
How do I use the finalize script to transfer certificates to the nodes?


In many cases it is desirable to use node-specific certificates for certain services, e.g.:
- Make the SSH certificates persist through full re-installation.
- Use different Kerberos key tables per node.

The node installer already does something similar when it copies the node's certificate from the NFS share /cm/node-installer/certificates on the head node to each node.

To do that for any other type of certificate, you will need to create a certificate store directory, e.g. /cm/certificates, on the head node or NFS server and export it to the nodes:

    $ mkdir /cm/certificates
    $ cmsh
    [headnode]% device use headnode
    [headnode->device[headnode]]% fsexports
    [headnode->device[headnode]->fsexports]% add /cm/certificates
    [headnode->device*[headnode*]->fsexports*[/cm/certificates*]]% set hosts internalnet
    [headnode->device*[headnode*]->fsexports*[/cm/certificates*]]% set write no
    [headnode->device*[headnode*]->fsexports*[/cm/certificates*]]% commit
    [headnode->device[headnode]->fsexports[/cm/certificates]]%

You will need to place the node-specific files in a sub-directory under that certificate store directory. The subdirectory is given the name of the node.

E.g.:

  • For node001 create /cm/certificates/node001 and place the certificates within the node001 directory
  • For node002, create /cm/certificates/node002 and place the certificates within the node002 directory.

 and so on.

After that you will need to modify the finalize script for the node's category:

    $ cmsh
    [headnode]% category use default
    [headnode->category[default]]% set finalizescript
    (A text editor session will start)
    [headnode->category[default]]% commit

The finalize script could be:

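    #!/bin/bash
    # Mount the certificate store exported by the head node.
    mkdir /tmp/certificates
    mount master:/cm/certificates /tmp/certificates
    # Copy this node's files to /etc/ssh on the local disk.
    # -a preserves mode and ownership; -n never overwrites an existing file.
    cp -an "/tmp/certificates/$CMD_HOSTNAME"/* /localdisk/etc/ssh
    # Unmount the store and remove the temporary mount point.
    umount /tmp/certificates
    rm -rf /tmp/certificates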
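
A pre-flight check for the store layout described above, run on the head node before nodes are provisioned. This is an added example, not part of the original article or of Bright's tooling; the function names, the rule that any file not named *.pub is private material, and the sample file names are assumptions.

```shell
#!/bin/sh
# Audit STORE/<nodename>/<files>; AUDIT_PROBLEMS holds the problem count.
audit_cert_store() {
    store=$1; shift
    AUDIT_PROBLEMS=0
    for node in "$@"; do
        dir="$store/$node"
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir"
            AUDIT_PROBLEMS=$((AUDIT_PROBLEMS + 1))
            continue
        fi
        copied=0
        # Same glob as the finalize script's cp, so dotfiles are skipped too.
        for f in "$dir"/*; do
            [ -e "$f" ] || continue
            copied=$((copied + 1))
            { [ -f "$f" ] && [ ! -L "$f" ]; } || continue
            case $f in *.pub) continue ;; esac
            # Assumption: anything not named *.pub is private. cp -a keeps the
            # mode, and sshd refuses group- or world-accessible host keys.
            if [ -n "$(find "$f" -prune -perm /077)" ]; then
                echo "PERMS $f"
                AUDIT_PROBLEMS=$((AUDIT_PROBLEMS + 1))
            fi
        done
        if [ "$copied" -eq 0 ]; then
            echo "EMPTY $dir"
            AUDIT_PROBLEMS=$((AUDIT_PROBLEMS + 1))
        fi
    done
    [ "$AUDIT_PROBLEMS" -eq 0 ]
}

# Constructed sample store (placeholder contents, not real keys).
make_sample_store() {
    s=$(mktemp -d)
    mkdir "$s/node001" "$s/node002" "$s/node003"
    for n in node001 node002; do
        echo placeholder > "$s/$n/ssh_host_ed25519_key"
        echo placeholder > "$s/$n/ssh_host_ed25519_key.pub"
        chmod 600 "$s/$n/ssh_host_ed25519_key"
        chmod 644 "$s/$n/ssh_host_ed25519_key.pub"
    done
    chmod 644 "$s/node002/ssh_host_ed25519_key"   # deliberately too open
    echo "$s"
}
# Run against a real store when called as: script STORE NODE [NODE...]
if [ "$#" -ge 2 ]; then audit_cert_store "$@"; fi
```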