diff --git a/pages/merlin6/02-How-To-Use-Merlin/kerberos.md b/pages/merlin6/02-How-To-Use-Merlin/kerberos.md index ebac79d..77495e8 100644 --- a/pages/merlin6/02-How-To-Use-Merlin/kerberos.md +++ b/pages/merlin6/02-How-To-Use-Merlin/kerberos.md @@ -108,19 +108,9 @@ Then, from inside the batch script one can obtain granting tickets for Kerberos The steps should be the following: * Setup `KRB5CCNAME`, which can be used to specify the location of the Kerberos5 credentials (ticket) cache. In general it should point to a shared area -(`$HOME/.k5` is a good location), and is strongly recommended to generate a shared Kerberos5 cache (in example, in that way one can always refresh -granting tickets for long jobs from anywhere): - +(`$HOME/.k5` is a good location), and is strongly recommended to generate an independent Kerberos5 cache (it is, creating a new cache for each job): ```bash -# Example one: Shared Kerberos5 cache -# Same cache file for all jobs -# Generally, always the recommended option export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX")" - -# Example two: Independent Kerberos5 cache -# ${SLURM_JOBID} will make the cache independent per job -# Use it only if necessary -export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX-{SLURM_JOBID}")" ``` * To obtain a Kerberos5 granting ticket, run `kinit` by using your keytab: ```bash @@ -129,13 +119,18 @@ kinit -kt "$HOME/.k5/krb5.keytab" $USER@D.PSI.CH * To obtain a granting AFS ticket, run `aklog`: ```bash aklog -``** +``` +* At the end of the job, you can remove destroy existing Kerberos tickets. +```bash +kdestroy +``` ### Slurm batch script example: obtaining KRB+AFS granting tickets -#### Example 1: shared cache file -This is the **recommended*** way for running: +#### Example 1: independent cache file + +This is the recommended way: ```bash #!/bin/bash @@ -155,29 +150,6 @@ kinit -kt "$HOME/.k5/krb5.keytab" $USER@D.PSI.CH aklog klist -echo "Here should go my batch script code." -``` - -#### Example 2: independent cache file - -```bash -#!/bin/bash -#SBATCH --partition=hourly # Specify 'general' or 'daily' or 'hourly' -#SBATCH --time=01:00:00 # Strictly recommended when using 'general' partition. -#SBATCH --output=run.out # Generate custom output file -#SBATCH --error=run.err # Generate custom error file -#SBATCH --nodes=1 # Uncomment and specify #nodes to use -#SBATCH --ntasks=1 # Uncomment and specify #nodes to use -#SBATCH --cpus-per-task=1 -#SBATCH --constraint=xeon-gold-6152 -#SBATCH --hint=nomultithread -#SBATCH --job-name=krb5 - -export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX-${SLURM_JOBID}")" -kinit -kt "$HOME/.k5/krb5.keytab" $USER@D.PSI.CH -aklog -klist - echo "Here should go my batch script code." # Destroy Kerberos tickets created for this job only @@ -187,3 +159,35 @@ klist # Remove the remaining cache file rm -f $KRB5CCNAME ``` + + +#### Example 2: shared cache file + +Some users may need/prefer to run with a shared cache file. + +* From the login nodes: +```bash +export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX")" +``` +* Run the job script. `KRB5CCNAME` will be set in the environment of the job itself: +```bash + +#!/bin/bash +#SBATCH --partition=hourly # Specify 'general' or 'daily' or 'hourly' +#SBATCH --time=01:00:00 # Strictly recommended when using 'general' partition. +#SBATCH --output=run.out # Generate custom output file +#SBATCH --error=run.err # Generate custom error file +#SBATCH --nodes=1 # Uncomment and specify #nodes to use +#SBATCH --ntasks=1 # Uncomment and specify #nodes to use +#SBATCH --cpus-per-task=1 +#SBATCH --constraint=xeon-gold-6152 +#SBATCH --hint=nomultithread +#SBATCH --job-name=krb5 + +# KRB5CCNAME is inherit from the login node session +kinit -kt "$HOME/.k5/krb5.keytab" $USER@D.PSI.CH +aklog +klist + +echo "Here should go my batch script code." +```