[lustre-discuss] [EXTERNAL] Re: Restricting sub directory mounts/access

Mohr, Rick mohrrf at ornl.gov
Wed Mar 31 03:44:16 PST 2021


Amit,

I don't think that lustre will do exactly what you want in this case.  If you mount the entire file system, then you could restrict access to a directory based on normal uid/gid permissions or even ACLs.  But those restrictions would then apply to every lustre client that mounted the file system.  I don't know of any way to allow a directory to be visible in lustre and also prevent access to that directory based just on the node that mounted it.

I don't know if it is possible in your case, but you could consider organizing the directory layout in such a way that subdirectory mounts would accomplish what you want.  For example, if your file system is normally mounted under "/lustre" on the client, then you could create two directories in the file system called "restricted/" and "normal/".  (These names are just for illustrative purposes.  You'll likely want to choose something better.)  Most of your clients would then see /lustre/normal, /lustre/restricted, etc.  On the login nodes, you would just create the mount point /lustre/normal and only mount that subdirectory.  Then /lustre/restricted would not even be visible.

As a personal preference, I like to avoid putting any "real data" at the root of my lustre file system.  The only things I create there are subdirectories that organize files into logical groups (/lustre/projects, /lustre/users, /lustre/admin, etc.).  I feel that it gives me more control in situations like these if I want to only mount certain subdirectories or even apply things like project quotas.  I wouldn't call it a "best practice", but over the years I have found that approach to be very useful/practical.

-Rick


On 3/30/21, 4:25 PM, "lustre-discuss on behalf of Kumar, Amit" <lustre-discuss-bounces at lists.lustre.org on behalf of ahkumar at mail.smu.edu> wrote:

    Hi David,

    Thank you for your reply. Yes, I would like to use the isolation mentioned in the link you shared, but a bit differently. I did a bit of reading, but it appears to me that the isolation provided by the filesets feature allows me to mount a sub-directory in isolation of the root directory, and using nodemap allows me to squash or map uid/gid on a set of clients. Based on my understanding this would not help me; I hope I am wrong.

    Here is what I am trying: I still want the entire namespace mounted on all clients, but exclude access to one of the sub-directories from the namespace on a handful of clients. Rationale: we have some datasets that reside in a sub-directory, and given the lustre namespace is mounted on login servers which are not set up behind a 2FA authentication system, the entity providing us the data set has raised concerns and hence we are trying to look for options around this. We do have a place to put the data elsewhere at the moment, but I would like to explore options, as not all our file systems are as large as Lustre and it could benefit when the need arises.

    Best Regards,
    Amit
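As an added illustration of the layout Rick describes (example code, not from either post): the fstab line each node role would carry, login nodes mounting only the "normal/" subdirectory, plus a check a login node can run against its own mount table to confirm nothing beyond that subdirectory is mounted. The MGS NID `mgs@tcp`, the filesystem name `lfs1` and the two sample mount tables are assumptions constructed for the example.

```shell
#!/bin/sh
# Assumed values for the example; substitute your MGS NID and fsname.
MGS_NID="mgs@tcp"
FSNAME="lfs1"

# fstab entry for a node role.  Login nodes get only the "normal/"
# subdirectory mount (Lustre subdirectory mount: mgs:/fsname/subdir);
# every other role mounts the whole file system at /lustre.
fstab_line() {
  case "$1" in
    login) printf '%s:/%s/normal /lustre/normal lustre defaults,_netdev 0 0\n' "$MGS_NID" "$FSNAME" ;;
    *)     printf '%s:/%s /lustre lustre defaults,_netdev 0 0\n' "$MGS_NID" "$FSNAME" ;;
  esac
}

# Audit a /proc/mounts-style table read from stdin, as a login node would
# do with `audit_login_mounts < /proc/mounts`.  Any lustre mount whose
# source is not the permitted subdirectory (the root, or restricted/)
# is reported and the function returns 1.  This is a client-side check
# only; the nodemap fileset mentioned in the thread is what enforces it
# on the server side.
audit_login_mounts() {
  permitted="$MGS_NID:/$FSNAME/normal"
  rc=0
  while read -r src mnt fstype rest; do
    [ "$fstype" = "lustre" ] || continue
    if [ "$src" != "$permitted" ]; then
      echo "VIOLATION: $src at $mnt exposes more than $permitted" >&2
      rc=1
    fi
  done
  return $rc
}

# Constructed sample mount tables (two lines each), not real output.
GOOD_MOUNTS='mgs@tcp:/lfs1/normal /lustre/normal lustre rw,flock 0 0
tmpfs /tmp tmpfs rw 0 0'
BAD_MOUNTS='mgs@tcp:/lfs1 /lustre lustre rw,flock 0 0
mgs@tcp:/lfs1/restricted /lustre/restricted lustre rw,flock 0 0'

# Demonstration on the constructed tables.
printf '%s\n' "$GOOD_MOUNTS" | audit_login_mounts && echo "login node: OK"
printf '%s\n' "$BAD_MOUNTS" | audit_login_mounts || echo "login node: over-broad mount found"
```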




