We support the containerization tool Singularity in O2. Singularity allows users to execute software containers within regular O2 jobs and is fully compatible with existing Docker images.
How to import Singularity or Docker containers in O2
The Singularity software is available by default (no module needed) from any compute node on the O2 cluster; however, due to security concerns, singularity can only be used to run images that have been tested and approved. The testing process is fully automated and can be initiated by any user.
To test and deploy a singularity container in O2 you need to submit it using our csubmitter tool, which works only from within O2 jobs and does not work from login nodes.
Make sure to request at least 8GB of memory with your O2 job to use the csubmitter tool.
First start an interactive O2 job and load the csubmitter module with:
where ProjectName is a name you assign to the container project. You can replace a container with a new one by submitting the new container using the same ProjectName.
The flag --image-path must be followed by the path to the container file to be scanned. It is also possible to scan and import a container directly from a web repository, as shown in the example below:
When the testing is completed, the Status will report as processed and, if no vulnerability is found, the Scan Grade will report Pass and the container file will be available under /n/app/singularity/containers/$USER/
It is also possible to see detailed information about a specific container request using the command csubmitter --status <id> where <id> is the ID number of the desired container.
You can also run the command csubmitter --help to see more information about this command.
More details about the csubmitter tool are available here
The csubmitter tool is still in a pilot-test stage and might not work properly at all times.
If you notice that after a day your container has not been processed, please let us know at firstname.lastname@example.org
How to prepare your Docker container to pass the csubmitter scan
The csubmitter scan checks for vulnerabilities in the container software. To avoid failing a scan, make sure that all system libraries inside your Docker container are at the latest version available. Usually this can be done by running the command apt update and apt-get upgrade (or the equivalent command for the OS used inside the container) at the end of the installation process.
When installing a pre-built container directly from a repository the easiest approach is to create a Singularity definition file and bootstrap the Singularity container from the desired Docker container.
For example, if you needed to install the Docker container ubuntu:latest you can create a Singularity definition file (my_container.def in this example) containing the following lines:
This will build the singularity container starting from the desired Docker container but will also update all system libraries from the original container. You can use the above template to install your desired Docker container.
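A definition file of the kind described above, written here as an added example and not taken from the original page or from the O2 documentation. It assumes a Debian/Ubuntu base image where apt-get is available; the output name my_container.sif and the build command in the comments are also assumptions.

```singularity
# my_container.def (added example, not the page's own listing)
# Bootstrap the Singularity image from an existing Docker image.
Bootstrap: docker
From: ubuntu:latest

%post
    # Runs once at build time, inside the container.
    # Avoid interactive prompts from package configuration scripts.
    export DEBIAN_FRONTEND=noninteractive

    # Refresh the package index, then bring every installed system
    # package up to the newest version the distribution provides, so
    # the vulnerability scan sees patched libraries.
    apt-get update
    apt-get -y upgrade

    # Install your own software here, BEFORE the final upgrade step if
    # it pulls in extra system packages, so those are updated as well.

    # Remove cached package lists and archives to keep the image small.
    apt-get clean
    rm -rf /var/lib/apt/lists/*

# Assumed build step, run where you have permission to build images:
#   singularity build my_container.sif my_container.def
```

The resulting image file is the one to pass to csubmitter with the --image-path flag.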
How to run Singularity containers in O2
Once a container has been approved and moved under the path /n/app/singularity/containers it can be used in O2 within any Slurm interactive srun or sbatch job.
The singularity executable is not available on login nodes. To execute your container you must be running an interactive or batch Slurm job.
The most common utilization of singularity containers is to start a shell within the container using the command singularity shell /path/to/container_file as in the example below:
Access permissions for those filesystems are preserved inside the container.
By default, not all environment variables might be ported inside the singularity container. If a variable defined outside Singularity needs to be ported inside the container and it is not available by default, it can be pre-set outside the container with the prefix SINGULARITYENV_. For example, the variable FOO can be ported inside the singularity container by presetting it as SINGULARITYENV_FOO.