First you will need to generate an MD5 hash of a strong password as follows:
[root@kerndev ~]# /sbin/grub-md5-crypt
Password:
Retype password:
$1$BaV5k1$02kE6BCxzGRyByx.RWHEd1
[root@kerndev ~]#
For the headnode:
Edit /etc/grub.conf and add password --md5 <hash> below the timeout line:
[root@kerndev ~]# cat /etc/grub.conf
default 0
timeout 8
password --md5 $1$BaV5k1$02kE6BCxzGRyByx.RWHEd1
...
For the nodes:
You will need to perform the change above in /cm/images/<software image>/etc/grub.conf as well as in /tftpboot/cm-images/<software image>/grub/grub.conf.
You need to carry out this change in all the software images that are being used, as well as in the default software image as defined in the base partition, since this is the image that is used to boot nodes whose MAC address is not known to CMDaemon:
[kerndev]% partition use base
[kerndev->partition[base]]% get defaultsoftwareimage
rhel6-image
[kerndev->partition[base]]%
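To confirm that every copy of grub.conf named above carries the directive, the following added example (not part of the original page or of the cluster manager's own tooling) reports the state of each file. The function names, the ROOT prefix argument and the sample tree are assumptions made for illustration; the sample files are constructed.

```bash
# Added example: audit GRUB legacy configs for a global hashed password.
# Status per file: ok | unhashed | entry-only | missing. "Global" means the
# directive sits before the first "title" line, i.e. below the timeout line.
check_grub_conf() {
    awk '
        /^[ \t]*title([ \t]|$)/ { in_entries = 1 }
        /^[ \t]*password([ \t=]|$)/ {
            if (in_entries) { entry_pw = 1 }
            else { gstate = ($0 ~ /--md5[ \t]+\$1\$/) ? "ok" : "unhashed" }
        }
        END {
            if (gstate != "") { print gstate }
            else { print (entry_pw ? "entry-only" : "missing") }
        }' "$1"
}

# Audit the three locations the page names. ROOT is a hypothetical prefix
# (default: the real filesystem) so the check can run against a test tree.
audit_grub() {
    local root="${1:-}" rc=0 f status
    for f in "$root"/etc/grub.conf \
             "$root"/cm/images/*/etc/grub.conf \
             "$root"/tftpboot/cm-images/*/grub/grub.conf; do
        [ -f "$f" ] || continue
        status=$(check_grub_conf "$f")
        printf '%-10s %s\n' "$status" "${f#"$root"}"
        [ "$status" = ok ] || rc=1
    done
    return $rc
}

# Constructed sample tree: head node done correctly, the image copy with a
# single-dash "-md5" typo, and the TFTP copy of the image forgotten.
make_sample_tree() {
    local root="$1" hash='$1$BaV5k1$02kE6BCxzGRyByx.RWHEd1'
    mkdir -p "$root"/etc "$root"/cm/images/rhel6-image/etc \
             "$root"/tftpboot/cm-images/rhel6-image/grub
    printf 'default 0\ntimeout 8\npassword --md5 %s\ntitle Linux\n' "$hash" \
        > "$root"/etc/grub.conf
    printf 'default 0\ntimeout 8\npassword -md5 %s\ntitle Linux\n' "$hash" \
        > "$root"/cm/images/rhel6-image/etc/grub.conf
    printf 'default 0\ntimeout 8\ntitle Linux\n' \
        > "$root"/tftpboot/cm-images/rhel6-image/grub/grub.conf
}

tmp=$(mktemp -d) && make_sample_tree "$tmp"
audit_grub "$tmp" || echo "at least one grub.conf lacks a global --md5 password"
rm -rf "$tmp"
```

On the head node, calling audit_grub with no argument checks the real paths; any status other than ok means that file still needs the password line.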
To prevent new, unidentified nodes from being able to receive DHCP leases from the headnode, you can enable the lockdowndhcpd option for the relevant network:
[root@kerndev ~]# cmsh
[kerndev]% network
[kerndev->network]% use internalnet
[kerndev->network[internalnet]]% set lockdowndhcpd yes
[kerndev->network*[internalnet*]]% commit