Here is the full config. I've checked that all the Lustre servers (combined
mds/mdt with a failover, six oss systems) are in the LustreServers nodemap.
[root@scmds2501 ~]# lctl get_param -R nodemap.*
nodemap.AdminSystems.admin_nodemap=1
nodemap.AdminSystems.audit_mode=1
nodemap.AdminSystems.deny_unknown=0
nodemap.AdminSystems.exports=
[
]
nodemap.AdminSystems.fileset=
nodemap.AdminSystems.forbid_encryption=0
nodemap.AdminSystems.id=2
nodemap.AdminSystems.idmap=
[
]
nodemap.AdminSystems.map_mode=all
nodemap.AdminSystems.ranges=
[
{ id: 25, start_nid: 172.17.1.234@o2ib, end_nid: 172.17.1.234@o2ib },
{ id: 24, start_nid: 172.17.0.13@o2ib, end_nid: 172.17.0.13@o2ib },
{ id: 23, start_nid: 172.17.0.232@o2ib, end_nid: 172.17.0.232@o2ib },
{ id: 22, start_nid: 172.17.17.140@o2ib, end_nid: 172.17.17.140@o2ib },
{ id: 21, start_nid: 172.17.17.134@o2ib, end_nid: 172.17.17.134@o2ib },
{ id: 20, start_nid: 172.17.1.225@o2ib, end_nid: 172.17.1.225@o2ib },
{ id: 19, start_nid: 172.17.0.18@o2ib, end_nid: 172.17.0.18@o2ib },
{ id: 18, start_nid: 172.17.1.233@o2ib, end_nid: 172.17.1.233@o2ib },
{ id: 17, start_nid: 172.17.1.230@o2ib, end_nid: 172.17.1.230@o2ib },
{ id: 16, start_nid: 172.17.0.178@o2ib, end_nid: 172.17.0.178@o2ib },
{ id: 15, start_nid: 172.17.0.177@o2ib, end_nid: 172.17.0.177@o2ib },
{ id: 14, start_nid: 172.17.0.176@o2ib, end_nid: 172.17.0.176@o2ib },
{ id: 13, start_nid: 172.17.0.175@o2ib, end_nid: 172.17.0.175@o2ib },
{ id: 12, start_nid: 172.17.0.154@o2ib, end_nid: 172.17.0.154@o2ib },
{ id: 11, start_nid: 172.17.0.153@o2ib, end_nid: 172.17.0.153@o2ib },
{ id: 10, start_nid: 172.17.0.46@o2ib, end_nid: 172.17.0.46@o2ib },
{ id: 9, start_nid: 172.17.0.45@o2ib, end_nid: 172.17.0.45@o2ib },
{ id: 8, start_nid: 172.17.0.44@o2ib, end_nid: 172.17.0.44@o2ib },
{ id: 7, start_nid: 172.17.0.43@o2ib, end_nid: 172.17.0.43@o2ib },
{ id: 6, start_nid: 172.17.1.17@o2ib, end_nid: 172.17.1.17@o2ib },
{ id: 5, start_nid: 172.17.1.16@o2ib, end_nid: 172.17.1.16@o2ib }
]
nodemap.AdminSystems.sepol=
nodemap.AdminSystems.squash_gid=99
nodemap.AdminSystems.squash_projid=99
nodemap.AdminSystems.squash_uid=99
nodemap.AdminSystems.trusted_nodemap=1
nodemap.LustreServers.admin_nodemap=1
nodemap.LustreServers.audit_mode=1
nodemap.LustreServers.deny_unknown=0
nodemap.LustreServers.exports=
[
{ nid: 172.17.0.29@o2ib, uuid: lustre25-MDT0000-lwp-OST0001_UUID },
{ nid: 172.17.0.31@o2ib, uuid: lustre25-MDT0000-lwp-OST0003_UUID },
{ nid: 172.17.0.30@o2ib, uuid: lustre25-MDT0000-lwp-OST0002_UUID },
{ nid: 172.17.0.33@o2ib, uuid: lustre25-MDT0000-lwp-OST0005_UUID },
{ nid: 172.17.0.32@o2ib, uuid: lustre25-MDT0000-lwp-OST0004_UUID },
{ nid: 172.17.0.27@o2ib, uuid: lustre25-MDT0000-lwp-OST0000_UUID },
{ nid: 0@lo, uuid: lustre25-MDT0000-lwp-MDT0000_UUID },
]
nodemap.LustreServers.fileset=
nodemap.LustreServers.forbid_encryption=0
nodemap.LustreServers.id=1
nodemap.LustreServers.idmap=
[
]
nodemap.LustreServers.map_mode=all
nodemap.LustreServers.ranges=
[
{ id: 4, start_nid: 172.17.0.29@o2ib, end_nid: 172.17.0.33@o2ib },
{ id: 3, start_nid: 172.17.0.27@o2ib, end_nid: 172.17.0.27@o2ib },
{ id: 2, start_nid: 172.17.0.22@o2ib, end_nid: 172.17.0.22@o2ib },
{ id: 1, start_nid: 172.17.0.14@o2ib, end_nid: 172.17.0.14@o2ib }
]
nodemap.LustreServers.sepol=
nodemap.LustreServers.squash_gid=99
nodemap.LustreServers.squash_projid=99
nodemap.LustreServers.squash_uid=99
nodemap.LustreServers.trusted_nodemap=1
nodemap.active=0
nodemap.default.admin_nodemap=0
nodemap.default.audit_mode=1
nodemap.default.deny_unknown=0
nodemap.default.exports=
[
{ nid: 172.17.1.127@o2ib, uuid: 5dd1bac6-cb91-1169-183d-f084efaba32d },
{ nid: 172.17.1.221@o2ib, uuid: bd67c3f7-8a44-4fac-8685-2e234742a2c2 },
]
nodemap.default.fileset=
nodemap.default.forbid_encryption=0
nodemap.default.id=0
nodemap.default.map_mode=all
nodemap.default.squash_gid=99
nodemap.default.squash_projid=99
nodemap.default.squash_uid=99
nodemap.default.trusted_nodemap=1
________________________________
From: Sebastien Buisson <[email protected]>
Sent: Wednesday, February 11, 2026 2:56 PM
To: Kurt Strosahl <[email protected]>
Cc: [email protected] <[email protected]>; Mohr,
Rick <[email protected]>; Aurelien Degremont <[email protected]>
Subject: Re: [lustre-discuss] [EXTERNAL] getting "permission dendied" on mount
when trying to use nodemaps for root squashing
Kurt,
Could you please dump your whole nodemap config, via:
MGS# lctl get_param -R nodemap.*
It would be particularly interesting to see which values are set for the
deny_unknown (which should be 0) and squash_{uid,gid,projid} properties (which
should not be 0).
Also, what is the Lustre version you are using, on client and on server sides?
Cheers,
Sebastien.
On 11 Feb 2026, at 21:25, Aurelien Degremont via lustre-discuss
<[email protected]> wrote:
Kurt,
I'm using nodemaps for root_squash and this is working for me. Your setup seems
correct wrt admin and trusted flags.
So, there must be something wrong somewhere, but in principle what you
described in your e-mail is correct.
Aurélien
________________________________
From: lustre-discuss <[email protected]>
on behalf of Mohr, Rick via lustre-discuss <[email protected]>
Sent: Wednesday, 11 February 2026 08:02
To: Kurt Strosahl <[email protected]>; [email protected] <[email protected]>
Subject: Re: [lustre-discuss] [EXTERNAL] getting "permission dendied" on mount
when trying to use nodemaps for root squashing
Kurt,
It sounds like you are using nodemaps primarily to squash root access. Prior
to nodemaps, there were a couple of parameters that were used to control this
(root_squash and nosquash_nids). I don't see them mentioned in the latest
lustre manual, so I assume they are deprecated in favor of nodemap. But the
parameters still exist in the code afaik. I've not tried them recently to see
if they still work, but if they do, I suppose you could try using them to see
if you get the desired effect. It might be a long shot, but perhaps getting
those parameters working (or not working) might shed some light on what might
be wrong with your nodemap.
--Rick
On 2/9/26, 10:11 AM, "lustre-discuss on behalf of Kurt Strosahl via
lustre-discuss" <[email protected] on behalf of [email protected]> wrote:
Good Morning,
I'm trying to set up nodemaps on a new lustre file system. Presently when I
turn on the nodemaps I get permission denied for servers in the default nodemap.
I've defined two custom nodemaps. An AdminSystems nodemap (for servers that
will need to perform actions as root), and a LustreServers nodemap (for the
lustre servers themselves).
Every other client will be in the default map (whose gid/uid/projid mappings
we trust).
I set the following:
[root@scmds2501 ~]# lctl get_param nodemap.*.admin_nodemap
nodemap.AdminSystems.admin_nodemap=1
nodemap.LustreServers.admin_nodemap=1
nodemap.default.admin_nodemap=0
[root@scmds2501 ~]# lctl get_param nodemap.*.trusted_nodemap
nodemap.AdminSystems.trusted_nodemap=1
nodemap.LustreServers.trusted_nodemap=1
nodemap.default.trusted_nodemap=1
When I turn on the nodemap feature I get a permission denied when mounting on a
client node that isn't in the Admin nodemap.
Interestingly, on a test client that was mounted before I turned on the nodemap
I can write files as myself (into a directory that I established beforehand
owned by me).
Our desired end state is an Admin nodemap we can add and remove systems to as
needed that can take action as root, and all other lustre clients being able to
access the file system, but having no root access. The LustreServers nodemap is
there to keep the lustre file servers themselves safe from any unexpected
changes.
w/r,
Kurt J. Strosahl (he/him)
System Administrator: Lustre, HPC
Scientific Computing Group, Thomas Jefferson National Accelerator Facility
_______________________________________________
lustre-discuss mailing list
[email protected]
http://lists.lustre.org/listinfo.cgi/lustre-discuss-lustre.org
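
An added example, not part of the thread and not Lustre project code: a Python parser for the `lctl get_param -R nodemap.*` dump that applies the checks asked for in the quoted reply (deny_unknown is 0, squash ids are not 0) and reports which nodemap a client NID falls into. The function names, the abridged sample dump and the IPv4-only range comparison are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample, abridged from the dump format shown in the thread.
SAMPLE = """\
nodemap.LustreServers.deny_unknown=0
nodemap.LustreServers.ranges=
[
{ id: 4, start_nid: 172.17.0.29@o2ib, end_nid: 172.17.0.33@o2ib },
{ id: 3, start_nid: 172.17.0.27@o2ib, end_nid: 172.17.0.27@o2ib }
]
nodemap.LustreServers.squash_uid=99
nodemap.active=0
nodemap.default.admin_nodemap=0
nodemap.default.deny_unknown=0
nodemap.default.squash_gid=99
nodemap.default.squash_uid=99
"""

RANGE = re.compile(r"start_nid: ([\d.]+)@(\w+), end_nid: ([\d.]+)@")
SQUASH = ("squash_uid", "squash_gid", "squash_projid")

def parse(dump):
    """Return ({nodemap: {param: value}}, {nodemap: [(net, first_ip, last_ip)]})."""
    params, ranges, owner = {}, {}, None
    for line in dump.splitlines():
        m = RANGE.search(line)
        if m and owner:  # a range entry inside the current "ranges=" list
            lo, net, hi = m.groups()
            ranges.setdefault(owner, []).append(
                (net, ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        elif line.startswith("nodemap.") and "=" in line:
            key, value = line.split("=", 1)
            # Global keys such as nodemap.active are stored under the name "".
            name, _, param = key[len("nodemap."):].rpartition(".")
            params.setdefault(name, {})[param] = value
            owner = name if param == "ranges" else None
    return params, ranges

def nodemap_for(nid, ranges):
    """Nodemap whose range holds the NID; NIDs in no range use 'default'."""
    addr, net = nid.split("@")
    ip = ipaddress.ip_address(addr)  # assumption: IPv4 NIDs only
    return next((name for name, spans in ranges.items()
                 if any(n == net and lo <= ip <= hi for n, lo, hi in spans)), "default")

def findings(params):
    """List (nodemap, param, value) where deny_unknown != 0 or a squash id == 0."""
    return [(n, k, v) for n, p in params.items() for k, v in p.items()
            if (k == "deny_unknown" and v != "0") or (k in SQUASH and v == "0")]
```

Feed it the saved output of the MGS command and call `nodemap_for()` with the NID of the client whose mount fails to confirm which nodemap's settings apply to it.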