Re: [HTCondor-users] dirty AFS hook stuff?

Zachary Miller wrote:
> In the submit file (exact path may vary, look at $KRB5CCNAME)
> 
>   transfer_input_files = /var/adm/krb5/tmp/tkt/krb5cc_24842_X7me3D
>   encrypt_input_files = krb5cc_24842_X7me3D

This is the piece that I was missing, a not insecure means of forwarding
Kerberos tickets to jobs. It's still not particularly friendly. If a
ticket expires then jobs will start failing when their associated AFS
tokens expire. Even when jobs are coded to renew tickets they'll still
fail when the absolute lifetime is reached (no more renewals). You might
get away with this at a facility like Fermilab where the absolute
lifetime is 7 days. In my Realm? It's 24 hours.


If it weren't obvious by now, I use AFS and Kerberos.

LDAP for directory data (login names, real names, home directories and
so forth).

Kerberos for user and service authentication.

AFS for home directories. I also use it to deploy locally compiled
versions of software that needs to be available across the entire Cell.

Note: we are independent from Athena. I don't use their Realm or Cell
and they don't use mine.

Several large NFS file servers for bulk data storage. Different research
groups have their own separate servers.

Users' workstations and desktops are submit and execute nodes. Each has
a 20GB or larger data volume exported to the LAN. Each user gets a
directory on the local partition for staging submissions.

Several large compute nodes are configured with similar NFS data volumes
with user directories created on request.

NFS volumes are attached via the NFS automounter. NFS traffic is
constrained to the LAN via iptables rules on each member of the pool.


I doubt that changing how Condor handles AFS tokens would be worthwhile
to us. My users are comfortable with this arrangement: it works, it's
easy to use, and they've been using it for many years. Having to
Kerberize their submissions would disrupt their work. Some of the
software that they use can't be Kerberized.

-- 
Rich Pieri <ratinox@xxxxxxx>
MIT Laboratory for Nuclear Science
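The ticket-lifetime point made in the reply above (a job that never renews dies at the ticket's expiry; one that does renew still dies at the absolute lifetime), as an added pre-flight check. This is my example, not code from the post or from HTCondor; the `klist` sample is constructed, and the runtime estimate and function names are assumptions.

```python
"""Pre-flight check for HTCondor jobs that carry a forwarded Kerberos credential
cache (added example, not from the post). Assumes MIT-style `klist` output."""
import os
import re
from datetime import datetime, timedelta

# Constructed sample of `klist` output: a 24-hour ticket that is renewable for
# up to 7 days (the two policies contrasted in the post).
SAMPLE_KLIST = """\
Ticket cache: FILE:/var/adm/krb5/tmp/tkt/krb5cc_24842_X7me3D
Default principal: alice@EXAMPLE.ORG

Valid starting       Expires              Service principal
05/01/2024 10:00:00  05/02/2024 10:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\trenew until 05/08/2024 10:00:00
"""

_FMT = "%m/%d/%Y %H:%M:%S"
# TGT line: "<valid starting>  <expires>  krbtgt/...", optionally followed by a
# "renew until <time>" continuation line.
_TGT = re.compile(
    r"^(\S+ \S+)\s+(\S+ \S+)\s+krbtgt/\S+\n(?:\s*renew until (\S+ \S+))?", re.M)


def tgt_lifetimes(klist_text):
    """Return (expires, renew_until) for the TGT as datetimes.
    renew_until equals expires when the ticket is not renewable."""
    m = _TGT.search(klist_text)
    if not m:
        raise ValueError("no krbtgt entry in klist output")
    expires = datetime.strptime(m.group(2), _FMT)
    renew_until = datetime.strptime(m.group(3), _FMT) if m.group(3) else expires
    return expires, renew_until


def job_fits(klist_text, now_str, hours, renews=False):
    """True if a job of `hours` runtime finishes before its AFS token would
    die: before `expires` if the job never renews, before `renew_until`
    (the absolute lifetime) if it does."""
    expires, renew_until = tgt_lifetimes(klist_text)
    deadline = renew_until if renews else expires
    return datetime.strptime(now_str, _FMT) + timedelta(hours=hours) <= deadline


def submit_lines(ccache_path):
    """Submit-file lines that ship and encrypt the cache, as quoted in the post.
    encrypt_input_files names the file as it appears in the job sandbox."""
    return ["transfer_input_files = %s" % ccache_path,
            "encrypt_input_files = %s" % os.path.basename(ccache_path)]
```

Run `job_fits` on the output of `klist` for the cache named in `$KRB5CCNAME` before submitting; a job that cannot fit is better rejected at submit time than left to fail when its AFS token expires.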