CronKerberos

Crontab on CS managed machines

This page describes how to run jobs from crontab on CS managed machines and from AFS home directories. The instructions are adapted from https://cs.stanford.edu/computing-guide/data-storage-sharing/afs/batch-and-cron-jobs.

Only CS managed machines

Please note that this will only work on CS managed machines, e.g. Hulk, Rocky.

1. Init your keytab

Run akcron to initialize your keytab file:

akcron -i

2. Test if you received the tokens

It is always good to see if we received the necessary tokens. Do it with the following command:

akcron -c tokens

Your output should be similar to this:

Tokens held by the Cache Manager:

User's (AFS ID 70223) tokens for afs@cs.stanford.edu [Expires Aug 23 19:19]
   --End of list--

If there is an error please let Andrej know about it.

3. Directory permissions

The command you ran in step 1 actually creates a new special user with the following name:

your_csid.cron

Since this is a new user, you need to grant it the rights to whatever directories your crontab script requires access to. Say I had a script called HulkCron.sh that was in the directory ~/HulkCron/. If I wanted to run that with akcron I would set up my permissions like this:

fs setacl ~/ your_csid.cron read
fs setacl ~/HulkCron/ your_csid.cron read

If my script is actually doing something useful and I want to save the output of that script to a file, I would define the ACLs for the ~/HulkCron/ directory like this:

fs setacl ~/HulkCron/ your_csid.cron write

Listing permissions

I can check the permissions I have set like this:

fs listacl ~/HulkCron/

The output of the command could be similar to this:

Access list for /afs/cs.stanford.edu/u/akrevl/HulkCron/ is
Normal rights:
  system:administrators rlidwka
  akrevl rlidwka
  akrevl.cron rl

This means that the group system:administrators has the rlidwka permissions. User akrevl also has the rlidwka permissions, while akrevl.cron has only rl. That doesn't say much, so let's have a look at what those letters mean:

  • l is the lookup or list permission and gives user the permission to list files in the directory.

  • i is the insert permission that allows a user to create new files in the directory.

  • d is the delete permission and it allows a user to delete files from a directory.

  • a is the administer permission that allows the user to change ACLs for the directory.

  • r is the read permission and it allows the user to read a file.

  • w is the write permission and it allows the user to write data to a file.

  • k is the lock permission that allows the user to lock files in the directory.
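
As an added example (not part of the original page), the shell functions below parse fs listacl output in the format shown above and report whether the cron principal lacks rights the job needs or holds more than it should. The function names are assumptions made for illustration; rl and rlidwk are the rights that the read and write shorthands of fs setacl grant.

```shell
#!/bin/sh
# Added example: audit one principal's rights in `fs listacl` output.

# Constructed sample: the listacl output shown on this page.
sample_acl() {
cat <<'EOF'
Access list for /afs/cs.stanford.edu/u/akrevl/HulkCron/ is
Normal rights:
  system:administrators rlidwka
  akrevl rlidwka
  akrevl.cron rl
EOF
}

# acl_rights PRINCIPAL: read listacl output on stdin, print the principal's
# rights from the "Normal rights:" section; exit 1 if it has no entry there.
acl_rights() {
    awk -v who="$1" '
        /^Normal rights:/   { section = "normal"; next }
        /^Negative rights:/ { section = "negative"; next }
        section == "normal" && $1 == who { print $2; found = 1 }
        END { exit !found }
    '
}

# acl_check PRINCIPAL NEEDED ALLOWED: read listacl output on stdin and print
#   ok           rights include NEEDED and stay within ALLOWED
#   missing:XYZ  letters from NEEDED that the principal lacks
#   excess:XYZ   letters held beyond ALLOWED (e.g. "a" on a cron principal)
#   no-entry     the principal is not on the ACL
acl_check() {
    rights=$(acl_rights "$1") || { echo "no-entry"; return 1; }
    missing=$(printf '%s' "$2" | tr -d "$rights")
    excess=$(printf '%s' "$rights" | tr -d "$3")
    if [ -n "$missing" ]; then echo "missing:$missing"; return 1; fi
    if [ -n "$excess" ]; then echo "excess:$excess"; return 1; fi
    echo "ok"
}

# On a real directory: fs listacl ~/HulkCron/ | acl_check your_csid.cron rl rl
sample_acl | acl_check akrevl.cron rl rl
```

For a job that writes its output into the directory, pass rlidwk as both NEEDED and ALLOWED; an excess:a result means the cron principal could change the directory's ACLs.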

Shorter commands

You can use the shorter form of commands in the fs utility. You can replace listacl with la, setacl with sa, etc.

Recursively setting permissions

It seems that there is no equivalent of chmod -R in the fs utility, but we can manage with the rest of the GNU toolkit. Here is how we can set permissions on the ~/7z/ directory and all of its subdirectories:

find ~/7z/ -type d -exec fs setacl {} akrevl.cron read \;

You may void your warranty

Bad things will happen if you do this on recursively mounted filesystems. So make sure that you are only executing this in your own directories that do not contain links to any other filesystems.

Temporary files

Make sure that your permissions are correctly set also for the directories where the temporary files are stored. You might want to check if your new special user (your_csid.cron) has the necessary permissions on the local filesystem e.g. /tmp.

Special note for 7z users

7z might sometimes use temporary files. These are created in /tmp by default. You can override this with the -w switch, for example:

~/bin/7za a -w/afs/cs.stanford.edu/u/akrevl/HulkCron/ ~/HulkCron/ParadiseLost.7z ~/HulkCron/ParadiseLost.txt

Please note that -w does not understand the ~ shorthand for your home directory.

Also note that your_csid.cron will need access to the 7z binary and all the libraries associated with it.

4. Setup your crontab

Now you can set up your crontab as you normally would:

crontab -e

But make sure that you prefix your command/script with akcron -c and enclose it in single quotes. For example:

0 3 * * * akcron -c '~/HulkCron/backupMyFiles.sh'