On 10/02/2012 02:12 PM, Orion Poplawski wrote:
/usr/share/gridengine/util/krb5sh - This is run by sge_execd as a wrapper
around the job. It sets KRB5CCNAME and cleans up the ticket file after the job
completes.
#!/bin/bash
# krb5sh - run as pag_cmd -c command
# Sets the Kerberos ticket cache name
export KRB5CCNAME=`mktemp /tmp/krb5cc_sge_XXXXXX`
chcon -t user_tmp_t $KRB5CCNAME
# Strip the exec so we can cleanup afterwards
${2/exec /}
rm $KRB5CCNAME
/usr/share/gridengine/util/set_token_cmd -
#!/bin/bash
# set_token_cmd - called with user name and seconds to extend ticket
base64 -d > $KRB5CCNAME
chown $1 $KRB5CCNAME
TODO
There is a coshepard process started which should call the set_token_cmd to
renew the ticket. It should then call kinit -R.
Apparently having the krb5sh wrapper stick around block signalling between
sge_execd and sge_shepherd. So I've now gone with:
#!/bin/bash
# krb5sh - run as pag_cmd -c command
# Sets the Kerberos ticket cache name
export KRB5CCNAME=`mktemp /tmp/krb5cc_sge_XXXXXX`
chcon -t user_tmp_t $KRB5CCNAME
${2}
And an epilog:
#!/bin/bash
# epilog - run at job exit
# Remove kerberos ticket
rm $KRB5CCNAME
I'm trying out this as the set_token_cmd:
#!/bin/bash
# set_token_cmd - called with user name and seconds to extend ticket
if [ ! -s $KRB5CCNAME ]
then
base64 -d > $KRB5CCNAME
fi
token=`cat $KRB5CCNAME`
[ "$token" != none ] && /usr/bin/kinit -R
chown $1 $KRB5CCNAME
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane [email protected]
Boulder, CO 80301 http://www.nwra.com
_______________________________________________
users mailing list
[email protected]
https://gridengine.org/mailman/listinfo/users
