[gpfsug-discuss] mmdsh rest api command

Steve Daniels sadaniel at us.ibm.com
Mon Jul 21 22:51:49 BST 2025


Agree.

There are three different methods (two really) of allowing internode communications for the ssh commanding.

Centralized management where select nodes have one way root passwordless ssh access to all of the rest of the nodes and n-to-n where all nodes have access to all other nodes via passwordless ssh.

I believe to JAB's point that the centralized is more common in 2025 and mmdsh adheres to either situation.

Then we have ssh sudo wrappers which leverage sudo to provide an effective Scale manager user but underlying this is still passwordless ssh (just not the root user).


Steven A. Daniels

Fax and Voice: 303-810-1229



________________________________
From: gpfsug-discuss <gpfsug-discuss-bounces at gpfsug.org> on behalf of Ryan Novosielski <novosirj at rutgers.edu>
Sent: Monday, July 21, 2025 12:46 PM
To: gpfsug main discussion list <gpfsug-discuss at gpfsug.org>
Cc: gpfsug-discuss at gpfsug.org <gpfsug-discuss at gpfsug.org>
Subject: [EXTERNAL] Re: [gpfsug-discuss] mmdsh rest api command

To my knowledge, this hasn’t been true for a while, and as a matter of fact, that is not the way we have our environment configured.

There are nodes that do require access to all other nodes, but the same is not true in the other direction, and I believe there is some limited connectivity SSH that the nodes have between each other that is required for GPFS, controlled by what the keys are allowed to do.

It does somewhat negatively interact with mmnetverify, but so far this is the only downside I’ve seen.

There’s a section on it in the manual. We implemented it probably a couple of years ago now, but it has been there since sometime early in 5.x, IIRC.

I guess we’ve gotten a bit off topic here though. Is there a reason to switch away from SSH itself that I’m not aware of? I certainly don’t mind more configuration options, even if I wouldn’t likely use them.

Sent from my iPhone

> On Jul 21, 2025, at 14:11, Jonathan Buzzard <jonathan.buzzard at strath.ac.uk> wrote:
> 
> [SNIP]
>
>> Aren't xcat, pdsh, etc, based on passwordless root ssh as well? If
>> so, they don't solve my clients issues. I don't see them as better
>> than mmdsh just different authors of the same type of tool.
>>
> Currently GPFS requires all nodes to be able to SSH onto all other nodes as root without a password. Noting at the moment the native RestAPI is an experimental feature.
>
> This root level access across the entire system in a many to many fashion has always been a security issue. This is especially true in an HPC environment where end users get to log onto nodes that are part of a GPFS cluster. If anyone gets root on any node on the system then it's game over.
>
> JAB.