AFS
From FarmShare
Revision as of 12:54, 10 November 2013
Links
- https://itservices.stanford.edu/service/afs/intro
- https://itservices.stanford.edu/service/kerberos/user_guide/how
- http://fnal.gov/docs/strongauth/user.html
automated status
You may want to add something like these lines to your .login (or the equivalent for your preferred shell):
echo " === === === Your Kerberos ticket and AFS token status: === === ==="
klist -5 -f | grep -2 krbtgt | grep Flags | xargs echo 'Kerberos:'
tokens | grep AFS | xargs -0 echo 'AFS: '
You'll get output like this if you don't have the right ticket/token:
=== === === Your Kerberos ticket and AFS token status: === === ===
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_45787_8xDfEP)
Kerberos:
AFS:
You'll get output like this if you do have the right credentials:
=== === === Your Kerberos ticket and AFS token status: === === ===
Kerberos: renew until 01/27/12 15:11:17, Flags: FRIA
AFS: User's (AFS ID 45787) tokens for afs@ir.stanford.edu [Expires Jan 21 16:11]
commands
To obtain and cache a Kerberos ticket-granting ticket:
kinit
To list cached Kerberos tickets:
klist
Next, you'll want to ensure you have a valid AFS token.
To obtain tokens for authentication to AFS:
aklog
To display the issuer's tokens:
tokens
Then you can just submit jobs to the resource manager, and the jobs will be able to read from and write to your AFS directories, assuming your Kerberos ticket is renewable and forwardable.
To submit a batch job to Grid Engine:
echo "sleep 3600" | qsub
A simple, complete example:
ssh corn
kinit
aklog
echo "sleep 3600" | qsub
Use "klist -f" and "tokens" for any troubleshooting.
grid engine integration
We use AUKS. If you have a renewable TGT and AFS tokens, they will get saved and applied to your job when it runs.
keeping your tokens for more than 24hrs
If you're using cardinal/corn, you should use "keeptoken" per https://itservices.stanford.edu/service/afs/learningmore/tokens
'keeptoken' uses the 'krenew' command. You can read the script directly; it's /usr/local/bin/keeptoken on any corn.
If you're submitting a job to the barleys (from the corns) you should _not_ use keeptoken. The AUKS/SGE integration will handle the krenew/aklog process for you, but you should verify that you have renewable tickets and re-authenticate, if necessary, before submitting.
If you have Kerberos credentials when you submit your job, the queuing system should:
- Store your credentials on a remote server at submission time
- Renew those stored credentials while your job is waiting to run
- Retrieve your credentials on the execution host before your job starts there
- Renew your credentials on the execution host while the job is running
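A pre-submission check for the renewable and forwardable requirement above, as an added example that is not FarmShare's own code: it parses `klist -f` and `tokens` output for the F and R flags and for an AFS token. The function names and the sample output (EXAMPLE.ORG principal, AFS ID 1000) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not FarmShare code): check credentials before qsub.

# Print the Flags value of the krbtgt entry from `klist -f` output on stdin.
tgt_flags() {
    awk '/krbtgt\// { seen = 1 }
         seen && /Flags:/ {
             sub(/.*Flags:[ \t]*/, ""); sub(/[ \t,].*/, ""); print; exit
         }'
}

# Succeed only if the flag string has both F (forwardable) and R (renewable).
renewable_forwardable() {
    case "$1" in *F*R*|*R*F*) return 0 ;; esac
    return 1
}

# Succeed if `tokens` output on stdin lists an AFS token with an expiry time.
has_afs_token() {
    grep -q 'tokens for afs@.*\[Expires '
}

# precheck KLIST_TEXT TOKENS_TEXT: print a verdict; return 0 only when the
# job would be submitted with a renewable, forwardable TGT and an AFS token.
precheck() {
    flags=$(printf '%s\n' "$1" | tgt_flags)
    if [ -z "$flags" ]; then echo "no TGT found: run kinit"; return 1; fi
    if ! renewable_forwardable "$flags"; then
        echo "TGT flags '$flags' lack F or R: re-authenticate with kinit"; return 1
    fi
    if ! printf '%s\n' "$2" | has_afs_token; then
        echo "no AFS token: run aklog"; return 1
    fi
    echo "ok: TGT flags $flags, AFS token present"
}

# Constructed sample output (principal, realm and IDs are made up).
SAMPLE_KLIST='Valid starting     Expires            Service principal
01/20/12 15:11:17  01/21/12 16:11:17  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 01/27/12 15:11:17, Flags: FRIA'
SAMPLE_TOKENS="User's (AFS ID 1000) tokens for afs@example.org [Expires Jan 21 16:11]"

precheck "$SAMPLE_KLIST" "$SAMPLE_TOKENS"
# Live use on a corn:
#   precheck "$(klist -f 2>&1)" "$(tokens 2>&1)" && echo "sleep 3600" | qsub
```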
checking your quota
To check your AFS space quota, try
fs quota
or
/usr/bin/check-stanford-afs-quota
They output different formats. If you want to check your e-mail quota, you can log in to webmail and mouse over your name in the upper right corner. You can also look in the "Account status & storage quota" section of stanfordyou.stanford.edu.
one user's experience
To keep your AFS permissions you need to do the following:
- pagsh
- kinit;aklog
- screen
- keeptoken
- paste whatever prints out. This will keep AFS permissions for up to 7 days (the maximum renewable lifetime of a Kerberos ticket in the Stanford realm)
https://itservices.stanford.edu/?q=service/afs/learningmore/tokens