Configuring sudo

The system administrator must configure sudo by modifying the sudoers file. IBM Spectrum Scale™ installs a sample of the modified sudoers file as /usr/lpp/mmfs/samples/sudoers.sample.

Perform the following steps before you start configuring sudo:
  1. Create a user and group to run administration commands.
    Note: The examples in this section have the user name gpfsadmin and the group gpfs.
  2. Allow the root user from an administration node to execute commands on all nodes, including the current node, as the gpfsadmin user ID without being prompted for a password.
  3. Install the sudo program. Sudo is free, open source software that is distributed under a license.

Do the following steps on each node in the cluster:

  1. Open the /etc/sudoers file with a text editor. The sudo installation includes the visudo editor, which checks the syntax of the file before closing.
  2. Add the following commands to the file. Important: Enter each command on a single line:
    # Preserve GPFS environment variables:
    Defaults env_keep += "MMMODE environmentType GPFS_rshPath GPFS_rcpPath mmScriptTrace GPFSCMDPORTRANGE GPFS_CIM_MSG_FORMAT" 
    
    # Allow members of the gpfs group to run all commands but only selected commands without a password:
    %gpfs ALL=(ALL) PASSWD: ALL, NOPASSWD: /usr/lpp/mmfs/bin/mmremote, /usr/bin/scp, /bin/echo, /usr/lpp/mmfs/bin/mmsdrrestore
    
    # Disable requiretty for group gpfs:
    Defaults:%gpfs !requiretty

    The first line preserves the environment variables that the IBM Spectrum Scale administration commands need to run. The second line allows the users in the gpfs group to run all commands with a password, and the listed commands (mmremote, scp, echo, and mmsdrrestore) without being prompted for a password. The third line disables requiretty for the gpfs group. When requiretty is enabled, sudo blocks commands that do not originate from a TTY session.
  3. Perform the following steps to verify that the sshwrap and scpwrap scripts work correctly.
    1. sshwrap is an IBM Spectrum Scale sudo wrapper script for the remote shell command that is installed with IBM Spectrum Scale. To verify that it works correctly, run the following command as the gpfsadmin user:
      sudo /usr/lpp/mmfs/bin/mmcommon test sshwrap nodeName
      [sudo] password for gpfsadmin: 
      mmcommon test sshwrap: Command successfully completed
      Note: nodeName is the name of an IBM Spectrum Scale node in the cluster.
    2. scpwrap is an IBM Spectrum Scale sudo wrapper script for the remote file copy command that is installed with IBM Spectrum Scale. To verify that it works correctly, run the following command as the gpfsadmin user:
      sudo /usr/lpp/mmfs/bin/mmcommon test scpwrap nodeName
      mmcommon test scpwrap: Command successfully completed
      Note: nodeName is the name of an IBM Spectrum Scale node in the cluster.
Sudo is now configured to run administration commands without remote root login.
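
Because the same three entries must be present on every node, a per-node audit catches wrapped lines and drift in the passwordless command list. The following POSIX shell function is an added example, not part of the IBM documentation or product; the name check_gpfs_sudoers and the demo fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM code; check_gpfs_sudoers is a hypothetical helper name.
REQUIRED_ENV="MMMODE environmentType GPFS_rshPath GPFS_rcpPath mmScriptTrace GPFSCMDPORTRANGE GPFS_CIM_MSG_FORMAT"
ALLOWED_NOPASSWD="/usr/lpp/mmfs/bin/mmremote
/usr/bin/scp
/bin/echo
/usr/lpp/mmfs/bin/mmsdrrestore"

# Prints one line per finding; exit status is 0 only when all checks pass.
# The body is a subshell so the IFS and noglob changes stay local.
check_gpfs_sudoers() (
    file=$1; rc=0
    set -f
    # 1. Each variable must be on a Defaults env_keep line (a wrapped line fails).
    keep=$(grep -E '^[[:space:]]*Defaults[[:space:]]+env_keep' "$file" || true)
    for var in $REQUIRED_ENV; do
        printf '%s\n' "$keep" | grep -qw -- "$var" ||
            { echo "MISSING env_keep: $var"; rc=1; }
    done
    # 2. requiretty must be disabled for the gpfs group.
    grep -Eq '^[[:space:]]*Defaults:%gpfs[[:space:]]+!requiretty' "$file" ||
        { echo "MISSING Defaults:%gpfs !requiretty"; rc=1; }
    # 3. Every command after NOPASSWD: runs without a password, so the list
    #    must be exactly the four commands given on this page.
    found=$(grep -E '^[[:space:]]*%gpfs[[:space:]]' "$file" | head -n 1 |
        sed -n 's/.*NOPASSWD:[[:space:]]*//p' | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    IFS='
'
    for cmd in $found; do
        printf '%s\n' "$ALLOWED_NOPASSWD" | grep -qxF -- "$cmd" ||
            { echo "UNEXPECTED NOPASSWD: $cmd"; rc=1; }
    done
    for cmd in $ALLOWED_NOPASSWD; do
        printf '%s\n' "$found" | grep -qxF -- "$cmd" ||
            { echo "MISSING NOPASSWD: $cmd"; rc=1; }
    done
    exit "$rc"
)

# Demo on a constructed fragment whose passwordless list has drifted.
demo=$(mktemp)
cat >"$demo" <<'EOF'
Defaults env_keep += "MMMODE environmentType GPFS_rshPath GPFS_rcpPath mmScriptTrace GPFSCMDPORTRANGE GPFS_CIM_MSG_FORMAT"
%gpfs ALL=(ALL) PASSWD: ALL, NOPASSWD: /usr/lpp/mmfs/bin/mmremote, /usr/bin/scp, /bin/echo, /usr/lpp/mmfs/bin/mmsdrrestore, /bin/bash
Defaults:%gpfs !requiretty
EOF
check_gpfs_sudoers "$demo" || echo "sudoers fragment needs review"
rm -f "$demo"
```

This check complements the syntax check that visudo performs; it does not replace it. Reading /etc/sudoers requires root privileges.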