How do I use the finalize script to transfer certificates to the nodes?
In many cases, it is desirable to use node-specific certificates for certain services, e.g.:
- Make the SSH certificates persist through full re-installation.
- Use different Kerberos key tables per node.
The node installer already does something similar when it copies the node's certificate from the NFS share /cm/node-installer/certificates on the head node to each node.
To do the same for any other type of certificate, create a certificate store directory, e.g. /cm/certificates, on the head node or NFS server and export it to the nodes:
$ mkdir /cm/certificates
$ cmsh
[headnode]% device use headnode
[headnode->device[headnode]]% fsexports
[headnode->device[headnode]->fsexports]% add /cm/certificates
[headnode->device*[headnode*]->fsexports*[/cm/certificates*]]% set hosts internalnet
[headnode->device*[headnode*]->fsexports*[/cm/certificates*]]% set write no
[headnode->device*[headnode*]->fsexports*[/cm/certificates*]]% commit
[headnode->device[headnode]->fsexports[/cm/certificates]]%
You will need to place the node-specific files in a sub-directory under that certificate store directory. The subdirectory is given the name of the node.
- For node001, create /cm/certificates/node001 and place the certificates within the node001 directory.
- For node002, create /cm/certificates/node002 and place the certificates within the node002 directory.
and so on.
After that you will need to modify the finalize script for the node's category:
$ cmsh
[headnode]% category use default
[headnode->category[default]]% set finalizescript
(A text editor session will start)
[headnode->category[default]]% commit
The finalize script could be:
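#!/bin/bash
# Mount the certificate store exported by the head node.
mkdir -p /tmp/certificates
mount master:/cm/certificates /tmp/certificates
# Copy this node's files to /localdisk/etc/ssh without overwriting existing files.
cp -an "/tmp/certificates/$CMD_HOSTNAME"/* /localdisk/etc/ssh
umount /tmp/certificates
# rmdir removes only an empty directory, so a failed umount cannot touch the store.
rmdir /tmp/certificates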
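The copy step of the finalize script can also be written as a function that checks its inputs before copying and fixes the mode of SSH host private keys. This is an added example, not part of the original article or the vendor's code; the function name install_node_files is hypothetical, and the ssh_host_*_key pattern assumes OpenSSH's default host key file names.

```shell
#!/bin/bash
# Added example, not vendor code. install_node_files is a hypothetical name.
# Usage: install_node_files STORE HOSTNAME DEST
#   STORE    mounted certificate store, e.g. /tmp/certificates
#   HOSTNAME node name, normally "$CMD_HOSTNAME"
#   DEST     target directory, e.g. /localdisk/etc/ssh
install_node_files() {
    local store="$1" host="$2" dest="$3" src f name

    # Accept only a plain host name so the path cannot leave the store
    # (rejects empty values, names starting with "." and anything with "/").
    case "$host" in
        ''|.*|*/*) echo "bad host name: '$host'" >&2; return 2 ;;
    esac

    src="$store/$host"
    [ -d "$src" ]  || { echo "no directory for $host in $store" >&2; return 3; }
    [ -d "$dest" ] || { echo "missing target directory $dest" >&2; return 4; }

    for f in "$src"/*; do
        [ -e "$f" ] || continue            # empty directory: glob did not match
        name=$(basename "$f")
        # No-clobber copy of each top-level entry, preserving attributes.
        [ -e "$dest/$name" ] || cp -a "$f" "$dest/" || return 5
        # sshd refuses host private keys that group or others can read.
        case "$name" in
            ssh_host_*_key) chmod 600 "$dest/$name" || return 5 ;;
        esac
    done
}
```

In the finalize script, the function would be called between the mount and umount lines as: install_node_files /tmp/certificates "$CMD_HOSTNAME" /localdisk/etc/ssh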