Agree.

There are three different methods (two really) of allowing internode 
communications for the ssh commanding.

Centralized management where select nodes have one way root passwordless ssh 
access to all of the rest of the nodes and n-to-n where all nodes have access 
to all other nodes via passwordless ssh.

I believe to JAB's point that the centralized is more common in 2025 and mmdsh 
adheres to either situation.

Then we have ssh sudo wrappers which leverage sudo to provide an effective 
Scale manager user but underlying this is still passwordless ssh (just not the 
root user).


Steven A. Daniels

Fax and Voice: 303-810-1229



________________________________
From: gpfsug-discuss <[email protected]> on behalf of Ryan 
Novosielski <[email protected]>
Sent: Monday, July 21, 2025 12:46 PM
To: gpfsug main discussion list <[email protected]>
Cc: [email protected] <[email protected]>
Subject: [EXTERNAL] Re: [gpfsug-discuss] mmdsh rest api command

To my knowledge, this hasn’t been true for a while, and as a matter of fact, 
that is not the way we have our environment configured.

There are nodes that do require access to all other nodes, but the same is not 
true in the other direction, and I believe there is some limited connectivity 
SSH that the nodes have between each other that is required for GPFS, 
controlled by what the keys are allowed to do.

It does somewhat negatively interact with mmnetverify, but so far this is the 
only downside I’ve seen.

There’s a section on it in the manual. We implemented it probably a couple of 
years ago now, but it has been there since sometime early in 5.x, IIRC.

I guess we’ve gotten a bit off topic here though. Is there a reason to switch 
away from SSH itself that I’m not aware of? I certainly don’t mind more 
configuration options, even if I wouldn’t likely use them.

Sent from my iPhone

> On Jul 21, 2025, at 14:11, Jonathan Buzzard <[email protected]> 
> wrote:
> 
> [SNIP]
>
>> Aren't xcat, pdsh, etc, based on passwordless root ssh as well? If
>> so, they don't solve my clients issues. I don't see them as better
>> than mmdsh just different authors of the same type of tool.
>>
> Currently GPFS requires all nodes to be able to SSH onto all other nodes as 
> root without a password. Noting at the moment the native RestAPI is an 
> experimental feature.
>
> This root level access across the entire system in a many to many fashion has 
> always been a security issue. This is especially true in an HPC environment 
> where end users get to log onto nodes that are part of a GPFS cluster. If 
> anyone gets root on any node on the system then it's game over.
>
> JAB.
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at gpfsug.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org 