The system administrator must configure sudo by modifying the sudoers file. IBM Storage Scale installs a sample of the modified sudoers file as /usr/lpp/mmfs/samples/sudoers.sample.
Do the following steps before you configure sudo:
- Create a user and group to run administration commands.
Note: The examples in this section have the user name gpfsadmin and the group gpfs.
- Allow the root user from an administration node to run commands on all nodes including the current node with user ID gpfsadmin without being prompted for a password. For example, the root user must be able to issue a command like the following one without being prompted for a password:
ssh c6f2bc4n8 -l gpfsadmin /bin/whoami
gpfsadmin
- Install the sudo program. Sudo is open-source software that is distributed under a license.
Do the following steps on each node in the cluster:
- Open the /etc/sudoers file with a text editor. The sudo installation includes the visudo editor, which checks the syntax of the file before closing.
- Add the following commands to the file. Important: Enter each command on a single line:
Preserve GPFS environment variables:
Defaults env_keep += "MMMODE environmentType GPFS_rshPath GPFS_rcpPath mmScriptTrace GPFSCMDPORTRANGE GPFS_CIM_MSG_FORMAT"
Allow members of the gpfs group to run all commands but only selected commands without a password:
%gpfs ALL=(ALL) PASSWD: ALL, NOPASSWD: /usr/lpp/mmfs/bin/mmremote
Disable requiretty for group gpfs:
Defaults:%gpfs !requiretty
The first line preserves the environment variables that the IBM Storage Scale administration commands need to run. The second line allows the users in the gpfs group to run administration commands without being prompted for a password. The third line disables requiretty. When this flag is enabled, sudo blocks the commands that do not originate from a TTY session.
Note: As of IBM Storage Scale 5.1.0, you no longer need to add commands such as scp, echo, and mmsdrrestore to the sudoers file.
If the minimum release level of the cluster is earlier than 5.1.0, add the following command to the file as the second line:
Allow members of the gpfs group to run all commands but only selected commands without a password:
%gpfs ALL=(ALL) PASSWD: ALL, NOPASSWD: /usr/lpp/mmfs/bin/mmremote, /usr/bin/scp, /bin/echo, /usr/lpp/mmfs/bin/mmsdrrestore
- Perform the following steps to verify that the sshwrap and scpwrap scripts work correctly.
  - sshwrap is an IBM Storage Scale sudo wrapper script for the remote shell command that is installed with IBM Storage Scale. To verify that it works correctly, run the following command as the gpfsadmin user:
sudo /usr/lpp/mmfs/bin/mmcommon test sshwrap nodeName
[sudo] password for gpfsadmin:
mmcommon test sshwrap: Command successfully completed
Note: Here nodeName is the name of an IBM Storage Scale node in the cluster.
  - scpwrap is an IBM Storage Scale sudo wrapper script for the remote file copy command that is installed with IBM Storage Scale. To verify that it works correctly, run the following command as the gpfsadmin user:
sudo /usr/lpp/mmfs/bin/mmcommon test scpwrap nodeName
mmcommon test scpwrap: Command successfully completed
Note: Here nodeName is the name of an IBM Storage Scale node in the cluster.
Sudo is now configured to run administration commands without remote root login.
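One way to audit a node's sudoers file against the three entries in this section, and to catch passwordless commands beyond the documented ones. This is an added example, not part of the IBM documentation or the product; the function name check_gpfs_sudoers, its LEGACY argument and the finding labels are assumptions made here.

```shell
#!/bin/sh
# Added example, not IBM code. Audits a sudoers file against this section's entries.
# Assumes one rule per line with NOPASSWD: as the last tag, as in the entries above.
# Usage: check_gpfs_sudoers FILE [GROUP] [LEGACY]   (LEGACY=yes for clusters below 5.1.0)
# Prints one line per finding; returns 0 when there are none, 1 otherwise.
check_gpfs_sudoers() {
    file=$1; group=${2:-gpfs}; legacy=${3:-no}; bad=0; seen=0
    rules=$(grep -v '^[[:space:]]*#' "$file" || true)

    # 1. Each variable the administration commands need must be in env_keep.
    keep=$(printf '%s\n' "$rules" | grep 'env_keep' | tr '"\n' '  ')
    for var in MMMODE environmentType GPFS_rshPath GPFS_rcpPath \
               mmScriptTrace GPFSCMDPORTRANGE GPFS_CIM_MSG_FORMAT; do
        case " $keep " in
            *" $var "*) ;;
            *) echo "MISSING env_keep: $var"; bad=1 ;;
        esac
    done

    # 2. requiretty must be disabled for the group.
    printf '%s\n' "$rules" |
        grep -Eq "^[[:space:]]*Defaults:%$group[[:space:]]+!requiretty" ||
        { echo "MISSING: Defaults:%$group !requiretty"; bad=1; }

    # 3. Only the documented commands may be passwordless.
    nopasswd=$(printf '%s\n' "$rules" |
        sed -n "s/^[[:space:]]*%$group[[:space:]].*NOPASSWD:[[:space:]]*//p" | tr ',' '\n')
    while read -r cmd; do
        case $cmd in
            '') ;;
            /usr/lpp/mmfs/bin/mmremote) seen=1 ;;
            /usr/bin/scp|/bin/echo|/usr/lpp/mmfs/bin/mmsdrrestore)
                [ "$legacy" = yes ] ||
                    { echo "LEGACY NOPASSWD (only needed below 5.1.0): $cmd"; bad=1; } ;;
            *) echo "UNEXPECTED NOPASSWD: $cmd"; bad=1 ;;
        esac
    done <<EOF
$nopasswd
EOF
    [ "$seen" -eq 1 ] || { echo "MISSING NOPASSWD: /usr/lpp/mmfs/bin/mmremote"; bad=1; }
    return "$bad"
}

# Constructed sample: the pre-5.1.0 rule from this section, without the requiretty line.
sample=$(mktemp)
cat >"$sample" <<'EOF'
Defaults env_keep += "MMMODE environmentType GPFS_rshPath GPFS_rcpPath mmScriptTrace GPFSCMDPORTRANGE GPFS_CIM_MSG_FORMAT"
%gpfs ALL=(ALL) PASSWD: ALL, NOPASSWD: /usr/lpp/mmfs/bin/mmremote, /usr/bin/scp, /bin/echo, /usr/lpp/mmfs/bin/mmsdrrestore
EOF
check_gpfs_sudoers "$sample" || echo "review the findings above"
rm -f "$sample"
```

Run it against /etc/sudoers on each node after visudo saves the file, passing yes as the third argument only when the minimum release level of the cluster is earlier than 5.1.0.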