[gpfsug-discuss] mmdsh rest api command

[Jonathan Buzzard]

[SNIP]

> 
> Aren't xcat, pdsh, etc, based on passwordless root ssh as well? If
> so, they don't solve my clients issues. I don't see them as better
> than mmdsh just different authors of the same type of tool.
>
Currently GPFS requires all nodes to be able to SSH onto all other nodes 
as root without a password. Noting at the moment the native RestAPI is 
an experimental feature.

This root level access across the entire system in a many to many 
fashion has always been an security issue. This is especially true in an 
HPC environment were end users get to log onto nodes that are part of a 
GPFS cluster. If anyone gets root on any node on the system then its 
game over.

The likes of xdsh and pdsh allow *designated* nodes to be able to SSH 
onto other nodes without a password in a one to many fashion. That is 
fundamentally different to mmdsh. Further you can configure them to need 
an SSH key which is secured with a passphrase for additional security.

Basically in this sort of scenario with xdsh/pdsh etc. only running on 
highly protected nodes with limited access you have substantially 
enhanced your security over mmdsh and why mmdsh's continued existence is
not only not required but not desirable IMHO.

There is also no need for the host running xdsh/pdsh etc. to be part of 
the GPFS cluster.

That does mean some people relying on mmdsh will have to change how they 
work. However continuing with bad practice when other more secure 
options exist is IMHO unprofessional at best and give the current cyber 
security environment frankly down right negligent.


JAB.

-- 
Jonathan A. Buzzard                         Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG