[gpfsug-discuss] mmdsh rest api command

[Ryan Novosielski]

To my knowledge, this hasn’t been true for a while, and as a matter of fact, that is not the way we have our environment configured.

There are nodes that do require access to all other nodes, but the same is not true in the other direction, and I believe there is some limited connectivity SSH that the nodes have between each other that is required for GPFS, controlled by what the keys are allowed to do.

It does somewhat negatively interact with mmnetverify, but so far this is the only downside I’ve seen. 

There’s a section on it in the manual. We implemented it probably a couple of years ago now, but it has been there since sometime early in 5.x, IIRC.

I guess we’ve gotten a bit off topic here though. Is there a reason to switch away from SSH itself that I’m not aware of? I certainly don’t mind more configuration options, even if I wouldn’t likely use them.

Sent from my iPhone

> On Jul 21, 2025, at 14:11, Jonathan Buzzard <jonathan.buzzard at strath.ac.uk> wrote:
> 
> [SNIP]
> 
>> Aren't xcat, pdsh, etc, based on passwordless root ssh as well? If
>> so, they don't solve my clients issues. I don't see them as better
>> than mmdsh just different authors of the same type of tool.
>> 
> Currently GPFS requires all nodes to be able to SSH onto all other nodes as root without a password. Noting at the moment the native RestAPI is an experimental feature.
> 
> This root level access across the entire system in a many to many fashion has always been an security issue. This is especially true in an HPC environment were end users get to log onto nodes that are part of a GPFS cluster. If anyone gets root on any node on the system then its game over.
> 
> JAB.