
ID #1235

How do I use the finalize script to transfer certificates to the nodes?


 

It is often useful to give each node its own certificates or keys for a particular service, for example:

 

- Keep a node's SSH host keys the same across a full re-installation, so that clients with an existing known_hosts entry do not see a changed host key.

- Use a different Kerberos keytab on each node.

 

The node-installer already does something similar: it copies each node's certificate from the NFS share /cm/node-installer/certificates on the head node to that node.

 

To do the same for any other kind of certificate or key, create a certificate store directory, e.g. /cm/certificates, on the head node (or on an NFS server) and export it to the nodes. The export is read-only and limited to internalnet, since the nodes only ever read from it:

 

$ mkdir /cm/certificates
$ cmsh
[headnode]% device use headnode
[headnode->device[headnode]]% fsexports
[headnode->device[headnode]->fsexports]% add /cm/certificates
[headnode->device*[headnode*]->fsexports*[/cm/certificates*]]% set hosts internalnet
[headnode->device*[headnode*]->fsexports*[/cm/certificates*]]% set write no
[headnode->device*[headnode*]->fsexports*[/cm/certificates*]]% commit
[headnode->device[headnode]->fsexports[/cm/certificates]]%

 

Place the node-specific files in a sub-directory of the store named after the node. Keep in mind that every host on internalnet can mount the export and read the whole store, so it should hold nothing but the per-node material, owned by root with private keys mode 0600.

 

E.g.:

  • For node001, create /cm/certificates/node001 and place that node's certificates in it.
  • For node002, create /cm/certificates/node002 and place that node's certificates in it.

and so on.

 

Then set the finalize script for the node's category. The finalize script is run by the node-installer at the end of provisioning, before the node boots into the installed system; at that point the node's newly installed root filesystem is mounted under /localdisk and the node's name is available as $CMD_HOSTNAME:

 

$ cmsh
[headnode]% category use default
[headnode->category[default]]% set finalizescript
(A text editor session will start)
[headnode->category[default]]% commit

 

A finalize script that copies the node's SSH host keys from the store into the installed system could be:

 

#!/bin/bash
# Runs inside the node-installer at the end of provisioning; the node's freshly
# installed root filesystem is mounted under /localdisk.
src=/tmp/certificates/$CMD_HOSTNAME
mkdir -p /tmp/certificates
# The store is exported read-only, so mount it read-only as well.
if mount -o ro master:/cm/certificates /tmp/certificates; then
    # cp -a keeps modes and ownership, so private keys stay 0600. Do not use -n:
    # if the software image already contains ssh_host_* keys, -n would keep
    # those instead of the node-specific ones.
    [ -d "$src" ] && cp -a "$src"/. /localdisk/etc/ssh/
    umount /tmp/certificates
fi
rmdir /tmp/certificates
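As an added example (it is not part of the original entry or of the cluster manager itself), the head-node side of the same procedure: a small script that creates the per-node directories, generates SSH host keys into them, and audits the store's modes and ownership before it is exported. The store path /cm/certificates, the node names and the availability of ssh-keygen on the head node are assumptions.

```shell
#!/bin/bash
# Added example, not part of the original KB entry: populate the per-node
# certificate store on the head node and audit it before exporting it.
# Assumptions: the store is /cm/certificates (override with STORE=...), the
# directory names match the cmsh device names, and ssh-keygen is installed.

STORE="${STORE:-/cm/certificates}"

# Create $STORE/<node> and generate the node's SSH host keys into it if they
# are not there yet. Existing keys are kept, so re-running is safe.
populate_node() {
    local node="$1" dir="${STORE}/$1" t
    mkdir -p "$dir" && chmod 0755 "$dir" || return 1
    for t in rsa ecdsa ed25519; do
        [ -f "$dir/ssh_host_${t}_key" ] && continue
        ssh-keygen -q -t "$t" -N '' -C "root@${node}" \
            -f "$dir/ssh_host_${t}_key" || return 1
    done
    chmod 0600 "$dir"/ssh_host_*_key && chmod 0644 "$dir"/ssh_host_*_key.pub
}

# Audit a store: every node directory must hold at least one ssh_host_*_key,
# and every private key must be mode 0600 and owned by $2 (default root),
# because the whole store is readable by every host on internalnet once it
# is exported. Prints the number of problems and returns non-zero if any.
audit_store() {
    local store="${1:-$STORE}" owner="${2:-root}" problems=0 dir key found
    for dir in "$store"/*/; do
        [ -d "$dir" ] || continue
        found=0
        for key in "$dir"ssh_host_*_key; do
            [ -f "$key" ] || continue
            found=1
            if [ "$(stat -c '%a' "$key")" != "600" ]; then
                echo "bad mode on $key" >&2; problems=$((problems + 1))
            fi
            if [ "$(stat -c '%U' "$key")" != "$owner" ]; then
                echo "bad owner on $key" >&2; problems=$((problems + 1))
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "no host key in $dir" >&2; problems=$((problems + 1))
        fi
    done
    echo "$problems"
    [ "$problems" -eq 0 ]
}

# Usage on the head node, e.g.:  ./certstore.sh populate node001 node002
#                                 ./certstore.sh audit
case "${1:-}" in
    populate) shift; for n in "$@"; do populate_node "$n" || exit 1; done ;;
    audit)    audit_store "$STORE" root ;;
esac
```

Run the audit after every change to the store and before adding a node to the export; a private key that is group- or world-readable in /cm/certificates is readable by every host that can mount it.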

 
