Setting password-less ssh access for root

IBM Spectrum Scale Master is the role assigned to the host on which the Master component of the IBM Spectrum® Scale service is installed. This host should be part of the set of administrator nodes. All IBM Spectrum Scale cluster-wide administrative commands, including those that create the IBM Spectrum Scale cluster and the file system, are run from this host.

Password-less ssh access for root must be configured from the IBM Spectrum Scale Master node to all the other IBM Spectrum Scale nodes. This is needed for IBM Spectrum Scale to work. For clusters that are not in adminMode central, ensure that you have a bi-directional password-less setup for both the fully qualified and the short names of all the GPFS™ nodes in the cluster. This must be done for the root user. For a non-root Ambari environment, ensure that the non-root ID can perform bi-directional password-less SSH between all the GPFS nodes.

Note: BDA Ambari integration supports the admin mode central configuration of IBM Spectrum Scale (adminMode configuration attribute topic in the IBM Storage Scale: Administration Guide).

In this configuration, one or more hosts could be designated as IBM Spectrum Scale Administration (or Admin) nodes. By default, the GPFS Master is an Admin node. In Admin mode central configuration, it is sufficient to have only uni-directional password-less ssh for root from the Admin nodes to the non-admin nodes. This configuration ensures better security by limiting the password-less ssh access for root.

An example of setting up password-less access for root from one host to another:
  1. Define Node1 as the IBM Spectrum Scale master.
  2. Log on to Node1 as the root user.
    # cd /root/.ssh
  3. Generate a public/private pair of authentication keys. Do not type a passphrase.
    # ssh-keygen -t rsa

    Generate the public-private rsa key pair.

    Type the name of the file in which you want to save the key (/root/.ssh/id_rsa):

    Type the passphrase (leave it empty and press Enter).

    Type the passphrase again (press Enter again).

    The identification has been saved in /root/.ssh/id_rsa.

    The public key has been saved in /root/.ssh/id_rsa.pub.

    The key fingerprint is:

    Note: During ssh-keygen -t rsa, accept the defaults for all prompts.
  4. Write the public key to the authorized_keys file.
    # cd /root/.ssh/; cat id_rsa.pub > authorized_keys
  5. For clusters with adminMode as allToAll, copy the generated public key file to nodeX.
    # scp /root/.ssh/* root@nodeX:/root/.ssh

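    where nodeX is all the nodes. The wildcard copies every file in /root/.ssh, so the private key id_rsa is copied along with the public key.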

    For clusters with adminMode as central, copy the generated public key file to nodeX.
    # scp /root/.ssh/* root@nodeX:/root/.ssh

    nodeX is all the nodes chosen for administration.

    Configure password-less ssh with the non-admin nodes (nodeY) in the cluster.
    # ssh-copy-id root@nodeY

    nodeY is the rest of the cluster nodes.

  6. Ensure that the public key file permission is correct.
    # ssh root@nodeX "chmod 700 .ssh; chmod 640 .ssh/authorized_keys"
  7. Check password-less access.
    # ssh node2
    
    [root@node1 ~]# ssh node2
    The authenticity of host 'gpfstest9 (192.0.2.0)' can't be established.
    RSA key fingerprint is 03:bc:35:34:8c:7f:bc:ed:90:33:1f:32:21:48:06:db.
    Are you sure you want to continue connecting (yes/no)?yes
    
    
    Note: You also need to run ssh node1 to add the key into /root/.ssh/known_hosts for password-less access.
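
A non-interactive check for steps 6 and 7, added here as an example (it is not part of the IBM procedure). The script name, the SSH_DIR override and the hostnames are assumptions of this example; pass both the short and the fully qualified name of each node.

```bash
#!/usr/bin/env bash
# Added example, not IBM code. Run as root on the Master/Admin node:
#   ./check_ssh.sh node2 node2.example.com   (hostnames here are placeholders)

# True if PATH has exactly octal mode MODE (uses POSIX find -perm).
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# Step 6: DIR must be 700 and DIR/authorized_keys 640 (600 also accepted).
# A private key in DIR is expected to be 600, the mode ssh-keygen creates.
check_ssh_perms() {
    local dir="$1" ak="$1/authorized_keys"
    has_mode "$dir" 700 || { echo "bad mode on $dir (want 700)"; return 1; }
    [ -f "$ak" ] || { echo "missing $ak"; return 1; }
    has_mode "$ak" 640 || has_mode "$ak" 600 ||
        { echo "bad mode on $ak (want 640 or 600)"; return 1; }
    if [ -f "$dir/id_rsa" ]; then
        has_mode "$dir/id_rsa" 600 ||
            { echo "bad mode on $dir/id_rsa (want 600)"; return 1; }
    fi
    return 0
}

# Step 7: BatchMode=yes makes ssh fail instead of prompting, so a password
# prompt or an unconfirmed host key (no known_hosts entry) both count as FAIL.
check_passwordless() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "root@$1" true 2>/dev/null
}

# Check the local key directory, then every node name given as an argument.
# SSH_DIR is this example's own override; it defaults to /root/.ssh.
check_cluster() {
    local rc=0 node
    check_ssh_perms "${SSH_DIR:-/root/.ssh}" || rc=1
    for node in "$@"; do
        if check_passwordless "$node"; then
            echo "OK   $node"
        else
            echo "FAIL $node"; rc=1
        fi
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    check_cluster "$@"
fi
```

A FAIL for a node that accepts the key usually means its host key has not yet been accepted into /root/.ssh/known_hosts, which is the case the note in step 7 describes.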