Presented By: Gregory M. Kurtzer HPC Systems Architect Lawrence Berkeley National Laboratory CONTAINERS IN HPC WITH SINGULARITY

Similar documents
Singularity: Containers for High-Performance Computing. Grigory Shamov Nov 21, 2017

CONTAINERIZING JOBS ON THE ACCRE CLUSTER WITH SINGULARITY

Singularity: container formats

Docker for HPC? Yes, Singularity! Josef Hrabal

Singularity Container Documentation. Release Admin Docs

SINGULARITY P1. Containers for Science, Reproducibility and Mobility

Singularity. Containers for Science

Introduction to Containers. Martin Čuma Center for High Performance Computing University of Utah

Docker Container Logging

Centre de Calcul de l Institut National de Physique Nucléaire et de Physique des Particules. Singularity overview. Vanessa HAMAR

Introduction to Containers

Singularity in CMS. Over a million containers served

Introduction to Containers. Martin Čuma Center for High Performance Computing University of Utah

CS 326: Operating Systems. Process Execution. Lecture 5

Shifter at CSCS Docker Containers for HPC

Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING

Singularity - Containers for Scientific Computing ZID Workshop. Innsbruck Nov 2018

Introduction to containers

containerization: more than the new virtualization

TECHNICAL BRIEF. Scheduling and Orchestration of Heterogeneous Docker-Based IT Landscapes. January 2017 Version 2.0 For Public Use

Chapter 1 - Introduction. September 8, 2016

LSST software stack and deployment on other architectures. William O Mullane for Andy Connolly with material from Owen Boberg

ECE 550D Fundamentals of Computer Systems and Engineering. Fall 2017

A Container On a Virtual Machine On an HPC? Presentation to HPC Advisory Council. Perth, July 31-Aug 01, 2017

LINUX OS FUNDAMENTALS FOR THE SQL ADMIN

Bash command shell language interpreter

Andrej Filipčič

SDK. About the Cisco SDK. Installing the SDK. Procedure. This chapter contains the following sections:

/ Cloud Computing. Recitation 5 September 27 th, 2016

Automatic Dependency Management for Scientific Applications on Clusters. Ben Tovar*, Nicholas Hazekamp, Nathaniel Kremer-Herman, Douglas Thain

Linux Command Line Interface. December 27, 2017

Engineering Robust Server Software

CS-580K/480K Advanced Topics in Cloud Computing. Container III

STATUS OF PLANS TO USE CONTAINERS IN THE WORLDWIDE LHC COMPUTING GRID

Basic UNIX commands. HORT Lab 2 Instructor: Kranthi Varala

Who is Docker and how he can help us? Heino Talvik

Systems Programming/ C and UNIX

Review of Fundamentals

Installing and Using Docker Toolbox for Mac OSX and Windows

Important DevOps Technologies (3+2+3days) for Deployment

Improving User Accounting and Isolation with Linux Kernel Features. Brian Bockelman Condor Week 2011

Linux OS Fundamentals for the SQL Admin. Anthony E. Nocentino

Guest Shell. Finding Feature Information. Information About Guest Shell. Guest Shell Overview

MPI History. MPI versions MPI-2 MPICH2

CS61 Scribe Notes Date: Topic: Fork, Advanced Virtual Memory. Scribes: Mitchel Cole Emily Lawton Jefferson Lee Wentao Xu

BEST PRACTICES FOR DOCKER

MPI versions. MPI History

SPPEXA TEACHLET: GETTING STARTED WITH L4RE CARSTEN WEINHOLD

Toward Improved Support for Loosely Coupled Large Scale Simulation Workflows. Swen Boehm Wael Elwasif Thomas Naughton, Geoffroy R.

Perl and R Scripting for Biologists

Chapter 2: Operating-System Structures

CSC- Bioweek 2018 Using cpouta for cloud computing Kimmo Mattila, Shubham Kapoor, Ari-Matti Saren (Jukka Nousiainen)

Singularity CRI User Documentation

3. Process Management in xv6

An introduction to checkpointing. for scientific applications

Chapter 2: Operating-System Structures. Operating System Concepts 9 th Edition

Chapter 2. Operating-System Structures

[Docker] Containerization

Quelling the Clamor for Containers. Vanessa Borcherding Director, Scientific Computing Unit Weill Cornell Medicine

Opportunities for container environments on Cray XC30 with GPU devices

Lab 6: OS Security for the Internet of Things

Shell Scripting. Todd Kelley CST8207 Todd Kelley 1

manifold Documentation

Singularity tests at CC-IN2P3 for Atlas

docker & HEP: containerization of applications for development, distribution and preservation

Containerizing GPU Applications with Docker for Scaling to the Cloud

Review of Fundamentals. Todd Kelley CST8207 Todd Kelley 1

Lab 6: OS Security for the Internet of Things

CS 111. Operating Systems Peter Reiher

BEST PRACTICES FOR DOCKER

The Classical OS Model in Unix

Travis Cardwell Technical Meeting

Linux OS Fundamentals for the SQL Admin. Anthony E. Nocentino

Linux Essentials. Smith, Roderick W. Table of Contents ISBN-13: Introduction xvii. Chapter 1 Selecting an Operating System 1

NVIDIA COLLECTIVE COMMUNICATION LIBRARY (NCCL)

Continuous integration & continuous delivery. COSC345 Software Engineering

Spring 2017 :: CSE 506. Introduction to. Virtual Machines. Nima Honarmand

Confinement (Running Untrusted Programs)

Investigating Containers for Future Services and User Application Support

Design Overview of the FreeBSD Kernel CIS 657

Design Overview of the FreeBSD Kernel. Organization of the Kernel. What Code is Machine Independent?

ReFrame: A Regression Testing Framework Enabling Continuous Integration of Large HPC Systems

CS 111. Operating Systems Peter Reiher

Table of Contents 1.1. Introduction. Overview of vsphere Integrated Containers 1.2

USING NGC WITH GOOGLE CLOUD PLATFORM

TNM093 Practical Data Visualization and Virtual Reality Laboratory Platform

Unix Processes. What is a Process?

Contents. Note: pay attention to where you are. Note: Plaintext version. Note: pay attention to where you are... 1 Note: Plaintext version...

Today. Operating System Evolution. CSCI 4061 Introduction to Operating Systems. Gen 1: Mono-programming ( ) OS Evolution Unix Overview

My operating system is old but I don't care : I'm using NIX! B.Bzeznik BUX meeting, Vilnius 22/03/2016

Getting started with the CEES Grid

LS-DYNA Installation Guide Windows and Linux

Building A Better Test Platform:

Allowing Users to Run Services at the OLCF with Kubernetes

VMware Fusion Tech Preview 2017: API/CLI Getting Started Guide

Immutable Application Containers Reproducibility of CAE-computations through Immutable Application Containers

OS Security III: Sandbox and SFI

SentinelOne Technical Brief

Install your scientific software stack easily with Spack

CHAPTER 2: SYSTEM STRUCTURES. By I-Chen Lin Textbook: Operating System Concepts 9th Ed.

Transcription:

Presented By: Gregory M. Kurtzer HPC Systems Architect Lawrence Berkeley National Laboratory gmkurtzer@lbl.gov CONTAINERS IN HPC WITH SINGULARITY

A QUICK REVIEW OF THE LANDSCAPE Many types of virtualization solutions in industry but we will focus on Hardware and Operating System virtualization (a.k.a. Containers ) Virtualization solutions generally focus on network services, isolation and resource efficiency Hardware virtualization has set the stage for the current understanding and usage models of containers (service virtualization, isolation, usage model, etc.) People have been discussing and talking about Docker in HPC, but it has yet to be implemented.

CONTAINER ARCHITECTURE Applications which run in a container run with the same distance to the host kernel and hardware as natively running applications. Generally the container daemon is a root owned daemon which will separate out all possible namespaces in order to achieve a fully emulated separation from host and other containers.

COMPARING TO VIRTUAL MACHINES As a comparison to Virtual Machines, applications running inside a VM are not only further away from the physical hardware but the layers they must traverse are redundant. Additionally there is a layer of emulation which contributes to a performance regression. Containers are thus more efficient.

CONTAINER LIMITATIONS Architecture compatibility: always limited to CPU architecture (e.g. x86/x86_64!= ARM) and binary format (ELF) - (you could add a level of hardware virtualization) Portability: containers in general are portable, but there are limitations Glibc / Kernel compatibility support Any other kernel / user land API compatibility (e.g. OFED) Bitrot: containers are subject to stagnation just as any operating system is Performance: there may be a slight theoretical performance penalty with utilizing kernel namespaces File paths: the file system is different inside the container than outside the container

WELCOME TO DOCKER Docker is the most commonly used solution when considering Linux containers today Docker provides tools, utilities, and wrappers to easily create, maintain and distribute container images The primary container use case is targeted for network service virtualization (where it has gained popularity very fast) Computational developers love Docker because they can easily create reproducible and portable images containing their work

SO WHY NOT JUST IMPLEMENT DOCKER ON HPC RESOURCES?

DOCKER IN HPC: THE PROBLEM Docker emulates a virtual machine in many aspects (e.g. users can escalate to root) Non-authorized users having root access to any of our production networks is considered a security breech To mitigate this security issue, networks must be isolated for Docker access and thus will preclude access to InfiniBand high performance networks and optimized storage platforms People then build a virtual cluster within a cluster trying to navigate a solution Additional complexities arise with existing scheduling architectures and workflows which greatly complicate usage models and/or system architecture (especially with parallel MPI job execution)

LET S RE-QUANTIFY THE NEED The need: Mobility of Compute Portable source code is so 1990 s, now-a-days it is easier to just distribute a virtual machine or laptop hard drive image Ease of development: Users and developers want to work in familiar environments that they control and then run that exact code, pipeline or stack anywhere It must be easily integratable with existing complicated shared infrastructures and scheduling subsystems It must not create or encourage additional exploit vectors or escalation pathways which could be used to compromise the integrity of the system

SINGULARITY: HELLO WORLD.

SINGULARITY Container technologies can be utilized to support Mobility of Compute and making workflows and applications portable Container images facilitates modification, distribution, and execution (e.g. OS X packages) With no direct means to obtain root/superuser within the container, there are no additional security risks thus separation between the container and the host can be blurred (makes efficient use of existing HPC resources, workflows and parallel MPI jobs) We don t have to virtualize everything, we can pick and choose on a case by case basis and thus blur the line between container and host No architectural or workflow changes are necessary to run Singularity containers

SINGULARITY: ARCHITECTURE The Singularity Launcher is run by the user, loads the Singularity container and executes applications as the user.

CONTAINERS IN HPC: SINGULARITY SINGULARITY: SUBCOMMANDS Here is a brief look at the Singularity subcommands and options. Each subcommand has additional help by running: $ singularity help

SINGULARITY: BOOTSTRAP DEFINITION The process of building a Singularity container is simple and makes use of standard included distribution tools (e.g. Apt and YUM) Two steps to build a container from scratch (bootstrapping): Create the image Bootstrap the container using a definition file note: These two steps maybe merged so that the image details can be part of the bootstrap definition

SINGULARITY: BOOTSTRAP DEFINITION EXAMPLE This example bootstrap definition defines the base functionality of this Singularity container, what will be installed and what to do when the container is run.

SINGULARITY: BUILDING THE CONTAINER Singularity utilizes a definition file to bootstrap a new container You can include packages, binaries, scripts, libraries, data, and configurations into the definition file Bootstrap command installs a minimal version of the distribution Containers can be much smaller then a bootable operating system The output of the build process is a Singularity container image which can be modified with changes persisted within the image in real time

SINGULARITY: BUILDING A CONTAINER EXAMPLE Once the container has been defined, create the image (default size is Snip 1024MB and is growable), then bootstrap using the given definition.

SINGULARITY: PERMISSIONS, ACCESS AND PRIVILEGE User contexts are always maintained when the container is launched (if it is launched by a user, it will always be that user) with no escalation pathway within the container! Thus. If you want to be root inside of the container, you must first be root outside of the container

SINGULARITY: LAUNCHING A CONTAINER When the Singularity container is launched, the namespaces are created and processes will be contained within the image By default the container image is accessed as read only Even when the container is mounted as read-write, root still maybe required to make changes (just like on any Linux system) All expected IO (this includes pipes, program arguments, stdout, stdin, stderr and X11) will all be passed directly through the container Home directory and other writable directories are automatically shared between the container and the host

SINGULARITY: CONTAINER EXAMPLE (1) Launching the container with the command shell spawns /bin/sh interactively. You can see, we are contained within the Image but also have access to the underlying home directory.

SINGULARITY: CONTAINER EXAMPLE (2) In this example, I demonstrate the use of the exec and run Singularity commands. I also compare the version output of the Centos-7.img created earlier as well as a Centos-6.img for comparison.

SINGULARITY: WORKFLOWS AND PIPELINES Using the RunScript bootstrap directive, you can have a container execute a custom pipeline or workflow You can easily obtain the arguments via the RunScript using standard shell syntax The runscript exists within the container at /singularity Programs within the container can access data that exists within the container or outside of the container Singularity containers are a portable and lightweight means to distribute these workflows

SINGULARITY: WORKFLOWS AND PIPELINES EXAMPLE Using a RunScript, we can easily take data from the command line and run it through a simple script to search /etc/services.

SINGULARITY: IMAGE MANAGEMENT Singularity does not separate the user Linux namespace To make changes that require root inside the container requires that you have root access outside the container You will also need to use the -w/ writable option to make the container writable (without this, not even root can make changes) Once inside the container, use the system as you would normally

SINGULARITY: IMAGE MANAGEMENT EXAMPLE This is an example of installing Python into a Debian base image. Notice root (via sudo) is used to launch Singularity as root, and thus we can get a root shell inside the container.

HPC - SINGULARITY AND OPEN MPI

SINGULARITY AND OPEN MPI Open MPI utilizes a parent/children relationship and communication pathway The parent MPI process (Orted) fork/execs the children processes Communication from parent to children occurs over the Process Management Interface (PMI) Singularity becomes the interface to exec the children Communication between the inside and outside of the container occurs over the PMI interface This architecture allows for optimal use of the hosts interconnect and storage So far there has been very little perceived performance penalty (but theoretically there maybe some due to Linux namespace overhead)

SINGULARITY AND OPEN MPI Starting with your Bash Shell or resource manager MPI run gets executed which forks an orted process Orted launches Singularity which starts the container process The MPI application within the container is linked to the Open MPI runtime libraries within the container The Open MPI runtime libraries then connect and communicate back to the Orted process via a universal PMI

SINGULARITY: INSTALLING AND RUNNING OPEN MPI FROM WITHIN A CONTAINER $ sudo singularity exec -w /tmp/centos-7.img yum \ groupinstall \ Development Tools\ $ git clone https://github.com/open-mpi/ompi.git $ cd ompi $ singularity exec /tmp/centos-7.img./configure \ prefix=/usr/local $ singularity exec /tmp/centos-7.img make $ sudo singularity exec -w /tmp/centos-7.img make install $ singularity exec /tmp/centos-7.img mpicc \ examples/ring_c.c -o ring $ sudo singularity copy /tmp/centos-7.img./ring /usr/bin $ mpirun -np 4 singularity exec /tmp/centos-7.img /usr/bin/ring

SINGULARITY: OPEN MPI? CONTAINER? WHAT JUST HAPPENED? Open MPI was downloaded, built and installed on both the host and then inside the container We compiled and launched the MPI Ring example using the host s mpirun and the container s libraries The overhead time penalty for creating and tearing down all of the containers was ~0.020s for the entire job note: Installation shortcuts were allowed only because the container was compatible with the host

SINGULARITY: THE ACTUAL OUTPUT Launching `mpirun` on the host runs the Orted process in the background and it then forks and exec s the given Singularity command. Singularity then exec s `./ring` which loads and communicates back to the parent Orted process on the host via PMI.

SHARED MEMORY LATENCY IN OPEN MPI This is an example shared memory latency graph comparing the same application in Singularity container (orange) and running directly on the host. 1800 1600 1400 1200 1000 800 You can see both are performing closely and only diverge on very large 600 400 200 messages. 0 0 500000 1000000 1500000 2000000 2500000 3000000 3500000 4000000 4500000

Presented By: Gregory M. Kurtzer HPC Systems Architect Lawrence Berkeley National Laboratory gmkurtzer@lbl.gov CONTAINERS IN HPC WITH SINGULARITY

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback