kerberos update
This commit is contained in:
parent
c64149733f
commit
7e8b56e0f7
@ -108,19 +108,9 @@ Then, from inside the batch script one can obtain granting tickets for Kerberos
|
|||||||
The steps should be the following:
|
The steps should be the following:
|
||||||
|
|
||||||
* Setup `KRB5CCNAME`, which can be used to specify the location of the Kerberos5 credentials (ticket) cache. In general it should point to a shared area
|
* Setup `KRB5CCNAME`, which can be used to specify the location of the Kerberos5 credentials (ticket) cache. In general it should point to a shared area
|
||||||
(`$HOME/.k5` is a good location), and is strongly recommended to generate a shared Kerberos5 cache (in example, in that way one can always refresh
|
(`$HOME/.k5` is a good location), and is strongly recommended to generate an independent Kerberos5 cache (it is, creating a new cache for each job):
|
||||||
granting tickets for long jobs from anywhere):
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Example one: Shared Kerberos5 cache
|
|
||||||
# Same cache file for all jobs
|
|
||||||
# Generally, always the recommended option
|
|
||||||
export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX")"
|
export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX")"
|
||||||
|
|
||||||
# Example two: Independent Kerberos5 cache
|
|
||||||
# ${SLURM_JOBID} will make the cache independent per job
|
|
||||||
# Use it only if necessary
|
|
||||||
export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX-{SLURM_JOBID}")"
|
|
||||||
```
|
```
|
||||||
* To obtain a Kerberos5 granting ticket, run `kinit` by using your keytab:
|
* To obtain a Kerberos5 granting ticket, run `kinit` by using your keytab:
|
||||||
```bash
|
```bash
|
||||||
@ -129,13 +119,18 @@ kinit -kt "$HOME/.k5/krb5.keytab" $USER@D.PSI.CH
|
|||||||
* To obtain a granting AFS ticket, run `aklog`:
|
* To obtain a granting AFS ticket, run `aklog`:
|
||||||
```bash
|
```bash
|
||||||
aklog
|
aklog
|
||||||
``**
|
```
|
||||||
|
* At the end of the job, you can remove destroy existing Kerberos tickets.
|
||||||
|
```bash
|
||||||
|
kdestroy
|
||||||
|
```
|
||||||
|
|
||||||
### Slurm batch script example: obtaining KRB+AFS granting tickets
|
### Slurm batch script example: obtaining KRB+AFS granting tickets
|
||||||
|
|
||||||
#### Example 1: shared cache file
|
|
||||||
|
|
||||||
This is the **recommended*** way for running:
|
#### Example 1: independent cache file
|
||||||
|
|
||||||
|
This is the recommended way:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
@ -155,29 +150,6 @@ kinit -kt "$HOME/.k5/krb5.keytab" $USER@D.PSI.CH
|
|||||||
aklog
|
aklog
|
||||||
klist
|
klist
|
||||||
|
|
||||||
echo "Here should go my batch script code."
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Example 2: independent cache file
|
|
||||||
|
|
||||||
```bash
|
|
||||||
#!/bin/bash
|
|
||||||
#SBATCH --partition=hourly # Specify 'general' or 'daily' or 'hourly'
|
|
||||||
#SBATCH --time=01:00:00 # Strictly recommended when using 'general' partition.
|
|
||||||
#SBATCH --output=run.out # Generate custom output file
|
|
||||||
#SBATCH --error=run.err # Generate custom error file
|
|
||||||
#SBATCH --nodes=1 # Uncomment and specify #nodes to use
|
|
||||||
#SBATCH --ntasks=1 # Uncomment and specify #nodes to use
|
|
||||||
#SBATCH --cpus-per-task=1
|
|
||||||
#SBATCH --constraint=xeon-gold-6152
|
|
||||||
#SBATCH --hint=nomultithread
|
|
||||||
#SBATCH --job-name=krb5
|
|
||||||
|
|
||||||
export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX-${SLURM_JOBID}")"
|
|
||||||
kinit -kt "$HOME/.k5/krb5.keytab" $USER@D.PSI.CH
|
|
||||||
aklog
|
|
||||||
klist
|
|
||||||
|
|
||||||
echo "Here should go my batch script code."
|
echo "Here should go my batch script code."
|
||||||
|
|
||||||
# Destroy Kerberos tickets created for this job only
|
# Destroy Kerberos tickets created for this job only
|
||||||
@ -187,3 +159,35 @@ klist
|
|||||||
# Remove the remaining cache file
|
# Remove the remaining cache file
|
||||||
rm -f $KRB5CCNAME
|
rm -f $KRB5CCNAME
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
#### Example 2: shared cache file
|
||||||
|
|
||||||
|
Some users may need/prefer to run with a shared cache file.
|
||||||
|
|
||||||
|
* From the login nodes:
|
||||||
|
```bash
|
||||||
|
export KRB5CCNAME="$(mktemp "$HOME/.k5/krb5cc_XXXXXX")"
|
||||||
|
```
|
||||||
|
* Run the job script. `KRB5CCNAME` will be set in the environment of the job itself:
|
||||||
|
```bash
|
||||||
|
|
||||||
|
#!/bin/bash
|
||||||
|
#SBATCH --partition=hourly # Specify 'general' or 'daily' or 'hourly'
|
||||||
|
#SBATCH --time=01:00:00 # Strictly recommended when using 'general' partition.
|
||||||
|
#SBATCH --output=run.out # Generate custom output file
|
||||||
|
#SBATCH --error=run.err # Generate custom error file
|
||||||
|
#SBATCH --nodes=1 # Uncomment and specify #nodes to use
|
||||||
|
#SBATCH --ntasks=1 # Uncomment and specify #nodes to use
|
||||||
|
#SBATCH --cpus-per-task=1
|
||||||
|
#SBATCH --constraint=xeon-gold-6152
|
||||||
|
#SBATCH --hint=nomultithread
|
||||||
|
#SBATCH --job-name=krb5
|
||||||
|
|
||||||
|
# KRB5CCNAME is inherit from the login node session
|
||||||
|
kinit -kt "$HOME/.k5/krb5.keytab" $USER@D.PSI.CH
|
||||||
|
aklog
|
||||||
|
klist
|
||||||
|
|
||||||
|
echo "Here should go my batch script code."
|
||||||
|
```
|
||||||
|
Loading…
x
Reference in New Issue
Block a user