Root-level processes that call administration commands directly

With the sudoUser attribute, you can enable root-level background processes to call administration commands directly while sudo wrappers are enabled.

When sudo wrappers are enabled and a root-level background process calls an administration command directly rather than through sudo, the administration command typically fails. Examples of such a root-level process are the cron program and IBM Spectrum Scale™ callback programs. Such processes call administration commands directly even when sudo wrappers are enabled.

In the failing scenario, the GPFS™ daemon that processes the administration command encounters a login error when it tries to run an internal command on another node as the root user. When sudo wrappers are enabled, nodes typically do not allow root-level logins by other nodes. (That is the advantage of having sudo wrappers.) When the root-level login fails, the GPFS daemon that is processing the administration command cannot complete the command and returns an error.

To avoid this problem, you can set the sudoUser attribute to a non-root admin user ID that can log in to any node in the cluster without being prompted for a password. You can specify the same admin user ID that you used to configure sudo. For more information on the admin user ID, see Configuring sudo.

You can set the sudoUser attribute in the following commands: mmchconfig command (the sudoUser attribute), mmcrcluster command (the --sudo-user parameter), or mmcrcluster command (the --sudo-user parameter).

Parent topic: Running IBM Spectrum Scale commands without remote root login