rkt run front-end for unprivileged users
Branch: master
Clone or download
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
cmd Added per-alias environment blacklisting. Sep 4, 2017
doc Added per-alias environment blacklisting. Sep 4, 2017
examples Added per-alias environment blacklisting. Sep 4, 2017
.gitignore Vendor dependencies using dep. Oct 23, 2017
Gopkg.lock Vendor dependencies using dep. Oct 23, 2017
Gopkg.toml Vendor dependencies using dep. Oct 23, 2017
LICENSE Initial commit Apr 7, 2017
Makefile Support updated environment variables in rkt enter. Aug 29, 2017
README.md Added --prepare option for rkt-run, to prime the pump for worker pods. Jul 6, 2017
await-path.go Leave handling of SIGINT to child process. Jul 5, 2017
command.go Fixed bug - rkt-run-slave should be run without stdio. Oct 23, 2017
config.go Added per-alias environment blacklisting. Sep 4, 2017
distribution.go Fixed bug in finding docker non-default pod to enter. Jul 27, 2017
environ.go Added per-alias environment blacklisting. Sep 4, 2017
fragments.go Added per-alias environment blacklisting. Sep 4, 2017
paths.go rktrunner-gc: remove spurious pod lockdirs. Aug 29, 2017
rkt-list.go rktrunner-gc: added --grace-period Jul 6, 2017
rktrunner.spec Vendor dependencies using dep. Oct 23, 2017
runner.go Fixed bug - rkt-run-slave should be run without stdio. Oct 23, 2017
waiter.go Leave handling of SIGINT to child process. Jul 5, 2017
warn.go Only emit worker warnings in verbose mode. Aug 28, 2017
worker.go rktrunner-gc: remove spurious pod lockdirs. Aug 29, 2017

README.md

rkt-run

This package provides the rkt-run command, which is intended to be installed setuid root, to enabled unprivileged users to run containers using rkt, in a controlled fashion.

There are also rkt-run-helper and rkt-run-slave commands - see below.

rkt-run provides the following features:

  • enable unprivileged users to run rkt

  • enable concurrent use of pods

  • preservation of working directory of host within container

The system-wide configuration enables the system administrator to control the following aspects of the rkt run command line:

  • aliases for images and their executables

  • volumes to be mounted

  • automatic prefix re-writing of image names

  • general, run, and image options

Basic Usage

All rkt run options are controlled by the config file, /etc/rktrunner.toml, which should be carefully setup by the local sysadmin.

Example use:

$ rkt-run -i -v qiime_

The -v option prints the full rkt run command which is being run, as follows:

# /usr/bin/rkt --insecure-options=image run --interactive --net=host --set-env=HOME=/home/guestsi --volume volume-config,kind=empty,uid=511,gid=511 --volume volume-data,kind=empty,uid=511,gid=511 --volume home,kind=host,source=/home/guestsi quay.io/biocontainers/qiime:1.9.1--py27_0 --mount volume=home,target=/home/guestsi --user=511 --group=511 --exec sh

Note that the options are taken from the config file, which in this case looks like this:

rkt = "/usr/bin/rkt"
default-interactive-cmd = "sh"

[options]
general = ["--insecure-options=image"]
run = ["--net=host", "--set-env=HOME=/home/{{.Username}}"]
image = ["--user={{.Uid}}", "--group={{.Gid}}"]

[volume.home]
volume = "kind=host,source={{.HomeDir}}"
mount = "target=/home/{{.Username}}"

[volume.volume-config]
volume = "kind=empty,uid={{.Uid}},gid={{.Gid}}"

[volume.volume-data]
volume = "kind=empty,uid={{.Uid}},gid={{.Gid}}"

[alias.qiime_]
image = "quay.io/biocontainers/qiime:1.9.1--py27_0"

For further information, see the manpages for rkt-run and rktrunner.toml

Concurrent use of pods

The configuration option worker-pods may be used to enable concurrent use of pods. This is an optimisation, useful when large numbers of concurrent application processes are required. For each user and image, a single pod may be shared across all the application instances, by means of rkt enter.

When using worker-pods, it is important to remove idle workers using rktrunner-gc, which should be run regularly as root.

Before starting many application instances in parallel, it is necessary to prime the pump, that is, create an initial worker. This may easily be done using rkt-run --prepare, which simply creates a worker for the image in question, and exits without running the application.

Note that this feature is unlikely to be useful without the following rkt issues being addressed.

These are expected to be fixed in rkt 1.28.0.

rkt-run-helper

rkt-run-helper is a simple wrapper, which invokes rkt-run passing as first argument the name it was invoked with, along with all the other arguments.

The intended use is to have a directory on the system containing links to rkt-run-helper, with names ruby, julia, etc. Then, if this directory is on the path, scripts starting with the standard shebang line as below will use rkt-run to run the containerized interpreter. This relies on aliases for these programs being defined in rktrunner.toml.

#!/usr/bin/env ruby
puts 'Hello World from Ruby version ' + RUBY_VERSION

rkt-run-slave

rkt-run-slave is another wrapper, which runs within the container. It optionally changes to the working directory as on the host.