[lustre-discuss] getting "permission denied" on mount when trying to use nodemaps for root squashing

Andreas Dilger adilger at thelustrecollective.com
Tue Feb 10 13:48:39 PST 2026


On Feb 9, 2026, at 08:05, Kurt Strosahl via lustre-discuss <lustre-discuss at lists.lustre.org> wrote:
> 
> Good Morning,
> 
>    I'm trying to set up nodemaps on a new lustre file system.  Presently when I turn on the nodemaps I get permission denied for servers in the default nodemap.
> 
> I've defined two custom nodemaps: an AdminSystems nodemap (for servers that will need to perform actions as root), and a LustreServers nodemap (for the lustre servers themselves).
> 
> Every other client will be in the default map (whose gid/uid/projid mappings we trust).
> 
> I set the following:
> [root@scmds2501 ~]# lctl get_param nodemap.*.admin_nodemap
> nodemap.AdminSystems.admin_nodemap=1
> nodemap.LustreServers.admin_nodemap=1
> nodemap.default.admin_nodemap=0
> 
> [root@scmds2501 ~]# lctl get_param nodemap.*.trusted_nodemap
> nodemap.AdminSystems.trusted_nodemap=1
> nodemap.LustreServers.trusted_nodemap=1
> nodemap.default.trusted_nodemap=1
> 
> When I turn on the nodemap feature I get a permission denied when mounting on a client node that isn't in the Admin nodemap.

Kurt, I'm not a nodemap expert, but you probably need to check some things on your side:
- can client mountpoints on the Admin/Server nodes work properly?
- are the nodemaps configured properly on all nodes (i.e. MGS)?
- are there other nodemap parameters on the default nodemap set correctly?
- any messages in the server console or debug logs to explain the error?

There have been a few LUG/LAD presentations on nodemaps that may help:
https://wiki.lustre.org/images/5/5c/LUG2018-Multitenancy-Buisson.pdf
https://wiki.lustre.org/images/3/3d/LUG2025-Lustre_Multitenancy-Buisson.pdf
https://www.eofs.eu/wp-content/uploads/2025/09/06-Vef-Lustre_Nodemap_Update-V1.pdf
https://www.eofs.eu/wp-content/uploads/2025/09/07-Buisson-Nodemap-membership-paradigms.pdf

> Interestingly, on a test client that was mounted before I turned on the nodemap I can write files as myself (into a directory that I established beforehand owned by me).
> 
> Our desired end state is an Admin nodemap we can add and remove systems to as needed that can take action as root, and all other lustre clients being able to access the file system, but having no root access.  The LustreServers nodemap is there to keep the lustre file servers themselves safe from any unexpected changes.
> 
> w/r,
> Kurt J. Strosahl (he/him)
> System Administrator: Lustre, HPC
> Scientific Computing Group, Thomas Jefferson National Accelerator Facility
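
Added example, not part of either poster's message: one way to run the "are the nodemaps configured properly on all nodes" check is to collect the `lctl get_param` output shown above from each server and compare it with the desired end state described in the thread. The hostnames and the sample output are constructed for illustration, and the expected values are an assumption taken from the settings quoted in the thread.

```python
import re

# Desired end state described in the thread (assumption for this example).
EXPECTED = {
    "AdminSystems": {"admin_nodemap": "1", "trusted_nodemap": "1"},
    "LustreServers": {"admin_nodemap": "1", "trusted_nodemap": "1"},
    "default": {"admin_nodemap": "0", "trusted_nodemap": "1"},
}

# Constructed sample: per-server output of `lctl get_param nodemap.*.admin_nodemap
# nodemap.*.trusted_nodemap`. Hostnames are hypothetical.
SAMPLE = {
    "mgs01": """nodemap.AdminSystems.admin_nodemap=1
                nodemap.LustreServers.admin_nodemap=1
                nodemap.default.admin_nodemap=0
                nodemap.AdminSystems.trusted_nodemap=1
                nodemap.LustreServers.trusted_nodemap=1
                nodemap.default.trusted_nodemap=1""",
    "mds01": """nodemap.AdminSystems.admin_nodemap=1
                nodemap.default.admin_nodemap=0
                nodemap.AdminSystems.trusted_nodemap=1
                nodemap.default.trusted_nodemap=0""",
}

# Prefix match is case-insensitive so mail-mangled "Nodemap." lines still parse.
LINE = re.compile(r"^nodemap\.([^.]+)\.([^.=]+)=(.*)$", re.IGNORECASE)

def parse(text):
    """Return {nodemap: {property: value}} from lctl get_param output."""
    maps = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            maps.setdefault(m[1], {})[m[2]] = m[3].strip()
    return maps

def audit(outputs, expected=EXPECTED):
    """List (server, nodemap, property, expected, actual) mismatches."""
    findings = []
    for server, text in sorted(outputs.items()):
        seen = parse(text)
        for name, props in expected.items():
            for prop, want in props.items():
                got = seen.get(name, {}).get(prop)  # None: absent on this server
                if got != want:
                    findings.append((server, name, prop, want, got))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s: nodemap.%s.%s expected %s, got %s" % finding)
```

A nodemap that is missing on one server shows up with an actual value of `None`, which separates "not propagated to this node" from "set to the wrong value".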