forked from aws/aws-parallelcluster-cookbook
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[develop] Add custom munge key rotation script (aws#2453)
* Munge key rotation * Refined the rotation script
- Loading branch information
Showing
3 changed files
with
99 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
69 changes: 69 additions & 0 deletions
69
...books/aws-parallelcluster-slurm/templates/default/slurm/head_node/update_munge_key.sh.erb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| #!/bin/bash | ||
| # This script updates the munge key used in the system. | ||
| # It fetches the key from AWS Secrets Manager or generates one if it doesn't exist. | ||
| # The script does not require any argument. | ||
| # | ||
| # Usage: ./update_munge_key.sh | ||
| # # | ||
|
|
||
| set -e | ||
|
|
||
| MUNGE_KEY_FILE="/etc/munge/munge.key" | ||
| SECRET_ARN="<%= @munge_key_secret_arn %>" | ||
| REGION="<%= @region %>" | ||
| MUNGE_USER="<%= @munge_user %>" | ||
| MUNGE_GROUP="<%= @munge_group %>" | ||
| CLUSTER_USER="<%= @cluster_user %>" | ||
|
|
||
| # If SECRET_ARN is provided, fetch the munge key from Secrets Manager | ||
| if [ -n "${SECRET_ARN}" ]; then | ||
| echo "Fetching munge key from AWS Secrets Manager: ${SECRET_ARN}" | ||
| encoded_key=$(aws secretsmanager get-secret-value --secret-id ${SECRET_ARN} --query 'SecretString' --output text --region ${REGION}) | ||
|
|
||
| if [ -z "${encoded_key}" ]; then | ||
| echo "Error fetching munge key from Secrets Manager or the key is empty" | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Decode munge key and write to munge.key file | ||
| decoded_key=$(echo $encoded_key | base64 -d) | ||
| if [ $? -ne 0 ]; then | ||
| echo "Error decoding the munge key with base64" | ||
| exit 1 | ||
| fi | ||
|
|
||
| echo "${decoded_key}" > ${MUNGE_KEY_FILE} | ||
|
|
||
| # Set ownership on the key | ||
| chown ${MUNGE_USER}:${MUNGE_GROUP} ${MUNGE_KEY_FILE} | ||
| # Enforce correct permission on the key | ||
| chmod 0600 ${MUNGE_KEY_FILE} | ||
|
|
||
| else | ||
| echo "MUNGE KEY SECRET ARN isn't provided" | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Enable and restart munge service | ||
| systemctl enable munge | ||
| echo "Restarting munge service" | ||
| systemctl restart munge | ||
|
|
||
| # Wait for a short period | ||
| sleep 5 | ||
|
|
||
| # Check if munge service is running | ||
| if systemctl --quiet is-active munge; then | ||
| echo "Munge service is active" | ||
| else | ||
| echo "Failed to restart munge service" | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Share munge key | ||
| echo "Sharing munge key" | ||
| mkdir -p /home/${CLUSTER_USER}/.munge | ||
| cp /etc/munge/munge.key /home/${CLUSTER_USER}/.munge/.munge.key | ||
| echo "Shared munge key" | ||
|
|
||
| exit 0 |