       them all populate DNS with a single, consistent view we have two
>       external DNS servers that they all send updates to with "makedns -e".
>
>       One kink I think we've noticed there is that even with makedns -e
>       xCAT seems to start up bind on the local system which isn't what we
>       want at all.
>
>       Good luck!
>       Chris
>       --
>        Christopher Samuel        Senior Systems Administrator
>        VLSCI - Victorian Life Sciences Computation Initiative
>        Email: sam...@unimelb.edu.au Phone: +61 (0)3 903 55545
>        http://www.vlsci.org.au/ http://twitter.com/vlsci
>


------------------------------------------------------------------------------
_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user
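
Added example, not part of the thread or of xCAT: one way to confirm whether a DNS listener is up on the management node after a `makedns -e` run, by classifying every port-53 socket in `ss -lntu` output as loopback-only or network-exposed. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ss -lntu` output from a management node (not real data).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      10.1.0.1:53        0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:53       0.0.0.0:*
tcp   LISTEN 0      10     10.1.0.1:53        0.0.0.0:*
tcp   LISTEN 0      10     [::1]:53           [::]:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:953      0.0.0.0:*'

# Reads `ss -lntu` output on stdin and prints "<proto> <address> <scope>"
# for every socket bound to port 53. Scope is "loopback" or "exposed".
dns_listeners() {
    awk '
        $1 != "tcp" && $1 != "udp" { next }    # skip the header and other netids
        {
            ep = $5                            # local address:port column
            n = match(ep, /:[0-9]+$/)          # the last colon separates the port
            if (!n) next
            addr = substr(ep, 1, n - 1)
            port = substr(ep, n + 1)
            if (port != "53") next             # ignores 953 (rndc), 22, etc.
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1")
                scope = "loopback"
            else
                scope = "exposed"              # includes 0.0.0.0, [::] and NIC addresses
            print $1, addr, scope
        }'
}

# Prints how many port-53 sockets are reachable from the network.
exposed_dns_count() {
    dns_listeners | awk '$3 == "exposed" { n++ } END { print n + 0 }'
}

# Demonstration on the constructed sample. On a live node, pipe real output:
#   ss -lntu | dns_listeners
printf '%s\n' "$SAMPLE_SS" | dns_listeners
```

A non-zero count from `ss -lntu | exposed_dns_count` after running makedns means some DNS service is answering on a network-facing address; the port alone does not identify the process, so confirm it is named before acting on the result.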
