singularity as OCI runtime without root privileges
38 views
Skip to first unread message
Rene Caspart
Nov 17, 2021, 5:27:33 AM11/17/21
to singularity
Hi all,
Thanks,
Rene
[1] https://slurm.schedmd.com/containers.html
this might already have been answered somewhere, but I was unable to find it.
As I guess some of you are aware, Slurm has recently added support for OCI compliant container runtimes to be invoked directly via Slurm if users specify it in the command line tools [1]. Looking at the documentation and examples, singularity stands out here, in that it requires root privileges as OCI runtime. For obvious reasons, this is a hard no-go for using it in this way for most, if not all, HPC systems.
I appreciate that the OCI runtime is most likely not a very high priority for singularity, but nonetheless, are there any plans for singularity to support being used as OCI runtime without requiring root privileges?
For us this would be a great possibility to have and I appreciate any input.
Thanks,
Rene
[1] https://slurm.schedmd.com/containers.html
Dave Dykstra
Nov 17, 2021, 1:31:41 PM11/17/21
to 'Rene Caspart' via singularity
Rene,
Singularity's support for direct OCI runtimes has had little interest
and development has stopped on it. Instead singularity converts OCI
containers (e.g. via pull docker://) to it's sandbox mode, which can
easily run unprivileged when unprivileged user namespaces are available.
Is there something where that's not good enough?
Last I heard full OCI compliance requires at least two user IDs, which
requires support from some elevated privilege program, typically
newuidmap/newgidmap. That's important when you're trying to simulate a
virtual machine environment the way docker does, but not very important
for typical HPC applications.
Furthermore, HPC system administrators typically *love* containers
coming in monolithic single files such as SIF format. That's because it
moves all the metadata operations off the shared fileservers onto the
compute nodes and so improves performance for typical applications which
are made up of tons of files. OCI doesn't have a monolithic file format.
Mounting of monolithic files still requires root privileges at this
point, although modern kernels allow them to be fuse-mounted unprivileged.
That's on the development roadmap.
Dave
> --
> You received this message because you are subscribed to the Google Groups "singularity" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to singularity...@lbl.gov.
> To view this discussion on the web visit https://groups.google.com/a/lbl.gov/d/msgid/singularity/c90e6c02-e18a-4345-a40c-4f14ce72b906n%40lbl.gov .
Singularity's support for direct OCI runtimes has had little interest
and development has stopped on it. Instead singularity converts OCI
containers (e.g. via pull docker://) to it's sandbox mode, which can
easily run unprivileged when unprivileged user namespaces are available.
Is there something where that's not good enough?
Last I heard full OCI compliance requires at least two user IDs, which
requires support from some elevated privilege program, typically
newuidmap/newgidmap. That's important when you're trying to simulate a
virtual machine environment the way docker does, but not very important
for typical HPC applications.
Furthermore, HPC system administrators typically *love* containers
coming in monolithic single files such as SIF format. That's because it
moves all the metadata operations off the shared fileservers onto the
compute nodes and so improves performance for typical applications which
are made up of tons of files. OCI doesn't have a monolithic file format.
Mounting of monolithic files still requires root privileges at this
point, although modern kernels allow them to be fuse-mounted unprivileged.
That's on the development roadmap.
Dave
> You received this message because you are subscribed to the Google Groups "singularity" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to singularity...@lbl.gov.
> To view this discussion on the web visit https://groups.google.com/a/lbl.gov/d/msgid/singularity/c90e6c02-e18a-4345-a40c-4f14ce72b906n%40lbl.gov .
Rene Caspart
Nov 18, 2021, 8:18:16 AM11/18/21
to singularity, Dave Dykstra
Hi Dave,
thanks a lot for the reply. I am well aware that one can run containers with singularity unprivileged and this works very well.
The main reason, why I raised this specific point is the direct support in slurm for OCI runtimes. This by no means is a crucial feature, but certainly one which would be very nice to have, as it might also help in convincing some more users to adapt to containers by lowering the entry hurdle a bit more (requiring only minimal changes to established workflows). This essentially goes in the same direction as the old SPANK plugin.
Best,
Rene
Reply all
Reply to author
Forward
0 new messages