Singularity and OpenStack

[Julien H.]

Hello guys,

We currently working at converting our HPC Cluster into a private OpenStack cloud for research. We heard about Singularity and we would like to study how benefit it'd be to deploy Singularity as an additional hypervisor instead of Docker.

However, i'm not sure we understand well the relationship between Singularity and OpenStack, and i've got some questions i'd like to ask to you :

• What is the main purpose of using Singularity over/instead of Docker ?
• Does the case I mentioned above make sense ?
• Does such a solution already exists ?

Thanks in advance,

Regards,

Julien Hubert

[Dave Godlove]

Hi Julien,

Sorry for the delay.  First off, I don't think that Singularity is going to work very well for you as a hypervisor running in an OpenStack environment.  Maybe somebody with more experience using OpenStack can comment, but this isn't really a use case for Singularity.  At least not at this time.  And to answer your 3rd question above, no I don't think such a solution exists yet.  But it would be an interesting thing to consider.  

As for your first question, there are a ton of reasons to favor Singularity over Docker in an HPC environment.  Here's a few in no particular order:

1)    Do you use GPUs?

With most container platforms you must install an NVIDIA driver directly into the container.  Since the NVIDIA driver on the host system installs kernel modules and the kernel is shared between the container and the host system, you must exactly match version numbers between the driver inside the container and the driver running on the host system.  This breaks the portability of the container.  With Singularity you don’t have to install an NVIDIA driver into your container.  Instead, you simply pass the --nv option at runtime and Singularity will automatically locate NVIDIA libraries and binaries on the host system and map them into your container.  This is an easy, portable solution. 

 

2)    Do you use MPI?

It is extremely difficult to set up a multi-node MPI job with a traditional container platform.  But Singularity solves this problem by allowing users to run MPI jobs using a “hybrid” model.  The model assumes that MPI will be installed on the host and within the container.  A user will invoke a containerized program using mpirun or a similar command.  Singularity is MPI aware and will set up new containers on all of the nodes within the MPI job.  Then it will facilitate communication between the MPI on the host system and the MPI within the container.  Often, it’s not even necessary to match the versions of MPI running on the host and within the container because there is some degree of compatibility between different MPI versions.

 

3)    Do a lot of non-root users utilize your HPC system?

Security is a huge concern with containers.  But many container platforms focus exclusively on security within the container.  In other words, how do you protect the contents of a container from a potentially hostile environment?  In a multitenant HPC environment, system administrators have the opposite concern.  How do you protect the HPC environment from a potentially malicious container?  Singularity has a novel security paradigm allowing untrusted users to run untrusted containers safely.  In a nutshell, Singularity prevents users from escalating privileges within the container.  If you don’t have root on the system, you can’t have root within the container.  Moreover, users have the same UID/GID context inside of the container as outside, allowing users to access data they own, and preventing them from accessing data that they don’t.  And unlike other container platforms, Singularity runs without any root-owned daemon processes, decreasing the potential attack surface.

 

4)    Do you use a batch scheduling system (like Slurm or PBS for instance)?

Traditional container platforms that launch containers with the aid of a background daemon process don’t work well with HPC batch schedulers.  The daemon allows the containers to launch outside of the scope of a resource manager.  In this state the batch scheduler can no longer track the resources consumed by the containerized process.  Singularity starts containers with the appropriate UID/GID context.  Once containerized processes are initiated, Singularity execs itself out of existence and the containerized processes are running on the system (within their namespaces) just like any other processes.  This architecture allows the resource manager to track utilization by the container and the batch scheduler to schedule other jobs accordingly.

 

5)    Do you use a parallel file system (like Lustre or GPFS for instance)?

Singularity can actually boost performance on parallel file systems over bare metal.  Parallel file systems can exhibit reduced performance when processes simultaneously open large numbers of small files.  Take Python as an example.  A single invocation of the Python interpreter may stat thousands of files.  If you are running an embarrassingly parallel Python job with thousands of simultaneous interpreters your file system will grind to a halt as it essentially sustains a DDoS attack.  Singularity containers are single image files which are mounted onto the host’s loop device.  When accessing data in this manner, the kernel is able to take advantage of built-in optimizations that reduce the number of meta-data operations necessary to run your Python job.  At large scale, this can result in file-system performance that is improved by several orders of magnitude.  This fact prompted admins at the SLAC National Accelerator Laboratory US ATLAS Computing center to containerize their entire software stack (~400 GB) using Singularity.

--
You received this message because you are subscribed to the Google Groups "singularity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to singularity+unsubscribe@lbl.gov.

[Gregory M. Kurtzer]

Hi Julien,

I'd like to to reiterate Dave's comments but also add, while Singularity isn't a great fit for that usage scenario right now, we too have been thinking about this as we have gotten similar feature requests to support OpenStack and Kubernetes/Kubeflow. For this reason, we have been moving more toward an OCI compatible model with the development of Singularity v3 as you can read about here:

https://www.sylabs.io/2018/03/singularity-oci-cloud-native-enterprise-performance-computing/

Most of our team and contributors are focused on traditional HPC and EPC architectures so if you (or anyone else) decides to investigate Singularity further for these sorts of architectures, please let us know, we'd love the help!

Thanks!

To unsubscribe from this group and stop receiving emails from it, send an email to singularity...@lbl.gov.

--
You received this message because you are subscribed to the Google Groups "singularity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to singularity+unsubscribe@lbl.gov.

--

Gregory M. Kurtzer

CEO, Sylabs Inc.

[Julien H.]

Hi Dave,

Thank you so much for your long response. Indeed, I have to say yes to all your questions.

I work at the high-performances computing center Romeo at the University of Reims and our supercomputer embeds two NVIDIA GPU per node. Also we use Slurm to provide our many end-users a way to enqueue their jobs using MPI most of the time.

The main reason for us to be interested by Singularity is that we will soon install a new supercomputer with this similar workflow and the old one will become a research Cloud for simplicity and flexibility provided by this solution. But we want to provide a non-exhaustive way to switch between Openstack and HPC environment for our users and so does Singularity by making containers flexible and reusable on any different machine with a similar architecture. The workflow would be awesome if OpenStack could support Singularity as an hypervisor : an user may continue to compute with the same image on the Cloud if he can’t submit his job within the HPC environment.

All your precisions are really hyping for such a solution !

[Julien H.]

Hi Gregory,

Thank you very much for your answer and your link, I will have a look at it ASAP.

Also, I watched your presentation at NVIDIA GTC and I have to say it was really fun !

I would be glad to contribute to the growing of Singularity, which sounds like a very interesting solution. I will let you know about our choice and any work regarding Singularity.

[John Hearns]

Dave, your reply with the 5 points is marvellous.  Really.

That should be written up as a FAQ on your webpage. 

Simple, clearly articulated writeups like that are invaluable when one is trying to justify implementing a technology like this to t' management.

[Rémy Dernat]

Hi Julien,

Maybe, in a near future, with the OCI compatibility for singularity, you will be able to use Singularity within k8s and/or nextflow. A good starting point is to take a look at Magnus which allow to create a k8s cluster within OpenStack : https://wiki.openstack.org/wiki/Magnum

Kind regards,

Rémy

PS : I will give a Singularity workshop at "ust4hpc" event. Arnaud from Romeo will be there; maybe we could talk a bit about that.

To unsubscribe from this group and stop receiving emails from it, send an email to singularity...@lbl.gov.

[Rémy Dernat]

[In fact, you can already launch your container with nextflow; So you can imagine using nextflow to launch a workflow to your HPC systems with slurm/singularity and/or to OpenStack/Magnum/k8s].

Rémy.

To unsubscribe from this group and stop receiving emails from it, send an email to singularity...@lbl.gov.