I believe there are fundamental reasons why the grid/HTC community is
focussed on singularity and not podman, not just because singularity
came first. Currently podman has some significant limitations that
prevent it from being usable from the way we want to use it in grid/HTC
environments, which is I think the main reason why HTCondor does not and
cannot support it at this point. The limitations include:
1. It requires the use of a couple of setuid/setgid programs (that is,
newuidmap and newgidmap) in order to do anything, and every user id
has to be configured with an additional set of unique user ids that
they can use to simulate multiple users inside the container.
Perhaps there will be tools one day to make managing this reasonably
easy, but for now this is a significant issue we can't expect system
administrators to accept. I was told by one of the podman
developers that OCI requires having at least two user ids, one for
root and one for the unprivileged user. Singularity does not
require that.
2. It doesn't work well with the container in a read-only filesystem,
which means we can't easily distribute containers in CVMFS. I
think there were plans to support that sometime, but I haven't
seen it yet, and there's more issues with containers in CVMFS
(see reasons 3&4).
3. It requires the root filesystem to be writable, so it depends on
fuse-overlayfs. This is a performance impact for all file acceses
that I doubt will be acceptable to users when there's a solid
alternative (singularity) that does not require this overhead.
4. It assumes that it manages the containers; it does not make it easy
to run a container from an arbitrary path. There's supposed to be
a way to do it, the developer tried to help me to do it, but I tried
and ran into an error. He thought it was likely to do with the fact
that I wanted the process to start up as the unprivileged user
rather than as the fake root user which it is supposed to support
as an option (--userns=keep-id). At this point because of all the
other issues I gave up.
podman is designed as a docker replacement; it is not intended for the
same use cases that singularity is designed for. It would take
significant effort to make it fit the HTC use case where we want special
unprivileged users (pilot jobs) to run unprivileged but isolated jobs
from multiple other users.
I do not know for sure whether or not it would fit better into HPC use
cases. However, in my opinion one of the biggest reasons why
singularity took off so fast in HPC centers was the fact that it
supports a monolithic container image file that it mounts as a loopback
filesystem. This moves all the metadata operations for the tons of
small files to be done on the compute node rather than on the
filesystem's metadata server, which is a huge performance win. HPC
admins demonstrated superior performance with singularity than with
unpacked files on the shared filesystem for this reason. podman does
not support monolothic container images, it only supports unpacked
filesystems, and I think this feature alone will block it from being
accepted by HPC centers.
By the way, not coincidentally I think, CVMFS has the same key feature
as loopback-mounted container images of moving metadata operations to
the compute node and away from the file server. This is an important
reason (along with local caching) why it scales so well over long
distances.
Dave