[gpfsug-discuss] mmdsh rest api command
Steve Daniels
sadaniel at us.ibm.com
Mon Jul 21 19:30:00 BST 2025
Unless there is something I am unaware of, mmdsh can also be constrained to a set of designated nodes based on SSH keys. So not sure why it is more or less than xdsh or pdsh. It seems the same.
Steven A. Daniels
Fax and Voice: 303-810-1229
________________________________
From: gpfsug-discuss <gpfsug-discuss-bounces at gpfsug.org> on behalf of Jonathan Buzzard <jonathan.buzzard at strath.ac.uk>
Sent: Monday, July 21, 2025 12:08 PM
To: gpfsug-discuss at gpfsug.org <gpfsug-discuss at gpfsug.org>
Subject: [EXTERNAL] Re: [gpfsug-discuss] mmdsh rest api command
[SNIP]
>
> Aren't xcat, pdsh, etc, based on passwordless root ssh as well? If
> so, they don't solve my clients issues. I don't see them as better
> than mmdsh just different authors of the same type of tool.
>
Currently GPFS requires all nodes to be able to SSH onto all other nodes
as root without a password. Noting at the moment the native RestAPI is
an experimental feature.
This root level access across the entire system in a many to many
fashion has always been a security issue. This is especially true in an
HPC environment where end users get to log onto nodes that are part of a
GPFS cluster. If anyone gets root on any node on the system then it's
game over.
The likes of xdsh and pdsh allow *designated* nodes to be able to SSH
onto other nodes without a password in a one to many fashion. That is
fundamentally different to mmdsh. Further you can configure them to need
an SSH key which is secured with a passphrase for additional security.
Basically in this sort of scenario with xdsh/pdsh etc. only running on
highly protected nodes with limited access you have substantially
enhanced your security over mmdsh and why mmdsh's continued existence is
not only not required but not desirable IMHO.
There is also no need for the host running xdsh/pdsh etc. to be part of
the GPFS cluster.
That does mean some people relying on mmdsh will have to change how they
work. However continuing with bad practice when other more secure
options exist is IMHO unprofessional at best and given the current cyber
security environment frankly downright negligent.
JAB.
--
Jonathan A. Buzzard Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG
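
Added example, not part of either message above and not GPFS, xCAT or pdsh code: a small audit that turns a root SSH key inventory into a trust graph and reports which nodes a root compromise of each node exposes, for the many-to-many and one-to-many layouts discussed in the thread. The node names, key labels and inventories are constructed, and the model assumes that any root key stored on a node is usable by whoever has root there.

```python
from collections import deque

def trust_edges(held, authorized):
    """Map each node to the nodes it can reach as root over SSH.

    held[node]       = labels of root private keys stored on that node
    authorized[node] = labels of keys in that node's root authorized_keys
    """
    edges = {n: set() for n in set(held) | set(authorized)}
    for src, keys in held.items():
        for dst, allowed in authorized.items():
            if src != dst and keys & allowed:
                edges[src].add(dst)
    return edges

def blast_radius(edges, compromised):
    """Nodes reachable as root by following trust edges from one node."""
    seen, queue = {compromised}, deque([compromised])
    while queue:
        for nxt in edges[queue.popleft()] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen - {compromised}

def report(held, authorized):
    """Blast radius of every node, as sorted lists for easy comparison."""
    edges = trust_edges(held, authorized)
    return {n: sorted(blast_radius(edges, n)) for n in sorted(edges)}

# Constructed inventories (hypothetical node names and key labels).
NODES = ["login1", "compute1", "compute2", "nsd1"]

# Many-to-many: every node stores a root key that every node accepts.
MESH_HELD = {n: {"cluster-root-key"} for n in NODES}
MESH_AUTH = {n: {"cluster-root-key"} for n in NODES}

# One-to-many: only the designated admin host stores the key; it accepts none.
HUB_HELD = {"admin1": {"admin-key"}, **{n: set() for n in NODES}}
HUB_AUTH = {"admin1": set(), **{n: {"admin-key"} for n in NODES}}

if __name__ == "__main__":
    for name, inv in (("many-to-many", (MESH_HELD, MESH_AUTH)),
                      ("one-to-many", (HUB_HELD, HUB_AUTH))):
        print(name)
        for node, reach in report(*inv).items():
            print(f"  root on {node:9s} exposes {len(reach)} node(s): {reach}")
```
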