Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign upUserspace Container Review
Pages 24
- Home
- Arvados
- CancerCollaboratory
- Common Workflow Language != Kile TexStudio "completion word list"
- CWL Implementations
- cwl2script
- cwltool (reference implementation)
- Example workflow run provenance
- Existing CLI description languages
- Existing Workflow systems
- Fine Grained Software Citations Metadata
- Galaxy
- Getting started with CWL
- Native Pythonic generator for CWL processes (CLIs & workflows)
- Parallel Recipes
- Rabix
- Related ontologies
- Related standards
- Research Object Proposal
- SciDAP
- Taverna
- Toil
- Tool registries
- Userspace Container Review
- Show 9 more pages…
Clone this wiki locally
This is a review of possible distro-agnostic non-root solutions to workflow execution isolation.
The broad idea is to provide Docker-style isolation and reproducibility in places where:
- we have no way of becoming root, even to install packages or set up containers
- we don't have write access outside $HOME
- we don't run a given distro or kernel version
The main use case for this is on large HPC installations, often running old CentOS or similar, and with limited or no ability for users to install or request installation of new software.
Authors:
- @kdmurray91
- @mr-c
Update
The docker drop in replacements udocker and dx-docker now implement variations on the ideas outlined below and both are support via the CWL reference runner: https://github.com/common-workflow-language/cwltool#running-user-space-implementations-of-docker
Candidates:
PRoot
Proot is a userspace implementation of chroot and associated tools. It allows purely-userspace chroot-ing into a pre-build root dir, e.g. one created using fakeroot debootstrap.
There is also Heng Li's proot.pl, which wraps some parts of the process nicely (e.g. things like sanitizing PATH).
Fakechroot
And we go down the rabbit hole....
Fakechroot allows one to use chroot with fakeroot.
As a normal user one can do:
fakechroot fakeroot debootstrap sid /tmp/rootfs
psuedo
Docker image integration
It is possible to export a rootfs tarball from a running docker container. This is as "easy" as:
ID=$(docker run -idt diblab/khmer)
docker export ${ID} > khmer-docker.tar
docker kill ${ID}
docker rm -f ${ID}
mkdir khmer-docker
tar xf khmer-docker.tar -C khmer-docker
TODO: investigate if this kind of export is possible straight from an image, and ideally straight from something like the docker registry or quay.io. The OpenContainer format could be interesting in this regard also. But all we need is a tarball of the filesystem.
CWL Usage
The overall picture would involve a drop-in replacement for a dockerised tool container based upon userspace containers on systems where these are either forbidden, or impractical.
The aim is to run Docker-enabled tools and workflows in isolated environments without root (or docker), targeting HPC clusters.
Roadmap
- Trial
fakechrooton HPC Systems, document success and/or hacks required:-
raijin.nci.org.au: CentOS 6 PBS Pro Cluster -
edmund.anu.edu.au: Debian 8 SMP machine (single node)
-
- Trial Docker image -> rootfs tarball conversion, write script to perform this?
- Dockerfile -> build container on Debian -> rootfs??
- A rootfs registry?
- OpenContainer Initiative?
- pull straight from docker hub/registry/quay.io?
- Implement an orchestrator of the setup/run/teardown cycle for userspace containers, aiming at CWL feature parity with Docker.
- Determine optimal cluster-based CWL implementation for this behaviour, or write into spec as an optional extension?
Progress
Getting userspace containers working on ancient RHEL
It looks that proot is the best option across all systems. Fakeroot/fakechroot and friends have system dependencies and I coudn't get them working on RHEL 6.
What I got to work on raijin.nci.org.au (Running RHEL 6):
wget -O ~/bin/proot http://portable.proot.me/proot-x86_64
chmod +x ~/bin/proot
mkdir containers
cd containers
mkdir debian-sid
wget -O debian-sid-rootfs.tar.xz https://github.com/tianon/docker-brew-debian/raw/0a2d20ca8e26f7bf6a5cc3ce2727eb6cc1894ef9/unstable/rootfs.tar.xz
tar xf debian-sid-rootfs.tar.xz -C debian-sid
proot -S debian-sid
# now within container
apt-get update && apt-get upgrade && apt-get install vimGitter snippets
LUSTRE FS locking:
@kdmurray91 yeah. Just be aware that if localflock is in operation then software uses locking, assumes it's fully consistent - but you don't really have that (only consistent on each node). So always potential for weird behavior if a workflow uses same dirs/files from different nodes on a localflock FS. Various weird bugs in workflows related to non-deterministic clashes at the FS level, not due to the workflow or workflow engine.
@dctrud @kdmurray91 so in terms of CWL semantics, the tool is disallowed from modify anything other than the designated output directory ($PWD), the designated temporary directory ($TMPDIR) and the system temporary directory (/tmp)
The other thing worth noting is that proot -R/-S does some magic with binds that may include certain paths (e.g. $HOME) that shouldn't be bound for CWL purposes. It may be worth wrapping proot.
The links
The below are links of interest or possible interest. No guarantee of relevance or correctness.
- https://pypi.python.org/pypi/sandboxlib/0.3.1
- http://ivoire.dinauz.org/blog/post/2013/11/21/Pretending-to-be-root-inside-PRoot
- https://github.com/CodethinkLabs/sandboxlib
- https://unix.stackexchange.com/questions/6433/how-to-jail-a-process-without-being-root
- http://chdir.org/~nico/seccomp-nurse/
- http://fakeroot-ng.lingnu.com/index.php/Home_Page
- https://github.com/appc/spec/
- https://stackoverflow.com/questions/4249063/run-an-untrusted-c-program-in-a-sandbox-in-linux-that-prevents-it-from-opening-f
- https://git.gnome.org/browse/linux-user-chroot/tree/
- http://wiki.baserock.org/