IBM TechXchange Storage Scale (GPFS) Global User Group


How to make Spectrum Scale run without root user

By MAKOTO OGAWA posted Tue August 18, 2020 01:44 AM

  

This blog is the result of activities in the Spectrum Scale CoC; thanks to the members for their valuable feedback and discussions.

Some customers have strict requirements about the use of the root user on Linux for security reasons; they do not allow system operators to log in as root because root can perform all operations on the Linux servers. By default, IBM Spectrum Scale (GPFS) requires the root user in order to operate as a file system, especially when the nodes of a GPFS cluster communicate with one another via SSH to perform configuration-related operations.
There is a way to avoid using the root user when GPFS operates after being set up, and the following page gives a good explanation of how to do it.
https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.5/com.ibm.spectrum.scale.v5r05.doc/bl1adm_sudowrapper.htm

It is, however, sometimes not easy to understand what it says without visualizing how it works using some pictures. This blog tries to illustrate how to implement GPFS without root user so that users can easily understand what they need to do.

Without using sudo wrappers (default GPFS behavior)

The nodes that you plan to use for administering GPFS must be able to execute remote shell commands on themselves and on any other nodes in the Spectrum Scale cluster via SSH. They must do it without the use of a password and without producing any extraneous messages.
To make this work, you need to copy the root user's SSH public key to the root user's authorized keys (the authorized_keys file) on the other nodes in the cluster.

The following chart explains how to implement password-less communication with root user among the nodes.

  1. Key exchange
    Copy the root user's public key on Node#1 to the root user's authorized keys on Node#2 at the time of GPFS installation.
    [Figure: sudo01.png]
  2. *GPFS commands execution
    The root user on Node#1 is able to execute GPFS commands on Node#2 with public key authentication, without being asked for a password.
    [Figure: sudo02.png]
    * GPFS commands: the administration commands for Spectrum Scale, for example mmstartup and mmgetstate.

This scenario is also applicable when more than two nodes are involved in the GPFS cluster.

With sudo wrappers

Most customers, such as IT service providers, do not allow operators to access GPFS as the root user for security reasons. Therefore, GPFS must run with a non-root user so that the nodes can communicate with one another by issuing GPFS commands over the SSH interface.

You can avoid logging in to the remote nodes as the root user by using the sudo wrapper (*2) script.
The script can execute GPFS commands such as mmgetstate by using SSH to log in to the remote node as a non-root user and then using sudo (*1) on that node to run the commands with root-level privileges.

(*1) "sudo" is the command that lets a non-root user execute commands that require root privileges. To use "sudo", "sudoers" must be set up.
     Please refer to the following URL to understand how "sudo" needs to be set up for GPFS.
     https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.5/com.ibm.spectrum.scale.v5r05.doc/bl1adm_configsudo.htm
(*2) The "sudo wrapper script" is the script that is called when GPFS commands are executed.

  1. Key exchange
    Copy the root user's public key on Node#1 to the non-root user's authorized keys on Node#2 at the time of installation; e.g. the "gpfsadmin" user.
    [Figure: sudo03.png]
  2. GPFS commands execution
    The non-root user on Node#1 can execute GPFS commands on Node#2 remotely, using the sudo wrapper scripts.
    [Figure: sudo04.png]
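
Both setups depend on the SSH precondition stated earlier: login to every node must work without a password and without producing extraneous messages. The script below is an added example for checking that per node; it is not part of the original post or of IBM's tooling, and the `ADMIN_USER` variable, the function names and the status words are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): check the SSH precondition for GPFS admin nodes.
# ADMIN_USER is an assumption: "root" for the default setup, or the non-root
# account (the post's example is "gpfsadmin") when sudo wrappers are used.
ADMIN_USER="${ADMIN_USER:-gpfsadmin}"

# check_node NODE -> prints one status word:
#   ok          key-based login worked and produced no output
#   auth-failed ssh could not log in without prompting, or could not connect
#   noisy       login worked but printed extra text (banner, profile output)
check_node() {
    # BatchMode=yes makes ssh fail instead of prompting for a password.
    if _out="$(ssh -o BatchMode=yes -o ConnectTimeout=5 \
                   "${ADMIN_USER}@$1" /bin/true 2>&1)"; then
        if [ -n "$_out" ]; then
            echo "noisy"
        else
            echo "ok"
        fi
    else
        echo "auth-failed"
    fi
}

# check_cluster NODE... -> one line per node; returns 1 if any node is not ok.
check_cluster() {
    _failed=0
    for _node in "$@"; do
        _status="$(check_node "$_node")"
        printf '%-20s %s\n' "$_node" "$_status"
        [ "$_status" = "ok" ] || _failed=1
    done
    return "$_failed"
}

# Run against the node names given on the command line, if any.
if [ "$#" -gt 0 ]; then
    check_cluster "$@"
fi
```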

Summary

On GPFS, password-less SSH connections as the root user are required among the GPFS nodes. This is the default behavior of GPFS.
Some users, however, do not allow logging in as the root user for security reasons. In that case, GPFS provides a way to avoid root user usage by implementing sudo and sudo wrapper scripts. Using them allows a non-root user like "gpfsadmin" to execute GPFS commands on the remote nodes.
