Running IBM Spectrum Scale commands without remote root login

With sudo wrapper scripts you can avoid configuring nodes to allow remote root login.

Every administration node in the IBM Spectrum Scale™ cluster must be able to run administration commands on any other node in the cluster. Each administration node must be able to do so without the use of a password and without producing any extraneous messages. Also, most of the IBM Spectrum Scale administration commands must run at the root level. One solution to meet these requirements is to configure each node to permit general remote login to its root user ID. However, there are secure solutions available that do not require root-level login.

You can use a sudo program, or a sudo-like framework to enable a user login, which is not at the root-level. With sudo wrapper, you can launch IBM Spectrum Scale administration commands with a sudo wrapper script. This script uses ssh to log in to the remote node using a non-root ID, and then uses sudo on the remote node to run the commands with root-level privileges. The root user on an administration node still needs to be able to log in to all nodes in the cluster as the non-root ID, without being prompted for a password.

Note: Start of change
  • Sudo wrappers are not supported on clusters where one or more of the nodes is running the Windows operating system.
  • Sudo wrappers are not supported with clustered NFS (cNFS).
  • Sudo wrappers are not supported with Cluster Export Services (CES)
  • The installation toolkit is not supported in a sudo wrapper environment
  • Call home is not supported in a sudo wrapper environment
End of change
To use sudo wrappers, complete the tasks in the following topics:
  • Configuring sudo
    The system administrator must configure sudo by modifying the sudoers file. IBM Spectrum Scale installs a sample of the modified sudoers file as /usr/lpp/mmfs/samples/sudoers.sample.
  • Configuring the cluster to use sudo wrapper scripts
    The system administrator must configure the IBM Spectrum Scale cluster to call the sudo wrapper scripts sshwrap and scpwrap to run IBM Spectrum Scale administration commands. To configure the cluster, run either the mmcrcluster command or the mmchcluster command with the --use-sudo-wrapper option.
  • Configuring IBM Spectrum Scale GUI to use sudo wrapper
    The GUI can be configured to run on a cluster where remote root access is disabled and sudo wrappers are used. On such a cluster, the GUI process still runs as root but it issues ssh to other nodes using a user name for which sudo wrappers were configured.
  • Configuring a cluster to stop using sudo wrapper scripts
    Follow these directions to stop using sudo wrapper scripts in the IBM Spectrum Scale cluster.
Parent topic: Configuring the GPFS cluster
Related concepts:
Displaying cluster configuration information
Security mode
Node quorum considerations
Node quorum with tiebreaker considerations
Determining how long mmrestripefs takes to complete
Related tasks:
Creating your GPFS cluster
Adding nodes to a GPFS cluster
Deleting nodes from a GPFS cluster
Changing the GPFS cluster configuration data
Displaying and changing the file system manager node
Starting and stopping GPFS
Shutting down an IBM Spectrum Scale cluster