State of Containers. Convergence of Big Data, AI and HPC

Similar documents
High Performance Containers. Convergence of Hyperscale, Big Data and Big Compute

Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING

STATUS OF PLANS TO USE CONTAINERS IN THE WORLDWIDE LHC COMPUTING GRID

Shifter at CSCS Docker Containers for HPC

How Container Runtimes matter in Kubernetes?

How to build and run OCI containers

Think Small to Scale Big

[Docker] Containerization

Deploy containers on your cluster - A proof of concept

Dockerized Tizen Platform

The new Docker networking put into action to spin up a SLURM cluster

THE ROUTE TO ROOTLESS

LINUX CONTAINERS. Where Enterprise Meets Embedded Operating Environments WHEN IT MATTERS, IT RUNS ON WIND RIVER

BEST PRACTICES FOR DOCKER

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

Opportunities for container environments on Cray XC30 with GPU devices

Linux Containers Roadmap Red Hat Enterprise Linux 7 RC. Bhavna Sarathy Senior Technology Product Manager, Red Hat

Running MarkLogic in Containers (Both Docker and Kubernetes)

Shifter: Fast and consistent HPC workflows using containers

BEST PRACTICES FOR DOCKER

Docker und IBM Digital Experience in Docker Container

TEN LAYERS OF CONTAINER SECURITY

Container Pods with Docker Compose in Apache Mesos

An introduction to Docker

Engineering Robust Server Software

S INSIDE NVIDIA GPU CLOUD DEEP LEARNING FRAMEWORK CONTAINERS

Important DevOps Technologies (3+2+3days) for Deployment

Run containerized applications from pre-existing images stored in a centralized registry

CNA1699BU Running Docker on your Existing Infrastructure with vsphere Integrated Containers Martijn Baecke Patrick Daigle VMworld 2017 Content: Not fo

Container Security and new container technologies. Dan

Introduction to containers

Immutable Application Containers Reproducibility of CAE-computations through Immutable Application Containers

Kata Containers The way to run virtualized containers. Sebastien Boeuf, Linux Software Engineer Intel Corporation

VMworld 2017 Content: Not for publication #CNA1699BE CONFIDENTIAL 2

ISLET: Jon Schipp, AIDE jonschipp.com. An Attempt to Improve Linux-based Software Training

Container-based virtualization: Docker

Introduction to Container Technology. Patrick Ladd Technical Account Manager April 13, 2016

Securing Containers on the High Seas. Jack OWASP Belgium September 2018

Buenos Aires 31 de Octubre de 2018

The Post-Cloud. Where Google, DevOps, and Docker Converge

Replacing Docker With Podman. By Dan

CS-580K/480K Advanced Topics in Cloud Computing. Container III

Container Networking and Openstack. Fernando Sanchez Fawad Khaliq March, 2016

containerization: more than the new virtualization

RDMA Container Support. Liran Liss Mellanox Technologies

SAINT LOUIS JAVA USER GROUP MAY 2014

Docker Security. Mika Vatanen

DevOps Workflow. From 0 to kube in 60 min. Christian Kniep, v Technical Account Manager, Docker Inc.

Presented By: Gregory M. Kurtzer HPC Systems Architect Lawrence Berkeley National Laboratory CONTAINERS IN HPC WITH SINGULARITY

OS Virtualization. Linux Containers (LXC)

Docker 101 Workshop. Eric Smalling - Solution Architect, Docker

Kuber-what?! Learn about Kubernetes

THE STATE OF CONTAINERS

OCI Runtime Tools for Container Standardization

TEN LAYERS OF CONTAINER SECURITY

Docker and Security. September 28, 2017 VASCAN Michael Irwin

Cloud & container monitoring , Lars Michelsen Check_MK Conference #4

What s Up Docker. Presented by Robert Sordillo Avada Software

Red Hat Atomic Details Dockah, Dockah, Dockah! Containerization as a shift of paradigm for the GNU/Linux OS

THE AFS NAMESPACE AND CONTAINERS

Going Journey to Docker Production. Add picture here. Bret Fisher. DevOps Consultant Docker Captain Author of Udemy's Docker Mastery

SOFT CONTAINER TOWARDS 100% RESOURCE UTILIZATION ACCELA ZHAO, LAYNE PENG

Lightweight Containerization at Facebook

DevOps in the Cloud A pipeline to heaven?! Robert Cowham BCS CMSG Vice Chair

NGC CONTAINER. DU _v02 November User Guide

~Deep dive into Windows Containers and Docker~

Travis Cardwell Technical Meeting

Next Generation Tools for container technology. Dan

Docker Deep Dive. Daniel Klopp

Midterm Presentation Schedule

Best Practices for Developing & Deploying Java Applications with Docker

Container Deployment and Security Best Practices

NVIDIA DGX SYSTEMS PURPOSE-BUILT FOR AI

Docker & why we should use it

BUILDING A GPU-FOCUSED CI SOLUTION

CONTAINERIZING JOBS ON THE ACCRE CLUSTER WITH SINGULARITY

Splunk N Box. Splunk Multi-Site Clusters In 20 Minutes or Less! Mohamad Hassan Sales Engineer. 9/25/2017 Washington, DC

Allowing Users to Run Services at the OLCF with Kubernetes

OS Containers. Michal Sekletár November 06, 2016

Building A Better Test Platform:

Bright Cluster Manager: Using the NVIDIA NGC Deep Learning Containers

Introduction to Containers

Getting Started With Containers

Investigating Containers for Future Services and User Application Support

Amir Zipory Senior Solutions Architect, Redhat Israel, Greece & Cyprus

CSCE 410/611: Virtualization

Container mechanics in Linux and rkt FOSDEM 2016

OPENSTACK Building Block for Cloud. Ng Hwee Ming Principal Technologist (Telco) APAC Office of Technology

Docker and Oracle Everything You Wanted To Know

TEN LAYERS OF CONTAINER SECURITY. Kirsten Newcomer Security Strategist

Containerizing GPU Applications with Docker for Scaling to the Cloud

Service and Cloud Computing Lecture 10: DFS2 Prof. George Baciu PQ838

LENS Server Maintenance Guide JZ 2017/07/28

Networking & Security for Mesos

Sharing High-Performance Devices Across Multiple Virtual Machines

Virtual Infrastructure: VMs and Containers

The State of Rootless Containers

Bringing Security and Multitenancy. Lei (Harry) Zhang

DGX-1 DOCKER USER GUIDE Josh Park Senior Solutions Architect Contents created by Jack Han Solutions Architect

Remote Workflow Enactment using Docker and the Generic Execution Framework in EUDAT

Transcription:

State of Containers Convergence of Big Data, AI and HPC

Technology ReCap Comparison of Hypervisor and Container Virtualization

VM1 VM2 appa appb Userland Userland Kernel Kernel Operational Abstraction Services Hypervisor (type-2) end-user does not care... Host Kernel Hardware Traditional Virtualization VM-shortcuts Userland (PVM, pci-passthrough) Stacked View Cnt1 Cnt2 Services appa appb Userland Userland Userland Host Kernel Hardware Container Virtualization

Interface View From Application to Kernel lib-calls application libs application syscalls 102 kernel libs container hypercalls 101 kernel hypervisor (type-1) hw-calls hardware hardware Traditional Virtualization Container Virtualization

Technology ReCap Container Technology 101

Container Namespaces A starting container gets his own namespaces to keep track process of resources. But can share namespaces with other containers or even the host Host cnt0 MNT PID cnt1 NET IPC UTS cnt2 USR CGRP

CGroups While namespaces isolate, Control Groups constraint resources.

Storage Driver Handling OverlayFS The storage driver controls how images and containers are stored and managed on your Docker host. 1 qnib/uplain-cuda [6] libcuda1-384 1.5GB 1.39GB 5 6 [5] apt-get update 153MB config.json [1] ubuntu:16.04 Image layers R/O Container Layer 112MB qnib/uplain-cuda Thin R/W layer

Seccomp (SELinux,AppArmor) While namespaces isolate, Control Groups constraint resources, seccomp filters syscalls (sane default). (SELinux/AppArmor allow for system-wide filters) https://docs.docker.com/engine/security/seccomp/

Architecture ReCap Open-Source Container Technology 101

Runtime runc + containerd { "process": { runc "terminal": true, CLI tool for spawning and running containers according to the OCI specification "consolesize": { "height": 25, Shifter / Charlie Cloud / Singularity "width": 80 are not OCI compliant runtimes }, "user": { "uid": 1, "gid": 1, "additionalgids": [5,6] } } rootfs executed container runc config.json HPC-runtime workarounds

Runtime runc + containerd runc CLI tool for spawning and running containers according to the OCI specification containerd An industry-standard container runtime with an emphasis on simplicity, robustness and portability.

Architecture on Linux Docker Client Docker Compose Docker Registry Docker Swarm/K8s REST interface Docker Engine libnetwork libcontainerd containerd + Control Groups (cgroups) runc storage plugins HPC-runtime workarounds Namespaces (mnt,pid,ipc,...) Layer Capabilities AUFS,overlay,... Operating System Other OS Functionality

Architecture on Windows Docker Client Docker Compose Docker Registry Docker Swarm/K8s REST interface Docker Engine libcontainer libnetwork storage plugins Other OS Functionality Host Compute Service Control Groups Namespaces Layer Capabilities Job Objects Object Namespace, Process Table, Networking Registry, Union like filesystem extension Operating System

HPC Challenges Host-Agnostic vs. Host-Specific

Shared Systems Scientist self-service Compute Cluster Display Data Engine Engine Engine Engine rank0 rank1 rank2 rankn /home/ /scratch/ /proj/ Storage Service Cluster Create Data

Shared File-Systems Compute Jobs pin the user Compute jobs need to be imperative, as processes work closely together. UID:GID ownership can be handled within container Host Engine process 0 child 0.1 /home/alice/ /home/bob/ process 0 child 0.1

Honor Shared Environments Example Works as designed - host-agnostic! Best-practice (as of today) for containers suggest to do not trust the UID within the container at all! root@n40l:/home# ls -l total 16 drwx------ 2 alice alice 4096 Feb 17 11:12 alice drwx------ 2 bob bob 4096 Feb 17 11:11 bob root@n40l:~# su - bob bob@n40l:~$ docker run -ti --rm -v /home/:/home/ --user=$(id -u alice):$(id -g alice) \ ubuntu touch /home/alice/bob_was_here bob@n40l:~$ logout root@n40l:~# ls -l /home/alice/ total 0 -rw-r--r-- 1 alice alice 0 Feb 17 11:38 bob_was_here root@n40l:~#

Honor Shared Environments [proof-of-concept] Manipulating API payload via proxy $ docker run -v /var/run/:/var/run/ -ti --rm qnib/doxy:gpu doxy --proxy-socket=/var/run/hpc.sock --pattern-key=hpc \ --pin-user --user 1003:1003 2018/02/17 10:47:27 [II] Start Version: 0.2.4 2018/02/17 10:47:27 [doxy] Listening on /var/run/hpc.sock 2018/02/17 10:47:27 Serving proxy on '/var/run/hpc.sock' Alter User setting - Overwrite User with '1003:1003', was '1002:1002' bob@n40l:~$ docker -H unix:///var/run/hpc.sock create -v /home/:/home/ \ Mounts: [/home/:/home/] --user=$(id -u alice):$(id -g alice) ubuntu touch /home/alice/bob_tried 2117ed54e6063928db5c3ed7688a3ab96a3c60fcf3b54407fb27336dfe14e9de Alter User setting - Overwriting User with '1003:1003', was '1002:1002' Mounts: [/home/:/home/] charlie@n40l:~$ docker start -a 2117ed54e6063928db5c3ed7688a3ab96a3c60fcf3b54407fb27336dfe14e9de touch: cannot touch '/home/alice/bob_tried': Permission denied

Host-Agnostic vs. Host-Specific kernel-bypassing devices drivers can be part of the container, which bloats the container a local volume on the host, which adds/augments the library into the container These devices/drivers might be host-specific (e.g. different GPUs per host require different mappings) Docker Engine Host1 process1 GPU Host2 /lib/cuda/1.2.1 GPU Docker Engine /dev/nvidia1 process1 /lib/cuda/1.2 To use kernel-bypassing devices and drivers have to be present into a container /dev/nvidia0

Kernel-bypassing devices [proof-of-concept] Manipulating API payload via proxy p2.xlarge:/root/# docker run -v /var/run/:/var/run/ -ti --rm qnib/doxy:gpu doxy --proxy-socket=/var/run/hpc.sock \ --pattern-key=hpc --gpu --cuda-lib-path=/usr/lib/nvidia-384 2018/02/17 10:47:27 [II] Start Version: 0.2.4 2018/02/17 10:47:27 [doxy] Listening on /var/run/hpc.sock 2018/02/17 10:47:27 Serving proxy on '/var/run/hpc.sock' bob@p2.xlarge:~$ docker -H unix:///var/run/hpc.sock create ubuntu /usr/local/nvidia/bin/nvidia-smi -L a3307eefa31233bdcb36e161ffe0ef433d93f80e43cc1dfe9ee32c45c10dc50d Add GPU stuff New device: /dev/nvidia0:/dev/nvidia0 New device: /dev/nvidiactl:/dev/nvidiactl Mounts: [/usr/lib/nvidia-384:/usr/local/nvidia/] bob@p2.xlarge:~$ docker start -a a3307eefa31233bdcb36e161ffe0ef433d93f80e43cc1dfe9ee32c45c10dc50d GPU 0: Tesla K80 (UUID: GPU-4095713a-1f9b-791d-841d-8b35143127d4)

Underpin Orchestration Combine Data Lake and Distributed Compute

Engine vs. Workload Scheduler As of today, service orchestrators start containers unaware of shared systems HPC workload schedulers start userland processes within shared environment. SWARM Kubernetes HPC Workload Scheduler slurmd Docker Engine process1 process2 job-process1 job-process2 Shared System Shared System HPC-runtime workarounds

Engine serves Service and Workload Schedulers By making the Docker-Engine aware of shared environments and kernel-bypassing hardware, it can serve all use-cases. SWARM Kubernetes HPC Workload Scheduler Docker Engine process1 process2 Shared System job-process1

Outlook 2018 the year of High Performance Containers

Tentative Milestones Critical MVP milestones #1 Secure Operations and kernel-bypassing support #1.1 Secure Operation in shared environment In particular pinning a user to use his UID in shared file-systems, so that users are not able to access other userdata. #1.2 Transparent Support of kernel-bypassing Devices Host-specific GPU and Interconnects (e.g. InfiniBand) #2 Integration of Workload Scheduler #2.0 Integration of HPC workload schedulers As a reference the open-source and widely adopted scheduler SLURM should implement container scheduling. Other can follow.

Student Cluster Competition Docker is coaching the SCC-Team of the Student Cluster Competition at ISC 2018 in Frankfurt. Goals are: 1. Use of containerized auxiliary services (Monitoring, ) 2. Prototype workflow

Call For Action How to get involved? If you are already a customer of ours push for HPC/Big Data use-cases If not become one and push for HPC/Big Data use-cases To prepare for adoption: Enhance your operation / container knowledge by using DockerEE in non-hpc services Create Center-Of-Excellence for Containers Make yourself familiar with Supply Chain (a lot of gold here) Educating you Dev/Scientists/Engineers to use container (HPC) best-practices Ask for all of the above...

Mid-/Long-Term Containers are a gold-mine Reproducibility Bundle apps/libs using a Recipe (Dockerfile) Fosters collaboration optimize the user-land to best support the application, no need to consider impact to others. automate optimization with permuted pkg / config Fingerprint application (/workload) signed images (/content-hashes) ensure integrity battle-tested workload OR needs to run through Q&A? diskless Storage Driver? treat shared FS as object store for all image blobs burst-buffer as to instantiate file-system of container read-only input data as volume pre-loaded on host, used by containers Using Containers fine-grained observibility comes for free

THANK YOU :)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback