[GE users] SGE6.2 Compilation

Andreas Haupt andreas.haupt at desy.de
Tue Oct 21 07:52:10 BST 2008


Hi Ron,

we're actually not really using a K5 integration but just provide a K5
ticket and an AFS token for all jobs - and that's actually not Kerberos
style... A real integration should look somehow like this (this was
mentioned in Wolfgang Friebel's talk during the last SGE workshop in
Regensburg):

      * K5 authentication (i.e. requesting an sge service ticket) during
        job submission - you can fake this behaviour now by doing some
        checks in the "get_token_cmd" script
      * delegate the K5 ticket to the SGE master and "babysit" it there
        (i.e. periodically renew it) as long as the job is in waiting
        state
      * delegate the K5 ticket to the execution host once the job has
        started and optionally generate an AFS token out of it
        ("set_token_cmd")

I think this code has been written some time for SGE 5.3 and has never
been ported to SGE 6.x - it simply doesn't compile any more.

You can fake a K5 integration by using the "AFS integration scripts"
get_token_cmd and set_token_cmd. STDOUT of the get_token_cmd script will
be available on the execution host under $SGE_JOB_SPOOL_DIR/token.afs -
and can be a K5 TGT (but it needs to be addressless as it won't be
delegated). During set_token_cmd you will need to check whether the
client was cheating about the uid it submitted the job under.

All in all actually a generic solution is needed that might also
integrate e.g. Globus proxy certificates. But AFAIK such a framework is
not on the todo list as paying SGE customers (we don't ...) didn't
express their need for this.

Cheers,
Andreas

On Mon, 2008-10-20 at 22:11 -0700, Ron Chen wrote:
> Can you explain the problems related to the krb5 integration from Desy?
> 
>  -Ron
> 
> 
> --- On Sat, 10/18/08, Jean-Christophe Ducom <jc_ducom at nd.edu> wrote:
> > Any hope on the kerberos issue? :)
> > 
> > Thanks again for your help
> > 
> > JC
> > 
> > 
> > 
> > Jean-Christophe Ducom wrote:
> > > Rayson
> > >> Dod you remove the -Werror switch suggested by
> > Reuti??
> > > Sorry I forgot to mention that: Thanks Reuti. It
> > helped but the 
> > > compilation failed later still:
> > > # ./aimk -no-intl -no-java -no-jni
> > > [...]
> > > gcc -I../daemons/shepherd -O3 -Wall
> > -Wstrict-prototypes 
> > > -D__GRIDENGINE_FD_SETSIZE=8192 -DLINUX -DLINUXAMD64
> > -DLINUXAMD64_26 
> > > -D_GNU_SOURCE -DGETHOSTBYNAME_R6 -DGETHOSTBYADDR_R8 
> > -DLOAD_OPENSSL 
> > > -I/usr/include/ -DSGE_ARCH_STRING=lx26-amd64
> > -DTARGET_64BIT 
> > > -DSPOOLING_dynamic -DSECURE -I/usr/include
> > -Wno-strict-aliasing 
> > > -DNO_JNI -DCOMPILE_DC -D__SGE_NO_USERMAPPING__
> > -I../common -I../libs 
> > > -I../libs/uti -I../libs/juti -I../libs/gdi
> > -I../libs/japi 
> > > -I../libs/sgeobj -I../libs/cull -I../libs/rmon
> > -I../libs/comm 
> > > -I../libs/comm/lists -I../libs/sched -I../libs/evc
> > -I../libs/evm 
> > > -I../libs/mir -I../libs/lck -I../daemons/common
> > -I../daemons/qmaster 
> > > -I../daemons/execd -I../daemons/schedd
> > -I../clients/common -I. 
> > > -L/usr/lib/ -L. -rdynamic
> > -L/opt/sge_utils/src/gridengine/source 
> > > -Wl,-rpath,\$ORIGIN/../../lib/lx26-amd64
> > -L/usr/lib64 -o sge_shepherd 
> > > shepherd.o builtin_starter.o setrlimits.o
> > signal_queue.o 
> > > sge_shepconf.o setjoblimit.o sge_pset.o sge_fileio.o 
> > > sge_shepherd_ijs.o sge_ijs_comm.o sge_ijs_threads.o
> > config_file.o 
> > > err_trace.o execution_states.o qlogin_starter.o
> > setosjobid.o 
> > > sge_parse_num_par.o pdc.o procfs.o sge_mt_init.o
> > sge_processes_irix.o  
> > > -lgdi -lsgeobj -lsgeobjd  -lcull -lcomm_static
> > -lcommlists -luti  
> > > -llck -lrmon -ldl /usr/lib64/libssl.a
> > /usr/lib64/libcrypto.a  -lm 
> > > -lpthread
> > > /usr/lib64/libssl.a(kssl.o): In function
> > `get_rc_clockskew':
> > > (.text+0xce): undefined reference to
> > `krb5_rc_default'
> > > /usr/lib64/libssl.a(kssl.o): In function
> > `get_rc_clockskew':
> > > (.text+0xe0): undefined reference to
> > `krb5_rc_initialize'
> > > /usr/lib64/libssl.a(kssl.o): In function
> > `get_rc_clockskew':
> > > (.text+0x100): undefined reference to
> > `krb5_rc_get_lifespan'
> > > /usr/lib64/libssl.a(kssl.o): In function
> > `get_rc_clockskew':
> > > (.text+0x11e): undefined reference to
> > `krb5_rc_destroy'
> > > /usr/lib64/libssl.a(kssl.o): In function
> > `kssl_validate_times':
> > > (.text+0x14c): undefined reference to
> > `krb5_init_context'
> > > /usr/lib64/libssl.a(kssl.o): In function
> > `kssl_validate_times':
> > > (.text+0x169): undefined reference to
> > `krb5_timeofday'
> > > /usr/lib64/libssl.a(kssl.o): In function
> > `kssl_validate_times':
> > > (.text+0x195): undefined reference to
> > `krb5_free_context'
> > > /usr/lib64/libssl.a(kssl.o): In function
> > `kssl_tgt_is_available':
> > > (.text+0x279): undefined reference to
> > `krb5_init_context'
> > > /usr/lib64/libssl.a(kssl.o): In function
> > `kssl_tgt_is_available':
> > > (.text+0x296): undefined reference to
> > `krb5_free_principal'
> > > .....
> > >
> > >
> > >> And why not use the precompiled binaries??
> > > Kerberos...sigh...I know there is a working solution
> > from Desy people 
> > > (Wolfganfg Friebel and Andreas Haupt) but just like
> > they mention it's 
> > > not the optimal solution and they highly favor a
> > solution that does a 
> > > tight K5 integration. So I'm trying things from
> > sources...
> > >
> > > Thanks
> > > JC
> > >
> > >
> > >
> > >>
> > >>
> > >>
> > >> On 10/17/08, Jean-Christophe Ducom
> > <jc_ducom at nd.edu> wrote:
> > >>> All-
> > >>> Persevering with my previous post #26401, has
> > anybody been 
> > >>> successful to
> > >>> compile SGE6.2 from sources on an AMD64 system
> > running Linux (like 
> > >>> RedHat
> > >>> entreprise 5.2)?
> > >>> Thanks
> > >>> JC
> > >>>
> > >>>
> > ---------------------------------------------------------------------
> > >>> To unsubscribe, e-mail:
> > >>> users-unsubscribe at gridengine.sunsource.net
> > >>> For additional commands, e-mail:
> > >>> users-help at gridengine.sunsource.net
> > >>>
> > >>>
> > >>
> > >>
> > ---------------------------------------------------------------------
> > >> To unsubscribe, e-mail:
> > users-unsubscribe at gridengine.sunsource.net
> > >> For additional commands, e-mail:
> > users-help at gridengine.sunsource.net
> > >>
> > >>
> > >
> > >
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail:
> > users-unsubscribe at gridengine.sunsource.net
> > For additional commands, e-mail:
> > users-help at gridengine.sunsource.net
> 
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around 
> http://mail.yahoo.com 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
> For additional commands, e-mail: users-help at gridengine.sunsource.net
-- 
| Andreas Haupt             | E-Mail: andreas.haupt at desy.de
|  DESY Zeuthen             | WWW:    http://www-zeuthen.desy.de/~ahaupt
|  Platanenallee 6          | Phone:  +49/33762/7-7359
|  D-15738 Zeuthen          | Fax:    +49/33762/7-7216


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe at gridengine.sunsource.net
For additional commands, e-mail: users-help at gridengine.sunsource.net




More information about the gridengine-users mailing list