Early days yet, but playing with NERSC’s Shifter to let us use Docker containers safely on our test RHEL6 cluster is looking really interesting (given you can’t use Docker itself under RHEL6, and if you could, the security concerns would cancel it out anyway).
To use a pre-built Ubuntu Xenial image, for instance, you tell it to pull the image:
[samuel@bruce ~]$ shifterimg pull ubuntu:16.04
There are a number of steps it goes through, first retrieving the container from the Docker Hub:
2016-08-01T18:19:57 Pulling Image: docker:ubuntu:16.04, status: PULLING
Then disarming the Docker container by removing any setuid/setgid bits, etc, and repacking as a Shifter image:
2016-08-01T18:20:41 Pulling Image: docker:ubuntu:16.04, status: CONVERSION
…and then it’s ready to go:
2016-08-01T18:21:04 Pulling Image: docker:ubuntu:16.04, status: READY
Using the image from the command line is pretty easy:
[samuel@bruce ~]$ cat /etc/lsb-release
LSB_VERSION=base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
[samuel@bruce ~]$ shifter --image=ubuntu:16.04 cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"
The shifter runtime will copy in site-specified /etc/passwd, /etc/group and /etc/nsswitch.conf files so that you can do user/group lookups easily, as well as map in site-specified filesystems, so your home directory is just where it would normally be on the cluster.
[samuel@bruce ~]$ shifter --image=debian:wheezy bash --login
samuel@bruce:~$ pwd
/vlsci/VLSCI/samuel
I’ve not yet got to the point of configuring the Slurm plugin so you can queue up a Slurm job that will execute inside a Docker container, but very promising so far!
Correction: a misconception on my part – Shifter doesn’t put a Slurm batch job inside the container. It could, but there are good reasons why it’s better to leave that to the user (soon to be documented on the Shifter wiki page for Slurm integration).