HPCE/gitea-pages
HPCE/gitea-pages
0
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Activity

kerberos update

Browse Source
This commit is contained in:
caubet_m 2022-07-15 15:22:12 +02:00
parent 7e8b56e0f7
commit 2d267ae8d2
1 changed files with 12 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
pages/merlin6/02-How-To-Use-Merlin/kerberos.md
View File

@ -108,7 +108,7 @@ Then, from inside the batch script one can obtain granting tickets for Kerberos
The steps should be the following:
* Setup `KRB5CCNAME`, which can be used to specify the location of the Kerberos5 credentials (ticket) cache. In general it should point to a shared area
(`$HOME/.k5` is a good location), and is strongly recommended to generate an independent Kerberos5 cache (it is, creating a new cache for each job):
(`$HOME/.k5` is a good location), and is strongly recommended to generate an independent Kerberos5 credential cache (it is, creating a new credential cache per Slurm job):
```bash
export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX")"
```
@ -127,10 +127,9 @@ kdestroy
### Slurm batch script example: obtaining KRB+AFS granting tickets
#### Example 1: Independent crendetial cache per Slurm job
#### Example 1: independent cache file
This is the recommended way:
This is the **recommended** way. At the end of the job, is strongly recommended to remove / destroy the existing kerberos tickets.
```bash
#!/bin/bash
@ -155,21 +154,20 @@ echo "Here should go my batch script code."
# Destroy Kerberos tickets created for this job only
kdestroy
klist
# Remove the remaining cache file
rm -f $KRB5CCNAME
```
#### Example 2: Shared credential cache
#### Example 2: shared cache file
Some users may need/prefer to run with a shared cache file. For doing that, one needs to
setup `KRB5CCNAME` from the **login node** session, before submitting the job.
Some users may need/prefer to run with a shared cache file.
* From the login nodes:
```bash
export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX")"
```
* Run the job script. `KRB5CCNAME` will be set in the environment of the job itself:
Then, you can run one or multiple jobs scripts (or parallel job with `srun`). `KRB5CCNAME` will be propagated to the
job script or to the parallel job, therefore a single credential cache will be shared amongst different Slurm runs.
```bash
#!/bin/bash
@ -190,4 +188,6 @@ aklog
klist
echo "Here should go my batch script code."
echo "No need to run 'kdestroy', as it may have to survive for running other jobs"
```