[gpfsug-discuss] mmdsh rest api command

Alec anacreo at gmail.com
Mon Jul 21 23:20:10 BST 2025


Yes, it's up to you which way you create your ssh privileges but at least 1
node must be able to push to other nodes via SSH (or a less secure
protocol, o.O) to get GPFS working as far as I know from 4.x experience,
maybe things have changed with 5.x.

Once we got away from root ssh we were able to pass muster with security...
Least of our problems from compliance perspective and that's saying a lot
in our environment.

Web interface via REST is more modern, but would actually give us more
issues with currency and known issues, certificate management, etc.  Less
is more.

Only wish with GPFS is that management understood how much money you save,
and performance/efficiency you get, by right sizing the IO to CPU, and
seems to me all these years later GPFS is the only real solution to get
disk I/O to match the compute throughput.  Oh and maybe IBM would give up
and change the name back to GPFS.

Thanks to all the work in the community, and IBM for this amazing product.




On Mon, Jul 21, 2025, 2:54 PM Steve Daniels <sadaniel at us.ibm.com> wrote:

> Agree.
>
> There are three different methods (two really) of allowing internode
> communications for the ssh commanding.
>
> Centralized management where select nodes have one way root passwordless
> ssh access to all of the rest of the nodes and n-to-n where all nodes have
> access to all other nodes via passwordless ssh.
>
> I believe to JAB's point that the centralized is more common in 2025 and
> mmdsh adheres to either situation.
>
> Then we have ssh sudo wrappers which leverage sudo to provide an effective
> Scale manager user but underlying this is still passwordless ssh (just not
> the root user).
>
> Steven A. Daniels
>
> Fax and Voice: 303-810-1229
>
>
> ------------------------------
> *From:* gpfsug-discuss <gpfsug-discuss-bounces at gpfsug.org> on behalf of
> Ryan Novosielski <novosirj at rutgers.edu>
> *Sent:* Monday, July 21, 2025 12:46 PM
> *To:* gpfsug main discussion list <gpfsug-discuss at gpfsug.org>
> *Cc:* gpfsug-discuss at gpfsug.org <gpfsug-discuss at gpfsug.org>
> *Subject:* [EXTERNAL] Re: [gpfsug-discuss] mmdsh rest api command
>
> To my knowledge, this hasn’t been true for a while, and as a matter of
> fact, that is not the way we have our environment configured.
>
> There are nodes that do require access to all other nodes, but the same is
> not true in the other direction, and I believe there is some limited
> connectivity SSH that the nodes have between each other that is required
> for GPFS, controlled by what the keys are allowed to do.
>
> It does somewhat negatively interact with mmnetverify, but so far this is
> the only downside I’ve seen.
>
> There’s a section on it in the manual. We implemented it probably a couple
> of years ago now, but it has been there since sometime early in 5.x, IIRC.
>
> I guess we’ve gotten a bit off topic here though. Is there a reason to
> switch away from SSH itself that I’m not aware of? I certainly don’t mind
> more configuration options, even if I wouldn’t likely use them.
>
> Sent from my iPhone
>
> > On Jul 21, 2025, at 14:11, Jonathan Buzzard <jonathan.buzzard at strath.ac.uk> wrote:
> > 
> > [SNIP]
> >
> >> Aren't xcat, pdsh, etc, based on passwordless root ssh as well? If
> >> so, they don't solve my clients issues. I don't see them as better
> >> than mmdsh just different authors of the same type of tool.
> >>
> > Currently GPFS requires all nodes to be able to SSH onto all other nodes
> > as root without a password. Noting at the moment the native RestAPI is an
> > experimental feature.
> >
> > This root level access across the entire system in a many to many
> > fashion has always been a security issue. This is especially true in an
> > HPC environment where end users get to log onto nodes that are part of a
> > GPFS cluster. If anyone gets root on any node on the system then it's game
> > over.
> >
> > JAB.