<div dir="auto">Yes, it's up to you which way you create your ssh privileges but at least 1 node must be able to push to other nodes via SSH (or less secure protocol, o.O) to get GPFS working as far as I know from 4.x experience, maybe things have changed with 5.x.<div dir="auto"><br></div><div dir="auto">Once we got away from root ssh we were able to pass muster with security... Least of our problems from compliance perspective and that's saying a lot in our environment.</div><div dir="auto"><br></div><div dir="auto">Web interface via REST is more modern, but would actually give us more issues with currency and known issues, certificate management, etc. Less is more.</div><div dir="auto"><br></div><div dir="auto">Only wish with GPFS is that management understood how much money you save, and performance/efficiency you get, by right sizing the IO to CPU, and seems to me all these years later GPFS is the only real solution to get disk I/O to match the Computer throughput. Oh and maybe IBM would give up and change the name back to GPFS.</div><div dir="auto"><br></div><div dir="auto">Thanks to all the work in the community, and IBM for this amazing product.</div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto"><br></div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Mon, Jul 21, 2025, 2:54 PM Steve Daniels <<a href="mailto:sadaniel@us.ibm.com">sadaniel@us.ibm.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
Agree.</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
There are three different methods (two really) of allowing internode communications for the ssh commanding. </div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
Centralized management where select nodes have one way root passwordless ssh access to all of the rest of the nodes and n-to-n where all nodes have access to all other nodes via passwordless ssh. </div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
I believe to JAB's point that the centralized is more common in 2025 and mmdsh adheres to either situation.</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
Then we have ssh sudo wrappers which leverage sudo to provide an effective Scale manager user but underlying this is still passwordless ssh (just not the root user). </div>
<div id="m_-2879443802740207813Signature">
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:11pt;color:rgb(0,0,0)">
<br>
</div>
<p>Steven A. Daniels</p>
<p>Fax and Voice: 303-810-1229</p>
<p> </p>
</div>
<div id="m_-2879443802740207813appendonsend"></div>
<hr style="display:inline-block;width:98%">
<div id="m_-2879443802740207813divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> gpfsug-discuss <<a href="mailto:gpfsug-discuss-bounces@gpfsug.org" target="_blank" rel="noreferrer">gpfsug-discuss-bounces@gpfsug.org</a>> on behalf of Ryan Novosielski <<a href="mailto:novosirj@rutgers.edu" target="_blank" rel="noreferrer">novosirj@rutgers.edu</a>><br>
<b>Sent:</b> Monday, July 21, 2025 12:46 PM<br>
<b>To:</b> gpfsug main discussion list <<a href="mailto:gpfsug-discuss@gpfsug.org" target="_blank" rel="noreferrer">gpfsug-discuss@gpfsug.org</a>><br>
<b>Cc:</b> <a href="mailto:gpfsug-discuss@gpfsug.org" target="_blank" rel="noreferrer">gpfsug-discuss@gpfsug.org</a> <<a href="mailto:gpfsug-discuss@gpfsug.org" target="_blank" rel="noreferrer">gpfsug-discuss@gpfsug.org</a>><br>
<b>Subject:</b> [EXTERNAL] Re: [gpfsug-discuss] mmdsh rest api command</font>
<div> </div>
</div>
<div><font size="2"><span style="font-size:11pt">
<div>To my knowledge, this hasn’t been true for a while, and as a matter of fact, that is not the way we have our environment configured.<br>
<br>
There are nodes that do require access to all other nodes, but the same is not true in the other direction, and I believe there is some limited connectivity SSH that the nodes have between each other that is required for GPFS, controlled by what the keys are
allowed to do.<br>
<br>
It does somewhat negatively interact with mmnetverify, but so far this is the only downside I’ve seen.
<br>
<br>
There’s a section on it in the manual. We implemented it probably a couple of years ago now, but it has been there since sometime early in 5.x, IIRC.<br>
<br>
I guess we’ve gotten a bit off topic here though. Is there a reason to switch away from SSH itself that I’m not aware of? I certainly don’t mind more configuration options, even if I wouldn’t likely use them.<br>
<br>
> On Jul 21, 2025, at 14:11, Jonathan Buzzard <<a href="mailto:jonathan.buzzard@strath.ac.uk" target="_blank" rel="noreferrer">jonathan.buzzard@strath.ac.uk</a>> wrote:<br>
> <br>
> [SNIP]<br>
> <br>
>> Aren't xcat, pdsh, etc, based on passwordless root ssh as well? If<br>
>> so, they don't solve my clients issues. I don't see them as better<br>
>> than mmdsh just different authors of the same type of tool.<br>
>> <br>
> Currently GPFS requires all nodes to be able to SSH onto all other nodes as root without a password. Noting at the moment the native RestAPI is an experimental feature.<br>
> <br>
> This root level access across the entire system in a many to many fashion has always been a security issue. This is especially true in an HPC environment where end users get to log onto nodes that are part of a GPFS cluster. If anyone gets root on any node on the system then it's game over.<br>
> <br>
> JAB.<br>
_______________________________________________<br>
gpfsug-discuss mailing list<br>
gpfsug-discuss at <a href="http://gpfsug.org" target="_blank" rel="noreferrer">gpfsug.org</a><br>
<a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org" target="_blank" rel="noreferrer">http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org</a>
<br>
</div>
</span></font></div>
</div>
</blockquote></div>