Thanks, Mark, are there also any AFS-specific SGE config variable that
you set?
E.g. in the installer script, I see:
812 if [ "$AFS" = true ]; then
813 $ECHO "set_token_cmd /path_to_token_cmd/set_token_cmd"
814 $ECHO "pag_cmd /usr/afsws/bin/pagsh"
815 $ECHO "token_extend_time 24:0:0"
https://arc.liv.ac.uk/trac/SGE/browser/sge/source/dist/util/install_modules/inst_qmaster.sh#L812
Or else how does GE know to use those scripts?
Regards,
Alex
On 10/01/2011 05:15 AM, Mark Suhovecky wrote:
Alex-
We use Kerberos 5 and OpenAFS 1.4.14 with RHEL 5.5 and GE 6.2u5p2. Here are the
pag, get_token_cmd, and set_token_cmd scripts we use:
cat pag
#!/bin/sh
export KRB5CCNAME=FILE:$PWD/token.afs
exec /usr/bin/pagsh -c "$2"
cat get_token_cmd
#!/bin/bash
cat `echo $KRB5CCNAME | cut -f 2 -d :` | /usr/bin/base64
cat set_token_cmd
#!/bin/bash
ticketname=$PWD/ticket.encoded
touch $ticketname
chmod 600 $ticketname
while read line
do
echo $line>> $ticketname
done
#KRB5CCNAME is set by $SGEROOT/util/pag script
cat $ticketname | /usr/bin/base64 -d --ignore-garbage> `echo $KRB5CCNAME | cut
-f 2 -d :`
rm $ticketname
#Get token and change permissions to SGE_USER ($1), and campus group (1313)
aklog
chmod 600 `echo $KRB5CCNAME | cut -f 2 -d :`
chown $1:1313 `echo $KRB5CCNAME | cut -f 2 -d :`
We've had these in place for almost 3 years, and they work.
You need an AFS token lifetime that's longer than a job's maximum lifetime +
the length of time a job may be queued- if
not, it's possible for a running job's token to expire. If that happens, you'll
get an SGE error about 'AFS zero token length'
when the job tries to access a file in AFS.
I didn't write these, but I can try to answer any questions you might have.
Good Luck,
Mark
Mark Suhovecky
HPC System Administrator
Center for Research Computing
University of Notre Dame
[email protected]
________________________________________
From: [email protected] [[email protected]] On Behalf Of
Alex Chekholko [[email protected]]
Sent: Friday, September 30, 2011 5:33 PM
To: [email protected]
Subject: [gridengine users] current status of Kerberos support (and maybe
AFS)?
Hey all,
I'm a somewhat experienced GE admin trying to get Grid Engine up and
running on some systems that have Kerberos and AFS but not SSH pubkey
auth or SSH password auth.
Regular users have an AFS global homedir.
Where can I look for the status of Kerberos and/or AFS support in
current versions of GE?
I'm using the Debian Squeeze packages, but I can switch to a custom
install from any current fork.
This link seems most promising, but more complicated than I like:
http://markmail.org/message/3vakrcunuyyw5euf
Anyone have an opinion about whether the scripts in the link above will
work with modern GE 6.2u5+?
Regards,
--
Alex Chekholko [email protected]
_______________________________________________
users mailing list
[email protected]
https://gridengine.org/mailman/listinfo/users
