<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
Agree.</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
There are three different methods (two really) of allowing internode communications for the ssh commanding. </div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
Centralized management where select nodes have one way root passwordless ssh access to all of the rest of the nodes and n-to-n where all nodes have access to all other nodes via passwordless ssh. </div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
I believe to JAB's point that the centralized is more common in 2025 and mmdsh adheres to either situation.</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
Then we have ssh sudo wrappers which leverage sudo to provide an effective Scale manager user but underlying this is still passwordless ssh (just not the root user). </div>
<div class="elementToProof" id="Signature">
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<p class="elementToProof">Steven A. Daniels</p>
<p class="elementToProof">Fax and Voice: 303-810-1229</p>
<p class="elementToProof"> </p>
</div>
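<div>An added illustration (not part of the original message, and not GPFS or mmdsh code): the layouts described above modelled as a directed graph of passwordless-ssh key trusts, showing which nodes expose the whole cluster if compromised. Host names and the stray login1-to-admin1 key are constructed; the model tracks who can log in where, not whether the login is root or a sudo-wrapper account.</div>

<pre>
```python
from collections import deque

def n_to_n(nodes):
    """Every node holds a key that every other node accepts."""
    return {(s, t) for s in nodes for t in nodes if s != t}

def centralized(nodes, admins):
    """Only the admin nodes hold a key that the rest accept (one way)."""
    return {(s, t) for s in admins for t in nodes if s != t}

def reach(edges, start):
    """Nodes that can be logged in to from `start` by chaining key trusts."""
    out = {}
    for s, t in edges:
        out.setdefault(s, set()).add(t)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in out.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def game_over_nodes(edges, nodes):
    """Nodes whose compromise exposes every other node in the cluster."""
    return sorted(n for n in nodes if reach(edges, n) == set(nodes) - {n})

# Constructed cluster inventory (hypothetical host names).
NODES = ["admin1", "admin2", "nsd1", "nsd2", "login1", "compute1", "compute2"]
ADMINS = ["admin1", "admin2"]

if __name__ == "__main__":
    layouts = {
        "n-to-n": n_to_n(NODES),
        "centralized": centralized(NODES, ADMINS),
        # One stray reverse key (login1 -> admin1) undoes the one-way design.
        "centralized + stray key":
            centralized(NODES, ADMINS) | {("login1", "admin1")},
    }
    for name, edges in layouts.items():
        exposed_from = ", ".join(game_over_nodes(edges, NODES))
        print(f"{name:24} {len(edges):3} key trusts; "
              f"full exposure from: {exposed_from}")
```
</pre>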
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> gpfsug-discuss &lt;gpfsug-discuss-bounces@gpfsug.org&gt; on behalf of Ryan Novosielski &lt;novosirj@rutgers.edu&gt;<br>
<b>Sent:</b> Monday, July 21, 2025 12:46 PM<br>
<b>To:</b> gpfsug main discussion list &lt;gpfsug-discuss@gpfsug.org&gt;<br>
<b>Cc:</b> gpfsug-discuss@gpfsug.org &lt;gpfsug-discuss@gpfsug.org&gt;<br>
<b>Subject:</b> [EXTERNAL] Re: [gpfsug-discuss] mmdsh rest api command</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">To my knowledge, this hasn’t been true for a while, and as a matter of fact, that is not the way we have our environment configured.<br>
<br>
There are nodes that do require access to all other nodes, but the same is not true in the other direction, and I believe there is some limited connectivity SSH that the nodes have between each other that is required for GPFS, controlled by what the keys are
allowed to do.<br>
<br>
It does somewhat negatively interact with mmnetverify, but so far this is the only downside I’ve seen.
<br>
<br>
There’s a section on it in the manual. We implemented it probably a couple of years ago now, but it has been there since sometime early in 5.x, IIRC.<br>
<br>
I guess we’ve gotten a bit off topic here though. Is there a reason to switch away from SSH itself that I’m not aware of? I certainly don’t mind more configuration options, even if I wouldn’t likely use them.<br>
<br>
> On Jul 21, 2025, at 14:11, Jonathan Buzzard &lt;jonathan.buzzard@strath.ac.uk&gt; wrote:<br>
> <br>
> [SNIP]<br>
> <br>
>> Aren't xcat, pdsh, etc, based on passwordless root ssh as well? If<br>
>> so, they don't solve my clients issues. I don't see them as better<br>
>> than mmdsh just different authors of the same type of tool.<br>
>> <br>
> Currently GPFS requires all nodes to be able to SSH onto all other nodes as root without a password. Noting at the moment the native RestAPI is an experimental feature.<br>
> <br>
> This root level access across the entire system in a many to many fashion has always been a security issue. This is especially true in an HPC environment where end users get to log onto nodes that are part of a GPFS cluster. If anyone gets root on any node on the system then it's game over.<br>
> <br>
> JAB.<br>
</div>
</span></font></div>
</body>
</html>