Rene,
Singularity's support for direct OCI runtimes has had little interest
and development has stopped on it. Instead singularity converts OCI
containers (e.g. via pull docker://) to its sandbox mode, which can
easily run unprivileged when unprivileged user namespaces are available.
Is there something where that's not good enough?
Last I heard full OCI compliance requires at least two user IDs, which
requires support from some elevated privilege program, typically
newuidmap/newgidmap. That's important when you're trying to simulate a
virtual machine environment the way docker does, but not very important
for typical HPC applications.
Furthermore, HPC system administrators typically *love* containers
coming in monolithic single files such as SIF format. That's because it
moves all the metadata operations off the shared fileservers onto the
compute nodes and so improves performance for typical applications which
are made up of tons of files. OCI doesn't have a monolithic file format.
Mounting of monolithic files still requires root privileges at this
point, although modern kernels allow them to be fuse-mounted unprivileged.
That's on the development roadmap.
Dave
> --
> You received this message because you are subscribed to the Google Groups "singularity" group.
> To view this discussion on the web visit
> https://groups.google.com/a/lbl.gov/d/msgid/singularity/c90e6c02-e18a-4345-a40c-4f14ce72b906n%40lbl.gov
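As an added example (not code from this thread or from the Singularity project), a POSIX sh preflight check that tells an HPC user which of the two paths Dave describes a node can support: sandbox mode needs only unprivileged user namespaces, while a multi-uid OCI runtime also needs a subordinate id range handed out through a setuid `newuidmap`. It assumes the `user:start:count` layout of `/etc/subuid`, the two sysctl paths named in the comments, and that `singularity build --sandbox` is the command used to turn a `docker://` image into a sandbox directory.

```shell
#!/bin/sh
# Added preflight check (not from the thread): which Singularity execution
# path can an unprivileged user on this node expect? Sandbox mode needs only
# user namespaces; full OCI mode also needs subordinate uids via newuidmap.

# Does an /etc/subuid-style file (read from stdin, lines "user:start:count")
# grant USER a range of at least MIN ids? Default MIN is the usual 65536.
subid_range_ok() {
  user=$1 min=${2:-65536}
  awk -F: -v u="$user" -v m="$min" '
    $1 == u && $3 + 0 >= m + 0 { ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# Can this process create a user namespace without privileges?
userns_available() {
  # Either sysctl set to 0 disables unprivileged user namespaces
  # (the second knob exists only on Debian/Ubuntu kernels).
  for knob in /proc/sys/user/max_user_namespaces \
              /proc/sys/kernel/unprivileged_userns_clone; do
    [ -r "$knob" ] && [ "$(cat "$knob")" -eq 0 ] && return 1
  done
  unshare -U true 2>/dev/null
}

# Is a setuid-root newuidmap installed (required for multi-uid OCI mode)?
newuidmap_ok() {
  helper=$(command -v newuidmap 2>/dev/null) || return 1
  [ -u "$helper" ]
}

# Print "none", "sandbox" or "oci" for USER given a subuid file path.
recommend_mode() {
  user=$1 subuid_file=$2
  userns_available || { echo none; return; }
  if newuidmap_ok && subid_range_ok "$user" < "$subuid_file"; then
    echo oci
  else
    echo sandbox
  fi
}

# Invoke as `sh preflight.sh --run` to check the current node and user.
if [ "${1:-}" = "--run" ]; then
  mode=$(recommend_mode "$(id -un)" /etc/subuid)
  echo "expected mode for $(id -un): $mode"
  [ "$mode" = sandbox ] &&
    echo "try: singularity build --sandbox ./alpine docker://alpine:3.19"
fi
```

A result of "none" means neither path works unprivileged and the node needs the setuid Singularity installation or a sysctl change; "sandbox" is the common HPC outcome Dave refers to.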