IBM Spectrum Conductor 2.4.0 offers new enhancements regarding permissions: NFSv4 and root squash shared file system support. This blog highlights these features.
Firstly, we removed the access control list (ACL) dependency, so that you no longer require it for instance group and notebook deployment. Instead, a user-group-based permission mechanism is used to enable access to instance groups and notebooks. This allows instance groups and notebooks to be deployed on NFS version 4.0 (NFSv4) file systems.
With the ACL requirement replaced by a user group permission mechanism, you can now optionally specify an administrator user group to be assigned to the directories and files of the instance group or notebook deployment to further restrict file permissions. To do so, use the new optional Administrator user group field on the instance group configuration page in the cluster management console. If you do not specify an administrator user group, by default, the primary user group of the instance group or notebook execution OS user is assigned to the directories and files of the instance group or notebook deployment.
Root squash shared file system support
Secondly, starting with IBM Spectrum Conductor 2.4.0, you can install your cluster and deploy instance groups to root squashed shared file systems, which reduces the access rights for the remote superuser (root). This feature is enabled by specifying export ROOT_SQUASH_INSTALL=Y during IBM Spectrum Conductor installation to a shared file system.
To support instance group deployments to root squashed shared file systems, complete these configurations:
Set the ROOT_SQUASH_INSTALL environment variable: export ROOT_SQUASH_INSTALL=Y
Configure the cluster administrator OS user to be a member of the primary OS user group of every instance group OS execution user.
Ensure correct permissions for the EGO log and work directories required by IBM Spectrum Conductor: set them to locations that are not root-squash enabled, using the EGO_WORKDIR and EGO_LOGDIR parameters in the ego.conf configuration file on each host in your cluster. For example:
# EGO working and logging directory
EGO_WORKDIR=/myworkdirectory/work
Restart EGO on all hosts in the cluster: egosh ego restart all
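A quick way to check the EGO_WORKDIR and EGO_LOGDIR step before restarting, as an added example that is not part of the original post or of IBM Spectrum Conductor: it reads both parameters from an ego.conf file and reports any that are unset or that resolve to an NFS mount. The function names, the sample EGO_LOGDIR value and the mount table are hypothetical, and it assumes that an NFS mount may be root squashed, so a flagged directory still has to be checked against the export options on the server.

```shell
#!/bin/sh
# Added example: flag EGO_WORKDIR / EGO_LOGDIR settings that are unset or on NFS.

# ego_conf_value CONF KEY: print the last uncommented KEY=value in CONF.
ego_conf_value() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { val = substr($0, index($0, "=") + 1)
                   gsub(/^[ \t]+|[ \t]+$/, "", val) }
        END { print val }' "$1"
}

# mount_fstype MOUNTS DIR: print the filesystem type of the longest mount
# point in MOUNTS (/proc/mounts layout) that contains DIR.
mount_fstype() {
    awk -v dir="$2" '
        { mp = $2
          hit = (mp == "/" || dir == mp || index(dir, mp "/") == 1)
          if (hit && length(mp) >= best) { best = length(mp); fs = $3 } }
        END { print fs }' "$1"
}

# check_ego_dirs CONF MOUNTS: report both directories; return 1 if either is
# unset or on an NFS mount (assumption: an NFS mount may be root squashed, so
# its export options must be checked on the server).
check_ego_dirs() {
    rc=0
    for key in EGO_WORKDIR EGO_LOGDIR; do
        dir=$(ego_conf_value "$1" "$key")
        if [ -z "$dir" ]; then echo "$key UNSET"; rc=1; continue; fi
        fs=$(mount_fstype "$2" "$dir")
        case "$fs" in
            nfs|nfs4) echo "$key $dir $fs VERIFY_EXPORT"; rc=1 ;;
            *)        echo "$key $dir $fs OK" ;;
        esac
    done
    return "$rc"
}

# Constructed sample input: the EGO_LOGDIR value, mount table and host name
# nas01 are made up for illustration.
sample=$(mktemp -d)
printf '%s\n' '# EGO working and logging directory' \
    'EGO_WORKDIR=/myworkdirectory/work' 'EGO_LOGDIR=/shared/ego/logs' > "$sample/ego.conf"
printf '%s\n' '/dev/sda1 / ext4 rw 0 0' \
    'nas01:/export/shared /shared nfs4 rw 0 0' > "$sample/mounts"
check_ego_dirs "$sample/ego.conf" "$sample/mounts" || echo "verify the flagged exports"
```

On a cluster host, pass the path to that host's ego.conf and /proc/mounts instead of the sample files.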
That's it! You're now set to use IBM Spectrum Conductor 2.4.0 on an NFSv4, root squashed file system.