TLC Lustre Repository Browser - lctl-nodemap-modify.8

Viewing: lctl-nodemap-modify.8

.TH LCTL-NODEMAP_MODIFY 8 2025-07-09 Lustre "Lustre Configuration Utilities"
.SH NAME
lctl-nodemap_modify \- modify a nodemap property
.SH SYNOPSIS
.SY "lctl nodemap_modify"
or
.SY "lctl nodemap modify"
.BI --name " NODEMAP_NAME"
.B --property
.IR PROPERTY_NAME {\fB= VALUE |\fB--value " VALUE" }
.YS
.SH DESCRIPTION
.B nodemap_modify
modifies a property of the given nodemap.
.SH OPTIONS
.TP
.BI --name " NODEMAP_NAME"
The name of the nodemap to modify
.TP
.B --property
.IR PROPERTY_NAME {\fB= VALUE |\fB--value " VALUE" }
.TP
One of the following properties:
.RS 8
.TP 4
.B admin
Defaults to 0. If set to 1, then root will NOT be squashed. By default,
the root user is mapped to the value of squash_uid.
.TP
.B trusted
Defaults to 0. If set to 1, then user mapping will be disabled for all
non-root users. This means that the identities provided by the client will be
trusted to match the identities of the file system. By default, the client user
identities are mapped to the file system identities based on the nodemap rules.
.TP
.B squash_uid
Defaults to
.B NODEMAP_NOBODY_UID
if not specified, which is 65534 to match the standard Linux
.B nobody
user ID.
The user ID that unknown users (if not
.BR trusted " ) and "
.BR root " (if not " admin )
should be mapped to.
When offsets are defined on the nodemap, the squash value should be in the
offset range [ 0, offset_limit-1 ], otherwise squashed UIDs would escape
offsetting.
Note squashing to UID 0 (root) is not permitted.
.TP
.B squash_gid
Defaults to
.B NODEMAP_NOBODY_UID
if not specified, which is 65534 to match the standard Linux
.B nobody
user ID.
The group ID that unknown groups (if not trusted)
and root (if not admin) should be mapped to.
When offsets are defined on the nodemap, the squash value should be in the
offset range [ 0, offset_limit-1 ], otherwise squashed GIDs would escape
offsetting.
Note squashing to GID 0 (root) is not permitted.
.TP
.B squash_projid
Defaults to
.B NODEMAP_NOBODY_UID
if not specified, which is 65534 to match the standard Linux
.B nobody
user ID.
The project ID that unknown projects (if not trusted) should be mapped to.
When offsets are defined on the nodemap, the squash value should be in the
offset range [ 0, offset_limit-1 ], otherwise squashed PROJIDs would escape
offsetting.
.TP
.B deny_unknown
Defaults to 0. If set to 1 then unknown (squashed) users will be denied
access to the filesystem completely instead of just being squashed. Users are
considered unknown by nodemap if the admin flag is off and the user is root, or
trusted are set to off and the user is not mapped.
.IP
Note: directory entries cached by a Lustre client may be visible to unknown
users located on the same client, though the contents of the files will not be.
.TP
.B audit_mode
Defaults to 1, which lets clients record file system access events to the
Changelogs, if Changelogs are otherwise activated. If set to 0, events from
these clients are not logged into the Changelogs, no matter if Changelogs are
activated or not.
The reason not to record file system events from given clients is to prevent
some nodes (e.g. backup, HSM agent nodes) from flooding the Changelogs.
.TP
.B map_mode
Defaults to all, which means the nodemap maps UIDs, GIDs, and PROJIDs.
Other possible values (multiple can be specified, comma separated) are uid to
map UIDs, gid to map GIDs, both to map UIDs and GIDs, and projid to map PROJIDs.
.TP
.B forbid_encryption
Defaults to 0, which means encryption is allowed.
Set to 1 to prevent clients from using encryption.
.TP
.B child_raise_privileges
Defaults to none, allowing child nodemaps to only lower privileges established
by parent nodemap. Other possible values (multiple can be specified, comma
separated) are the nodemap properties names that support privilege raise:
.br
- admin
.br
- trusted
.br
- deny_unknown
.br
- readonly_mount
.br
- forbid_encryption
.br
- child_raise_privs
.br
- caps
.br
- deny_mount
.br
It is also possible to specify any roles accepted by the
.B rbac
property (see below).
.br
Any privilege not explicitly specified cannot be raised. To allow all privileges
to be raised, use 'all' value.
.TP
.B readonly_mount
Defaults to 0, which lets clients mount in read-write mode. If set to 1,
clients are forced to a read-only mount if not specified explicitly.
.TP
.B deny_mount
Defaults to 0, accepting client mounts from nodes assigned to the nodemap. If
set to 1, nodes assigned to the nodemap can no longer mount new Lustre clients.
Existing clients remain operational until a remount is attempted.
.TP
.B rbac
Property available on regular nodemaps but also on the default nodemap.
Defaults to
.RB ' all ',
which means all roles are allowed.
Other possible values (multiple can be specified, comma separated) are:
.br
.RB - byfid_ops ,
allow operations by FID (e.g.
.BR lfs-rmfid (1),
.BR lfs-fid2path (1)).
.br
.RB - chlg_ops ,
allow use of Changelogs (e.g.
.BR lfs-changelog (1)).
.br
.RB - dne_ops ,
allow client DNE operations (e.g.
.BR lfs-setdirstripe (1)).
.br
.RB - file_perms ,
allow changing file permissions and owners (e.g.
.BR chmod (1),
.BR chown (1)).
.br
.RB - fscrypt_admin ,
allow fscrypt related admin tasks (create or modify protectors/policies).
Note that even without this role,
it is still possible to lock or unlock encrypted directories,
as these operations only need read access to fscrypt metadata.
.br
.RB - foreign_ops ,
create foreign dirs (e.g.
.RB ' "lfs setdirstripe --foreign" ').
.br
.RB - hsm_ops ,
allow client HSM operations (e.g.
.BR lfs-hsm (1)).
.br
.RB - ignore_root_prjquota ,
project quota not enforced for root user.
.br
.RB - local_admin ,
allow mapped root file operations, unless squashed (e.g.
.BR chown (1),
.BR chgrp (1)).
Unavailable on default nodemap, as there are id mappings or offsets
possible on the default nodemap.
.br
.RB - quota_ops ,
allow UID/GID/ProjID quota changes (e.g.
.BR lfs-setquota (1)).
.br
.RB - lqa_quota_ops ,
to allow LQA quota modifications (e.g.
.BR lctl-lqa "(8), '" "lfs setquota --lqa" ').
.br
.RB - pool_quota_ops ,
allow pool quota changes (e.g.
.RB ' "lfs setquota --pool" ').
.br
.RB - projid_set ,
to allow setting project ID on files and directories (e.g..
.BR lfs-project (1),
.BR chattr (1)).
.br
.RB - server_upcall ,
to define which identity upcall to use (see
.BR mdt.identity_upcall (4)).
If set, identity upcall is defined by server side tunable.
If not set, identity upcall is forced to INTERNAL,
so that servers trust supplementary groups as provided by clients.
.br
Apart from
.RB ' all ',
any role not explicitly specified is forbidden.  To forbid all roles, use
.RB ' none '.
.br
Roles can also be updated incrementally using '+' and '-' operators (e.g.,
Use '+dne_ops' to add a role, or '-file_perms' to remove a role) without specifying
the full set of roles.
.TP
.B gssonly_identification
If set to 1, clients for this nodemap are no longer identified based on their
NIDs, but instead by the GSS token they are using to authenticate. Consequently,
a nodemap with this property set cannot have any NID ranges defined. Any client
using the GSS token associated with this nodemap to authenticate is considered
part of this nodemap.
.br
Defaults to 0.
.RE
.TP
.BI --value " VALUE"
The value to set for the property. Should be 0 or 1 for admin and trusted.
The use of both
.BI --property " PROPERTY_NAME" = VALUE
and
.BI --value " VALUE"
is invalid.
.SH EXAMPLES
Commands illustrating how to modify nodemap properties:
.EX
.B # lctl nodemap_modify --name remotesite --property trusted --value 1
.B # lctl nodemap_modify --name remotesite --property admin --value 1
.B # lctl nodemap_modify --name remotesite --property map_mode --value uid
.B # lctl nodemap_modify --name remotesite --property rbac=all
.B # lctl nodemap_modify --name remotesite --property rbac=+hsm_ops,-file_perms
.B # lctl nodemap_modify --name othersite --property squash_uid --value 101
.EE
.SH AVAILABILITY
.B lctl nodemap_modify
is part of the
.BR lustre (7)
filesystem package since release 2.6.0
.\" Added in commit v2_5_56_0-13-g4642f30970
.SH SEE ALSO
.BR lustre (7),
.BR mdt.enable_foreign_dir (4),
.BR mdt.enable_remote_dir (4),
.BR mdt.identity_upcall (4),
.BR lctl-nodemap-activate (8),
.BR lctl-nodemap-add-idmap (8),
.BR lctl-nodemap-add-offset (8),
.BR lctl-nodemap-add-range (8),
.BR lctl-nodemap-del (8),
.BR lctl-nodemap-del-idmap (8),
.BR lctl-nodemap-del-offset (8),
.BR lctl-nodemap-del-range (8),
.BR lctl-nodemap-new (8)