[lustre-discuss] [EXTERNAL] Re: Restricting sub directory mounts/access
mohrrf at ornl.gov
Wed Mar 31 03:44:16 PST 2021
I don't think that lustre will do exactly what you want in this case. If you mount the entire file system, then you could restrict access to a directory based on normal uid/gid permission or even ACLs. But those restrictions would then apply to every lustre client that mounted the file system. I don't know of any way to allow a directory to be visible in lustre and also prevent access to that directory based just on the node that mounted it.
I don't know if it is possible in your case, but you could consider organizing the directory layout in such a way that subdirectory mounts would accomplish what you want. For example, if your file system is normally mounted under "/lustre" on the client, then you could create two directories in the file system called "restricted/" and "normal/". (These names are just for illustrative purposes. You'll likely want to choose something better.) Most of your clients would then see /lustre/normal, /lustre/restricted, etc. On the login nodes, you would just create the mount point /lustre/normal and only mount that subdirectory. Then /lustre/restricted would not even be visible.
As a personal preference, I like to avoid putting any "real data" at the root of my lustre file system. The only things I create there are subdirectories that organize files into logical groups (/lustre/projects, /lustre/users, /lustre/admin, etc.). I feel that it gives me more control in situations like these if I want to only mount certain subdirectories or even apply things like project quotas. I wouldn't call it a "best practice", but over the years I have found that approach to be very useful/practical.
On 3/30/21, 4:25 PM, "lustre-discuss on behalf of Kumar, Amit" <lustre-discuss-bounces at lists.lustre.org on behalf of ahkumar at mail.smu.edu> wrote:
Thank you for your reply. Yes, I would like to use the isolation mentioned in the link you shared, but a bit differently. I did a bit of reading, but it appears to me that the isolation provided by the filesets feature allows me to mount a sub-directory in isolation from the root directory, and using nodemap allows me to squash or map uid/gid on a set of clients. Based on my understanding this would not help me; I hope I am wrong.
Here is what I am trying: I still want the entire namespace mounted on all clients, but exclude access to one of the sub-directories from the namespace on a handful of clients. Rationale: we have some datasets that reside in a sub-directory, and given that the Lustre namespace is mounted on login servers which are not set up behind a 2FA authentication system, the entity providing us the data set has raised concerns, and hence we are trying to look for options around this. We do have a place to put the data elsewhere at the moment, but I would like to explore options, as not all our file systems are as large as Lustre and it could benefit us when the need arises.
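The layout Rick describes (restricted/ and normal/ at the top of the file system, with login nodes mounting only normal/) expressed as per-role fstab entries plus a post-mount check, as an added example that is not from the thread or from Lustre itself. The MGS NID 10.0.0.1@tcp, the file system name "lustre", the login-node address range and the nodemap name are hypothetical. One caveat a practitioner would want: a client-side subdirectory mount hides the path, but root on that client can still mount the root of the file system, so the last function prints the server-side nodemap fileset commands that pin those clients to normal/.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumed values (hypothetical):
#   MGS NID 10.0.0.1@tcp, fsname "lustre", client mount root /lustre,
#   top-level directories normal/ and restricted/ inside the file system.

MGS_NID="10.0.0.1@tcp"
FSNAME="lustre"
MOUNT_ROOT="/lustre"

# Print the /etc/fstab line for a client role.
#   compute: mount the whole namespace, so /lustre/normal and /lustre/restricted are visible
#   login:   mount only the normal/ subdirectory (Lustre subdirectory mount syntax,
#            mgsnid:/fsname/subdir); restricted/ then has no path on the node at all
fstab_line_for_role() {
    case "$1" in
        compute)
            printf '%s:/%s %s lustre defaults,_netdev 0 0\n' \
                "$MGS_NID" "$FSNAME" "$MOUNT_ROOT" ;;
        login)
            printf '%s:/%s/normal %s/normal lustre defaults,_netdev 0 0\n' \
                "$MGS_NID" "$FSNAME" "$MOUNT_ROOT" ;;
        *)
            echo "unknown role: $1" >&2
            return 1 ;;
    esac
}

# Post-mount check for a login node: return 0 if nothing named restricted/ is
# reachable under $1, non-zero otherwise. A node that mounted the file system
# root by mistake fails this check.
check_restricted_hidden() {
    root="$1"
    if [ -e "$root/restricted" ]; then
        echo "FAIL: $root/restricted is reachable on this node" >&2
        return 1
    fi
    echo "OK: $root/restricted is not reachable"
    return 0
}

# The fstab entry alone is not a security boundary: root on the login node can
# mount mgsnid:/lustre instead. A nodemap fileset on the MGS limits the clients
# in the given NID range to mounting the subdirectory. Commands are printed for
# review, not executed; they are run on the MGS by an administrator.
# Caveat: activating nodemap also applies the default nodemap's uid/gid squashing
# to clients that match no nodemap, so set the admin/trusted properties first.
nodemap_fileset_commands() {
    name="$1"; range="$2"; subdir="$3"
    printf 'lctl nodemap_add %s\n' "$name"
    printf 'lctl nodemap_add_range --name %s --range %s\n' "$name" "$range"
    printf 'lctl nodemap_set_fileset --name %s --fileset /%s\n' "$name" "$subdir"
    printf 'lctl nodemap_activate 1\n'
}

# Example usage: show both fstab lines and the server-side pin for the login nodes.
fstab_line_for_role compute
fstab_line_for_role login
nodemap_fileset_commands login_nodes '10.0.1.[1-50]@tcp' normal

# Only meaningful on a node where the file system is actually mounted.
if [ -d "$MOUNT_ROOT/normal" ]; then
    check_restricted_hidden "$MOUNT_ROOT"
fi
```

The compute line puts the whole namespace under /lustre; the login line mounts only normal/ at /lustre/normal, so /lustre/restricted does not exist as a path there. Run check_restricted_hidden on the login nodes after mounting, and apply the printed lctl commands on the MGS if the subdirectory restriction has to hold against root on the client rather than rely on fstab alone.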