Singularity in CMS. Over a million containers served

Similar documents
STATUS OF PLANS TO USE CONTAINERS IN THE WORLDWIDE LHC COMPUTING GRID

Singularity tests at CC-IN2P3 for Atlas

Opportunities for container environments on Cray XC30 with GPU devices

Singularity tests. ADC TIM at CERN 21 Sep E. Vamvakopoulos

Centre de Calcul de l Institut National de Physique Nucléaire et de Physique des Particules. Singularity overview. Vanessa HAMAR

Andrej Filipčič

What s new in HTCondor? What s coming? HTCondor Week 2018 Madison, WI -- May 22, 2018

Presented By: Gregory M. Kurtzer HPC Systems Architect Lawrence Berkeley National Laboratory CONTAINERS IN HPC WITH SINGULARITY

glideinwms architecture by Igor Sfiligoi, Jeff Dost (UCSD)

CERN: LSF and HTCondor Batch Services

glideinwms Training Glidein Internals How they work and why by Igor Sfiligoi, Jeff Dost (UCSD) glideinwms Training Glidein internals 1

Global Software Distribution with CernVM-FS

Singularity: Containers for High-Performance Computing. Grigory Shamov Nov 21, 2017

WLCG Lightweight Sites

Geant4 on Azure using Docker containers

Containerized Cloud Scheduling Environment

HTCondor Week 2015: Implementing an HTCondor service at CERN

LHCb experience running jobs in virtual machines

Introduction to SciTokens

CernVM-FS beyond LHC computing

Automatic Dependency Management for Scientific Applications on Clusters. Ben Tovar*, Nicholas Hazekamp, Nathaniel Kremer-Herman, Douglas Thain

Improving User Accounting and Isolation with Linux Kernel Features. Brian Bockelman Condor Week 2011

Look What I Can Do: Unorthodox Uses of HTCondor in the Open Science Grid

The PanDA System in the ATLAS Experiment

RADU POPESCU IMPROVING THE WRITE SCALABILITY OF THE CERNVM FILE SYSTEM WITH ERLANG/OTP

CernVM-FS. Catalin Condurache STFC RAL UK

Scientific Computing on Emerging Infrastructures. using HTCondor

Introducing the HTCondor-CE

One Pool To Rule Them All The CMS HTCondor/glideinWMS Global Pool. D. Mason for CMS Software & Computing

VC3. Virtual Clusters for Community Computation. DOE NGNS PI Meeting September 27-28, 2017

HTCondor: Virtualization (without Virtual Machines)

DIRAC pilot framework and the DIRAC Workload Management System

Flying HTCondor at 100gbps Over the Golden State

Using Puppet to contextualize computing resources for ATLAS analysis on Google Compute Engine

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

A Virtual Comet. HTCondor Week 2017 May Edgar Fajardo On behalf of OSG Software and Technology

Process Time. Steven M. Bellovin January 25,

Installation of CMSSW in the Grid DESY Computing Seminar May 17th, 2010 Wolf Behrenhoff, Christoph Wissing

HTCondor on Titan. Wisconsin IceCube Particle Astrophysics Center. Vladimir Brik. HTCondor Week May 2018

RESEARCH DATA DEPOT AT PURDUE UNIVERSITY

Building a Secure Data Environment. Maureen Dougherty Center for High-Performance Computing University of Southern California

Introduction to Distributed HTC and overlay systems

Infrastructure at your Service. Oracle over Docker. Oracle over Docker

The ATLAS PanDA Pilot in Operation

CONTAINERIZING JOBS ON THE ACCRE CLUSTER WITH SINGULARITY

Compute Node Linux (CNL) The Evolution of a Compute OS

Singularity: container formats

Red Hat Atomic Details Dockah, Dockah, Dockah! Containerization as a shift of paradigm for the GNU/Linux OS

Backpacking with Code: Software Portability for DHTC Wednesday morning, 9:00 am Christina Koch Research Computing Facilitator

The SciTokens Authorization Model: JSON Web Tokens & OAuth

Installation and Maintenance Instructions for SAS 9.2 Installation Kit for Basic DVD Installations on z/os

Evolution of the ATLAS PanDA Workload Management System for Exascale Computational Science

Important DevOps Technologies (3+2+3days) for Deployment

[Docker] Containerization

Getting Started With Containers

glideinwms experience with glexec

Shifter at CSCS Docker Containers for HPC

Secure Software Programming and Vulnerability Analysis

Outline. ASP 2012 Grid School

A Container On a Virtual Machine On an HPC? Presentation to HPC Advisory Council. Perth, July 31-Aug 01, 2017

BEST PRACTICES FOR DOCKER

Tasktop Sync - Installation Primer. Tasktop Sync - Installation Primer

Containers. Pablo F. Ordóñez. October 18, 2018

Introduction to Containers

A curated Domain centric shared Docker registry linked to the Galaxy toolshed

Who is Docker and how he can help us? Heino Talvik

TRAINING AND CERTIFICATION UPDATE

Developing and Testing Java Microservices on Docker. Todd Fasullo Dir. Engineering

An introduction to checkpointing. for scientific applications

USING DOCKER FOR MXCUBE DEVELOPMENT AT MAX IV

Facilitating Collaborative Analysis in SWAN

Data Security and Privacy. Unix Discretionary Access Control

A Hands on Introduction to Docker

Investigating Containers for Future Services and User Application Support

Data services for LHC computing

Interfacing HTCondor-CE with OpenStack: technical questions

PROCESS MANAGEMENT. Operating Systems 2015 Spring by Euiseong Seo

1Z Oracle Linux Fundamentals (Oracle Partner Network) Exam Summary Syllabus Questions

Scheduling Computational and Storage Resources on the NRP

HIGH ENERGY PHYSICS ON THE OSG. Brian Bockelman CCL Workshop, 2016

ATLAS TDAQ System Administration: Master of Puppets

Linux Virtual Machine (VM) Provisioning on the Hyper-V Platform

CLUSTERING HIVEMQ. Building highly available, horizontally scalable MQTT Broker Clusters

OS Virtualization. Linux Containers (LXC)

Manual Shell Script Bash If File Exists And Is Not Empty

IBM Bluemix compute capabilities IBM Corporation

LINUX CONTAINERS. Where Enterprise Meets Embedded Operating Environments WHEN IT MATTERS, IT RUNS ON WIND RIVER

Midterm Presentation Schedule

glideinwms: Quick Facts

Installing and Using Docker Toolbox for Mac OSX and Windows

INSTALLING INSTALLING INSTALLING

Chapter 2. Operating-System Structures

Secure Architecture Principles

Process Scheduling with Job Scheduler

docker & HEP: containerization of applications for development, distribution and preservation

Docker All The Things

Docker for HPC? Yes, Singularity! Josef Hrabal

CS370 Operating Systems

What are some common categories of system calls? What are common ways of structuring an OS? What are the principles behind OS design and

Shooting for the sky: Testing the limits of condor. HTCondor Week May 2015 Edgar Fajardo On behalf of OSG Software and Technology

Transcription:

Singularity in CMS Over a million containers served

Introduction The topic of containers is broad - and this is a 15 minute talk! I m filtering out a lot of relevant details, particularly why we are using Singularity and e.g., not Docker. Feel free to grab me after this session for in-depth details. I m also taking the CMS-centric view, even though work was done by many organizations.

What problems are we solving? Simple isolation: Protect pilot from payloads and payloads from each other. Specifically: File isolation: pilot determines what files the payloads can read and write. Process isolation: payload can only interact with (see, signal, trace) its own processes. There are other kinds of isolation (e.g., resource management, kernel isolation, network isolation) that are useful but not required. glexec replacement: Retire our particularly problematic current solution to isolation. Homogeneous / portable OS environments: Make user OS environment as minimal and identical as possible

What is Singularity? Singularity is a container solution tailored for the HPC use case. It allows for a portable of OS runtime environments. It can provide isolation needed by CMS. Simple isolation: Singularity does not do resource management (i.e., limiting memory use), leaving that to the batch system. Operations: No daemons, no UID switching; no edits to config file needed. Install RPM and done. http://singularity.lbl.gov Goal: User has no additional privileges by being inside container. E.g., disables all setuid binaries inside the container.

Who is in a container? Three options when using containers: A: Batch system starts pilot inside a container. B: Pilot starts each payload inside its own container. C: Combine A and B. Option A does not meet our isolation goals. Option B does. It is important to allow sites to do their container work: must keep option C viable! Option A: Site Batch System Container Pilot Payload Payload Option B: Site Batch System Pilot Container Container Payload Payload

Site Batch System View From the Worker Node Pilot Singularity User Payload

Singularity and CMS Singularity meets the CMS needs for isolation! WLCG Isolation and Traceability Task Force adopted it as the replacement technology for glexec. It also solves a sticky problem for CMS: provides a portable OS environment. CMS cannot run its RHEL6 binaries inside a RHEL7 environment. Hence, CMS cannot transition to RHEL7 using our traditional techniques. Using container technologies means the payload can run in an arbitrary OS environment, different from the pilot. In fact, the pilot could start 8 payloads inside 8 different Linux distributions if it wanted. CMS policy, starting April 1: Sites may provide a RHEL7 environment to the pilot only if they also provide singularity. Otherwise, CMS may be unable to utilize the site. Alternate - decide on OS environment at pilot launch - is not desirable as it partitions the pool.

Singularity Integration To use Singularity, we need a few things. Available at sites: Given it is popular at many HPC centers, several OSG sites already had it installed. Available from EPEL, but EPEL version is too old for our use. In ~ November, got permission from OSG Security to ship it in OSG Upcoming repository. Done as of January 2017. Long-term goal remains to utilize version from EPEL. Integrate with pilot infrastructure: HTCondor can invoke Singularity directly or Singularity can be integrated into the wrapper script. Since there is no separate daemon or UID switching, no code needs to be changed besides job startup! For OSG & CMS, this was about 400 lines of bash.

Example Invocation singularity exec --home $PWD:/srv \ --bind $PWD:/srv \ --bind /cvmfs \ --pwd /srv \ --scratch /var/tmp \ --scratch /tmp \ --containall \ /cvmfs/singularity.opensciencegrid.org/bbockelm/cms:rhel6 \ /srv/.osgvo-user-job-wrapper.sh $CMD From: https://github.com/jamesletts/cmsglideinwmsvalidation/blob/master/singularity_wrapper.sh

Portable OS environment How do we deliver an OS environment to CMS pilots? Singularity has its own image creation utilities or can convert Docker images. Given the immense ecosystem of Docker images and tooling, we have chosen the latter approach. Traditionally, Singularity images are a single file. These get large: simple LIGO image might be about 4GB. Singularity can also just read from a directory. What tool would CMS use to distribute a directory of software across the global infrastructure? CVMFS CVMFS also provides per-file caching and file-level de-duplication. To launch python only requires downloading 3MB of data from a 3GB image. CVMFS also provides efficient cache management.

Inside the CMS container Inside the container, we have: User payload processes, running (real UID) as the pilot user. A full copy of the base RHEL6 (or 7!) OS, served from CVMFS. By default, everything is read-only. Generate basic passwd, group, and resolv.conf so user environment is relatively sane. User working directory is bind-mounted to /srv. $HOME is set to /srv. CVMFS and any POSIX storage elements are also a bind-mount inside the container. User environment is updated to correct any changed file paths. Pilot can select other files to copy or bind-mount inside container.

BYOC For CMS, we currently post the image to Docker Hub. OSG maintains a list of images to synchronize (https://github.com/ opensciencegrid/cvmfs-singularity-sync/blob/master/ docker_images.txt). Users can send in PRs and get their image approved. Once approved, a docker push to update the container should be reflected in CVMFS in about an hour. Look in /cvmfs/singularity.opensciencegrid.org. Not a CMS-specific: any OSG user can request a new image. Currently, only 2 of 36 images are from CMS.

Status on OSG Currently, about 15 OSG sites provide Singularity in their runtime environment. Wider US deploy than glexec. Worldwide, there are more - including a testbed at CERN. OSG and CMS VOs have integrated Singularity support into their glideinwms setup. CMS is in testing; OSG is in production. Much of the activity has occurred in the last few weeks. In early February, about 5% of the OSG pool supported Singularity. Currently, consistently 40-60% of the OSG pool. Learn more from the user support pages: http://bit.ly/2mqt0ds

Conclusions Singularity meets an important CMS need; CMS testing is fairly advanced. Sites may be able to decommission glexec as soon as April 1. Delivers a compelling feature set beyond LHC. Both isolation and portable user environments. Over 2 million OSG VO jobs have been run in containers! Young rollout: up to 350k containers / day. Started at 1k containers / day in early February. Many miles yet to run, but appears to be a productive path.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback