aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

aws_domainjoin.sh (Linux Seamless Domain Join) is not safely re-runnable #349

Closed stuhay closed 3 years ago

stuhay commented 3 years ago

The script aws_domainjoin.sh is not 100% re-runnable.

It correctly determines that the domain is already joined and exits gracefully, but this is after it generates a new hostname and updates the operating system. This results in a different hostname on the server from the machine name in Active Directory.

The following, added to the set_hostname() function, makes it re-runnable:

    # Redirect stderr inside the substitution so a failing hostname call is silenced
    INSTANCE_NAME=$(hostname --short 2>/dev/null)

    # Keep COMPUTER_NAME lowercase - allows for reuse of INSTANCE_NAME if it complies with the AD naming convention
    typeset -l COMPUTER_NAME

    # Only generate a new COMPUTER_NAME if INSTANCE_NAME doesn't already follow the format EC2AMAZ-
    # This makes the function re-runnable
    if echo "${INSTANCE_NAME}" | grep -qi 'EC2AMAZ-'; then
        COMPUTER_NAME=${INSTANCE_NAME}
        return
    fi

We are hitting this problem because, due to some odd setup, we have a situation where the same instance has more than one SsmAssociation for domainJoin (the second is added when the instance joins an AutoScaling group and gets a new tag which is auto-associated).

smhmhmd commented 3 years ago

Hi @stuhay

Your suggestion is valid. I suppose the change can check for domain join status instead of string comparison.

Also, please take a look at https://github.com/aws/amazon-ssm-agent/blob/mainline/agent/plugins/domainjoin/domainjoin_unix_script.go#L629

  if [ -z $KEEP_HOSTNAME ]; then
     set_hostname
  fi

This option is available only if the SSM Document AWS-JoinDirectoryServiceDomain adds an option.
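Both ideas above (reusing an existing EC2AMAZ- name so the OS hostname cannot drift away from the AD computer object, and checking join status before touching the hostname at all) can be combined into one idempotent helper. The following is an added example written for this thread, not code from aws_domainjoin.sh or the amazon-ssm-agent project; the EC2AMAZ- plus seven random characters generation scheme, the use of `realm list` output as the join probe, and the function names are assumptions.

```bash
#!/bin/bash
# Added example (not the project's own code): idempotent computer-name selection
# for a domain-join script that may be run more than once on the same instance.

# Generate a fresh name in EC2AMAZ-XXXXXXX style (7 random uppercase
# alphanumerics). The exact generation scheme is an assumption for this example.
generate_computer_name() {
    local suffix
    suffix=$(LC_ALL=C tr -dc 'A-Z0-9' < /dev/urandom | head -c 7)
    printf 'EC2AMAZ-%s\n' "$suffix"
}

# Validate a candidate as a sane NetBIOS-style name: 1-15 characters,
# alphanumerics and hyphens only, not starting or ending with a hyphen.
is_valid_computer_name() {
    local name="$1"
    [ -n "$name" ] && [ "${#name}" -le 15 ] || return 1
    printf '%s' "$name" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# Join-status probe: takes the output of a realm listing (e.g. "$(realm list)")
# as its argument and reports joined when it is non-empty. Passing the output in
# keeps the decision testable without a real directory (assumption: any
# non-empty listing means the host is already joined).
already_joined() {
    local realm_output="$1"
    [ -n "$realm_output" ]
}

# Decide which computer name to use given the current short hostname.
# Reuses the existing name (lowercased) when it already carries the EC2AMAZ-
# prefix, otherwise generates a new one. Never renames on a second run.
choose_computer_name() {
    local current="$1"
    if printf '%s' "$current" | grep -qi '^EC2AMAZ-'; then
        printf '%s\n' "$current" | tr '[:upper:]' '[:lower:]'
        return 0
    fi
    generate_computer_name | tr '[:upper:]' '[:lower:]'
}

# Orchestrator: prints "skip" when already joined (hostname left untouched),
# otherwise prints the validated computer name to apply. Takes the realm
# listing and the current short hostname as arguments so it runs offline.
plan_hostname() {
    local realm_output="$1" current="$2" name
    if already_joined "$realm_output"; then
        echo "skip"
        return 0
    fi
    name=$(choose_computer_name "$current")
    is_valid_computer_name "$name" || return 1
    printf '%s\n' "$name"
}

# Stand-alone demonstration with constructed inputs (no real realm or hostname).
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    echo "first run, DHCP-style name:   $(plan_hostname '' 'ip-10-0-0-12')"
    echo "second run, already renamed:  $(plan_hostname '' 'EC2AMAZ-ABC1234')"
    echo "second run, already joined:   $(plan_hostname 'corp.example' 'ec2amaz-abc1234')"
fi
```

In a real script the first argument would be `"$(realm list 2>/dev/null)"` and the second `"$(hostname --short 2>/dev/null)"`; the "skip" branch is what prevents the hostname churn described in the issue when a second SsmAssociation triggers the plugin again.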

stuhay commented 3 years ago

Hi @smhmhmd

I agree, a check early on to see whether the domain has already been joined is more elegant.

The KEEP-HOSTNAME won't currently work for us as the DHCP option set gives an ugly (and probably non-compliant) initial name. We still wish to use the name provided by the plugin, we just don't want it to change if the plugin runs again for any reason.

stuhay commented 3 years ago

Pull Request created https://github.com/aws/amazon-ssm-agent/pull/351