diff --git a/pages/merlin6/02-How-To-Use-Merlin/kerberos.md b/pages/merlin6/02-How-To-Use-Merlin/kerberos.md index 77495e8..7bd7380 100644 --- a/pages/merlin6/02-How-To-Use-Merlin/kerberos.md +++ b/pages/merlin6/02-How-To-Use-Merlin/kerberos.md @@ -108,7 +108,7 @@ Then, from inside the batch script one can obtain granting tickets for Kerberos The steps should be the following: * Setup `KRB5CCNAME`, which can be used to specify the location of the Kerberos5 credentials (ticket) cache. In general it should point to a shared area -(`$HOME/.k5` is a good location), and is strongly recommended to generate an independent Kerberos5 cache (it is, creating a new cache for each job): +(`$HOME/.k5` is a good location), and is strongly recommended to generate an independent Kerberos5 credential cache (it is, creating a new credential cache per Slurm job): ```bash export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX")" ``` @@ -127,10 +127,9 @@ kdestroy ### Slurm batch script example: obtaining KRB+AFS granting tickets +#### Example 1: Independent crendetial cache per Slurm job -#### Example 1: independent cache file - -This is the recommended way: +This is the **recommended** way. At the end of the job, is strongly recommended to remove / destroy the existing kerberos tickets. ```bash #!/bin/bash @@ -155,21 +154,20 @@ echo "Here should go my batch script code." # Destroy Kerberos tickets created for this job only kdestroy klist - -# Remove the remaining cache file -rm -f $KRB5CCNAME ``` +#### Example 2: Shared credential cache -#### Example 2: shared cache file +Some users may need/prefer to run with a shared cache file. For doing that, one needs to +setup `KRB5CCNAME` from the **login node** session, before submitting the job. -Some users may need/prefer to run with a shared cache file. - -* From the login nodes: ```bash export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX")" ``` -* Run the job script. `KRB5CCNAME` will be set in the environment of the job itself: + +Then, you can run one or multiple jobs scripts (or parallel job with `srun`). `KRB5CCNAME` will be propagated to the +job script or to the parallel job, therefore a single credential cache will be shared amongst different Slurm runs. + ```bash #!/bin/bash @@ -190,4 +188,6 @@ aklog klist echo "Here should go my batch script code." + +echo "No need to run 'kdestroy', as it may have to survive for running other jobs" ```