Yes, it's up to you which way you create your ssh privileges, but at least 1 node must be able to push to other nodes via SSH (or less secure protocol, o.O) to get GPFS working as far as I know from 4.x experience; maybe things have changed with 5.x.

Once we got away from root ssh we were able to pass muster with security... Least of our problems from compliance perspective and that's saying a lot in our environment. Web interface via REST is more modern, but would actually give us more issues with currency and known issues, certificate management, etc. Less is more.

Only wish with GPFS is that management understood how much money you save, and performance/efficiency you get, by right sizing the IO to CPU, and seems to me all these years later GPFS is the only real solution to get disk I/O to match the Computer throughout. Oh and maybe IBM would give up and change the name back to GPFS.

Thanks to all the work in the community, and IBM for this amazing product.

On Mon, Jul 21, 2025, 2:54 PM Steve Daniels <[email protected]> wrote:

> Agree.
>
> There are three different methods (two really) of allowing internode
> communications for the ssh commanding.
>
> Centralized management where select nodes have one way root passwordless
> ssh access to all of the rest of the nodes and n-to-n where all nodes have
> access to all other nodes via passwordless ssh.
>
> I believe to JAB's point that the centralized is more common in 2025 and
> mmdsh adheres to either situation.
>
> Then we have ssh sudo wrappers which leverage sudo to provide an effective
> Scale manager user but underlying this is still passwordless ssh (just not
> the root user).
>
> Steven A. Daniels
>
> Fax and Voice: 303-810-1229
>
> ------------------------------
> *From:* gpfsug-discuss <[email protected]> on behalf of
> Ryan Novosielski <[email protected]>
> *Sent:* Monday, July 21, 2025 12:46 PM
> *To:* gpfsug main discussion list <[email protected]>
> *Cc:* [email protected] <[email protected]>
> *Subject:* [EXTERNAL] Re: [gpfsug-discuss] mmdsh rest api command
>
> To my knowledge, this hasn’t been true for a while, and as a matter of
> fact, that is not the way we have our environment configured.
>
> There are nodes that do require access to all other nodes, but the same is
> not true in the other direction, and I believe there is some limited
> connectivity SSH that the nodes have between each other that is required
> for GPFS, controlled by what the keys are allowed to do.
>
> It does somewhat negatively interact with mmnetverify, but so far this is
> the only downside I’ve seen.
>
> There’s a section on it in the manual. We implemented it probably a couple
> of years ago now, but it has been there since sometime early in 5.x, IIRC.
>
> I guess we’ve gotten a bit off topic here though. Is there a reason to
> switch away from SSH itself that I’m not aware of? I certainly don’t mind
> more configuration options, even if I wouldn’t likely use them.
>
> Sent from my iPhone
>
> > On Jul 21, 2025, at 14:11, Jonathan Buzzard <[email protected]> wrote:
> >
> > [SNIP]
> >
> >> Aren't xcat, pdsh, etc, based on passwordless root ssh as well? If
> >> so, they don't solve my clients issues. I don't see them as better
> >> than mmdsh just different authors of the same type of tool.
> >>
> > Currently GPFS requires all nodes to be able to SSH onto all other nodes
> > as root without a password. Noting at the moment the native RestAPI is an
> > experimental feature.
> >
> > This root level access across the entire system in a many to many
> > fashion has always been a security issue. This is especially true in an
> > HPC environment where end users get to log onto nodes that are part of a
> > GPFS cluster. If anyone gets root on any node on the system then it's game
> > over.
> >
> > JAB.
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at gpfsug.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org
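
An added illustration, not part of the thread and not IBM's or any poster's code: a small audit of root's `authorized_keys` that reports keys left unrestricted, the condition the thread ties to "what the keys are allowed to do". It assumes the limits are expressed as standard OpenSSH key options (`command=`, `from=`, `restrict`); the sample file, key blobs and the wrapper path `/usr/local/bin/scale-wrapper` are constructed.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-", "sk-ssh-", "sk-ecdsa-")
TOKEN = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')   # whitespace split, quote-aware
OPTION = re.compile(r'(?:[^,"]|"(?:\\.|[^"\\])*")+')   # comma split, quote-aware

# Constructed sample of /root/.ssh/authorized_keys on a cluster node (fake key blobs,
# hypothetical wrapper path).
SAMPLE = '''\
# admin node key, unrestricted
ssh-ed25519 AAAAC3FAKEKEY1 root@admin01
from="10.0.0.5",command="/usr/local/bin/scale-wrapper",restrict ssh-ed25519 AAAAC3FAKEKEY2 root@admin01
command="/usr/local/bin/scale-wrapper" ssh-rsa AAAAB3FAKEKEY3 root@nsd02
restrict,pty ssh-ed25519 AAAAC3FAKEKEY4 root@login01
'''

def option_names(line):
    """Return the set of option names on a key line, or None for comments/malformed lines."""
    fields = TOKEN.findall(line)
    if not fields or fields[0].startswith("#"):
        return None
    if fields[0].startswith(KEY_TYPES):
        return set()                      # key type comes first: no options at all
    if len(fields) < 2 or not fields[1].startswith(KEY_TYPES):
        return None
    return {o.split("=", 1)[0].lower() for o in OPTION.findall(fields[0])}

def audit(text):
    """Return {line_number: [findings]} for keys that are missing restrictions."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        names = option_names(line.strip())
        if names is None:
            continue
        findings = []
        if "command" not in names:
            findings.append("no forced command")
        if "from" not in names:
            findings.append("no source restriction")
        if "restrict" not in names and "no-port-forwarding" not in names:
            findings.append("forwarding not disabled")
        if findings:
            report[n] = findings
    return report

if __name__ == "__main__":
    for lineno, findings in audit(SAMPLE).items():
        print(f"line {lineno}: {', '.join(findings)}")
```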
