How do I use the finalize script to transfer certificates to the nodes?
In many cases it is desirable to use node-specific certificates for certain services, e.g.:
- Make the SSH certificates persist through full re-installation.
- Use different Kerberos key tables per node.
The node installer already does something similar when it copies the node's certificate from the NFS share /cm/node-installer/certificates on the head node to each node.
To do the same for any other type of certificate, create a certificate store directory, e.g. /cm/certificates, on the head node or NFS server and export it to the nodes:
$ mkdir /cm/certificates
[headnode]% device use headnode
[headnode->device[headnode]->fsexports]% add /cm/certificates
[headnode->device*[headnode*]->fsexports*[/cm/certificates*]]% set hosts internalnet
[headnode->device*[headnode*]->fsexports*[/cm/certificates*]]% set write no
[headnode->device*[headnode*]->fsexports*[/cm/certificates*]]% commit
Place the node-specific files in a subdirectory of the certificate store directory. The subdirectory is given the name of the node.
- For node001, create /cm/certificates/node001 and place the certificates within the node001 directory.
- For node002, create /cm/certificates/node002 and place the certificates within the node002 directory.
and so on.
After that you will need to modify the finalize script for the node's category:
[headnode]% category use default
[headnode->category[default]]% set finalizescript
(A text editor session will start)
[headnode->category*[default*]]% commit
The finalize script could be:
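#!/bin/bash
mkdir -p /tmp/certificates    # the mount point must exist before mounting
mount master:/cm/certificates /tmp/certificates
cp -an /tmp/certificates/"$CMD_HOSTNAME"/* /localdisk/etc/ssh    # -n: keep files already present
umount /tmp/certificates    # unmount first, so the cleanup never touches the share
rmdir /tmp/certificates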
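A more defensive form of the copy step above, as an added example that is not part of the original article or the product's own code: it validates the node name, copies only that node's regular files without overwriting existing ones, and tightens the permissions of private key material. The helper name install_node_certs, the mount options and the *.pub naming convention are assumptions.

```shell
#!/bin/bash
# Added example: defensive copy step for a finalize script.
# install_node_certs STORE HOSTNAME DEST   (hypothetical helper name)
#   STORE    mounted certificate store, e.g. /tmp/certificates
#   HOSTNAME node name; selects the per-node subdirectory
#   DEST     target directory, e.g. /localdisk/etc/ssh
install_node_certs() {
    local store=$1 host=$2 dest=$3 src f name
    # An empty or path-like name must never select another directory.
    case "$host" in
        ""|.|..|*/*) echo "invalid node name: '$host'" >&2; return 2 ;;
    esac
    src="$store/$host"
    if [ ! -d "$src" ]; then
        echo "no certificate directory for $host" >&2
        return 3
    fi
    mkdir -p "$dest" || return 4
    for f in "$src"/*; do
        # Copy regular files only: skip symlinks, directories, empty globs.
        if [ -L "$f" ] || [ ! -f "$f" ]; then continue; fi
        name=${f##*/}
        # Same effect as cp -n: a file already on the node is kept.
        if [ ! -e "$dest/$name" ]; then
            cp -a "$f" "$dest/$name" || return 5
        fi
        # Assumption: *.pub files are public; everything else is treated as
        # private key material (sshd rejects group/world-readable host keys).
        case "$name" in
            *.pub) chmod 644 "$dest/$name" ;;
            *)     chmod 600 "$dest/$name" ;;
        esac
    done
}

# Runs only where the node installer has set CMD_HOSTNAME.
if [ -n "${CMD_HOSTNAME:-}" ]; then
    mkdir -p /tmp/certificates &&
    mount -o ro,nosuid,nodev master:/cm/certificates /tmp/certificates && {
        install_node_certs /tmp/certificates "$CMD_HOSTNAME" /localdisk/etc/ssh
        umount /tmp/certificates && rmdir /tmp/certificates
    }
fi
```

A missing per-node directory or a malformed node name produces a distinct non-zero return code, so a node with no prepared certificates is visible in the installer output instead of silently receiving nothing.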