[gpfsug-discuss] mmdsh rest api command
Jonathan Buzzard
jonathan.buzzard at strath.ac.uk
Mon Jul 21 19:08:10 BST 2025
[SNIP]
>
> Aren't xcat, pdsh, etc, based on passwordless root ssh as well? If
> so, they don't solve my clients issues. I don't see them as better
> than mmdsh just different authors of the same type of tool.
>
Currently GPFS requires all nodes to be able to SSH onto all other nodes
as root without a password. Noting at the moment the native RestAPI is
an experimental feature.

This root level access across the entire system in a many to many
fashion has always been a security issue. This is especially true in an
HPC environment where end users get to log onto nodes that are part of a
GPFS cluster. If anyone gets root on any node on the system then it's
game over.

The likes of xdsh and pdsh allow *designated* nodes to be able to SSH
onto other nodes without a password in a one to many fashion. That is
fundamentally different to mmdsh. Further you can configure them to need
an SSH key which is secured with a passphrase for additional security.

Basically in this sort of scenario with xdsh/pdsh etc. only running on
highly protected nodes with limited access you have substantially
enhanced your security over mmdsh and why mmdsh's continued existence is
not only not required but not desirable IMHO.

There is also no need for the host running xdsh/pdsh etc. to be part of
the GPFS cluster.

That does mean some people relying on mmdsh will have to change how they
work. However continuing with bad practice when other more secure
options exist is IMHO unprofessional at best and given the current cyber
security environment frankly downright negligent.

JAB.
--
Jonathan A. Buzzard Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG
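
Added example, not part of the original post: a small Python audit that models the two layouts described above (many to many root SSH versus a designated admin host) as a trust graph and measures how far root on one host spreads. Host names, key labels and both layouts are constructed; real input would come from an inventory of root's private keys and authorized_keys files.

```python
from collections import deque

def trust_edges(holds, accepts):
    """Map each host to the hosts it can reach as root without a password.

    holds[h]   = labels of root private keys stored on host h
    accepts[h] = labels of keys listed in root's authorized_keys on host h
    """
    return {a: {b for b in accepts if b != a and holds.get(a, set()) & accepts[b]}
            for a in set(holds) | set(accepts)}

def blast_radius(edges, start):
    """Hosts where root is obtained, directly or by hopping, once `start` is rooted."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in edges.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def exposure(holds, accepts, user_facing):
    """Largest blast radius over the hosts that end users can log onto."""
    edges = trust_edges(holds, accepts)
    return max(len(blast_radius(edges, h)) for h in user_facing)

# Constructed sample data (hypothetical host names and key labels).
NODES = ["node1", "node2", "node3", "node4"]

# Many to many: every node holds a root key that every node accepts.
MESH_HOLDS = {n: {f"key-{n}"} for n in NODES}
MESH_ACCEPTS = {n: {f"key-{m}" for m in NODES} for n in NODES}

# One to many: only the designated "admin" host holds a key; it is not
# itself a cluster node and accepts no inbound root key.
HUB_HOLDS = {"admin": {"key-admin"}}
HUB_ACCEPTS = {n: {"key-admin"} for n in NODES}

if __name__ == "__main__":
    print("mesh, worst case from a user-facing node:",
          exposure(MESH_HOLDS, MESH_ACCEPTS, NODES))
    print("hub, worst case from a user-facing node:",
          exposure(HUB_HOLDS, HUB_ACCEPTS, NODES))
    print("hub, if the admin host is rooted:",
          sorted(blast_radius(trust_edges(HUB_HOLDS, HUB_ACCEPTS), "admin")))
```

In the hub layout the exposure moves entirely onto the admin host, which is why the post stresses running xdsh/pdsh only on highly protected nodes with limited access.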