Last updated Apr 24, 2020 1:45 PM

Containers on Fiji

Containerization options and how to use Singularity

Containers are a popular way to package up a specific piece of software so that it's available to run consistently for anyone who wants to use it. The most popular technology to create and run containers today is Docker, and while that is the case, Docker poses some security threats that can be mitigated by using other technology. As such, BIT provides Singularity for users on the compute cluster. The good news is, it's easy to pull a Docker container image and "convert" it for use with Singularity, and when in doubt, BIT will always be available to help you with this process. Below, we document the most common Singularity use-cases, but for any additional questions or to request we build a container for you, please submit a ticket. Note: Any versions of containers that we've already built on Fiji are available in /scratch/Shares/public/singularity.

Singularity Versions on Fiji

While most software installed on Fiji is only available by using the modules system, there is a default Singularity version available to anyone once they login, and it's typically the newest. This version is built and packaged by the CentOS maintainers, so it is a trusted build and we are able to rely on it. To verify this, we can use which to see that it's in our path directly after logging in:

        -bash-4.2$ which singularity 
/bin/singularity
-bash-4.2$ singularity --version
singularity version 3.5.3-1.1.el7

You can still load a specific (older) version of Singularity using Lmod and the module commands. If you need a version you don't see listed, submit a ticket. To see all available Singularity versions:

        -bash-4.2$ module avail singularity 

--------------------------------------------------------- /opt/lmod/lmod/modulefiles/Core ---------------------------------------------------------
   singularity/2.4    singularity/3.1.1 (D)

  Where:
   D:  Default Module

Pulling and Running a Docker Container with Singularity

There's no doubt that most software you may want to utilize is available on the Docker Hub. Again, it's easy to use these images with Singularity. The example we always like to use is Graph Tool, as it's a very complicated tool to install properly on the compute cluster. Getting a Singularity image file for Graph Tool is easy, though (your output will likely differ slightly):

        -bash-4.2$ singularity pull docker://tiagopeixoto/graph-tool
INFO:    Converting OCI blobs to SIF format
INFO:    Starting build...
Getting image source signatures
Copying blob 98af9a19be0a done
Copying blob 13267b0e75e1 done
Copying blob 9a6d05523baa done
Copying blob 96dc953a2ee5 done
Copying blob 599c278814a2 done
Copying blob 66cfa2b1b045 done
Copying config 56a111ed71 done
Writing manifest to image destination
Storing signatures
2020/04/24 10:28:15  info unpack layer: sha256:98af9a19be0a78cd6a29877513123ce99750645f01b06f1ce480fd2bbaf8ed1a
2020/04/24 10:28:15  warn rootless{srv/ftp} ignoring (usually) harmless EPERM on setxattr "user.rootlesscontainers"
2020/04/24 10:28:15  warn rootless{usr/bin/newgidmap} ignoring (usually) harmless EPERM on setxattr "security.capability"
2020/04/24 10:28:15  warn rootless{usr/bin/newuidmap} ignoring (usually) harmless EPERM on setxattr "security.capability"
2020/04/24 10:28:27  info unpack layer: sha256:13267b0e75e1dba5e6e0d04f6efce12dc1414c6be33ff5597b3e582b5e18c836
2020/04/24 10:28:27  info unpack layer: sha256:9a6d05523baa730d768f222aaa5fd428bafdf8ae322cbad67f3d486d3cee7de2
2020/04/24 10:28:28  info unpack layer: sha256:96dc953a2ee5b8c3783f38e021e348c7d299562b9979ae4256c81eb3ec358323
2020/04/24 10:28:48  info unpack layer: sha256:599c278814a2a1ab37d32396dd3ba16be8ce315e2bca0bfa0c05ea5f486dc658
2020/04/24 10:29:07  info unpack layer: sha256:66cfa2b1b0452f2410eec06c6d7f8afb1b2d8580bc6972b7a99f727aa3ac12cc
INFO:    Creating SIF file...
INFO:    Build complete: graph-tool_latest.sif

Using the software in the container is just as easy! Let's assume you want to run an iPython session inside of the container (so you have access to Graph Tool). The singularity run command will allow you to do just that using your newly created Singularity image file:

        -bash-4.2$ singularity run graph-tool_latest.sif ipython
Python 3.8.2 (default, Feb 26 2020, 22:21:03) 
Type 'copyright', 'credits' or 'license' for more information
IPython 7.13.0 -- An enhanced Interactive Python. Type '?' for help.

In [1]:

Though there is no real indication other than the iPython prompt that appeared, rest-assured the iPython session is inside of the container and all libraries required to use Graph Tool are available, too!

Bind Paths in Containers

By default, you'll notice that inside of a container your home directory, /Users/<yourIdentikey>, is always available. In addition, the directory that you run a container from is also available. This means if you have your containers in your base scratch directory, /scratch/Users/<yourIdentikey>, you will have access to both your home and scratch directories in the container. You can see this for yourself by pulling a very simple CentOS container with no special software or tools available in it and checking for some files or folders in your home and scratch directories. Typically, a container like this is used as a building block or starting point for creating your own containers:

        -bash-4.2$ cd /scratch/Users/<yourIdentikey>
-bash-4.2$ singularity pull docker://centos
INFO:    Converting OCI blobs to SIF format
INFO:    Starting build...
Getting image source signatures
Copying blob 8a29a15cefae done
Copying config 348f8f553f done
Writing manifest to image destination
Storing signatures
2020/04/24 10:48:11  info unpack layer: sha256:8a29a15cefaeccf6545f7ecf11298f9672d2f0cdaf9e357a95133ac3ad3e1f07
2020/04/24 10:48:11  warn rootless{usr/bin/newgidmap} ignoring (usually) harmless EPERM on setxattr "security.capability"
2020/04/24 10:48:11  warn rootless{usr/bin/newuidmap} ignoring (usually) harmless EPERM on setxattr "security.capability"
2020/04/24 10:48:11  warn rootless{usr/bin/ping} ignoring (usually) harmless EPERM on setxattr "security.capability"
2020/04/24 10:48:14  warn rootless{usr/sbin/arping} ignoring (usually) harmless EPERM on setxattr "security.capability"
2020/04/24 10:48:14  warn rootless{usr/sbin/clockdiff} ignoring (usually) harmless EPERM on setxattr "security.capability"
INFO:    Creating SIF file...
INFO:    Build complete: centos_latest.sif

After pulling the container to your top-level scratch directory, execute a bash shell inside of it and check for your home and scratch directories to ensure they're available inside of the container. Note that by default, your pwd in the container is where you executed singularity run from! Also, to exit an interactive shell inside of a container, just type exit.

        -bash-4.2$ singularity run centos_latest.sif /bin/bash
Singularity> pwd
/scratch/Users/testuser
Singularity> cd /Users/testuser
Singularity> ls
centos_latest.sif  graph-tool_latest.sif  ubuntu_latest.sif
Singularity> cd /scratch/Users/testuser
Singularity> ls
centos_latest.sif  seq-data-cleanup  test_run_folder
Singularity> exit
exit
-bash-4.2$

There will be cases where you want to include other (potentially many!) paths in your container environment, though. Or sometimes you can just use custom bind paths to trick software into writing things somewhere more convenient. For example, let's assume you want to run a program, available in a container, that writes many, many GB to /tmp. On a standard Fiji compute node, /tmp is only 100G, so you will definitely run out of space. We can bind /tmp in our container to /scratch/Users/<yourIdentikey> on the underlying filesystem. For all of the following, you are going to use the same base CentOS image as before. To demonstrate in full, first create a tmp directory in your own scratch space:

        -bash-4.2$ mkdir /scratch/Users/testuser/tmp

Next, execute a bash shell inside of the container using singularity run. This time, though, be sure to note the bind path to add to your command. Once inside of the container, navigate to /tmp, use touch to create a new, empty file, exit the container, and you'll see that it was actually created in your tmp directory on scratch:

        -bash-4.2$ singularity run -B /scratch/Users/testuser/tmp:/tmp centos_latest.sif /bin/bash
Singularity> cd /tmp
Singularity> touch mynewfile
Singularity> exit
-bash-4.2$ # we're back OUTSIDE of the container now 
-bash-4.2$ cd /scratch/Users/testuser/tmp
-bash-4.2$ ls
mynewfile

Choosing where to store temporary files created inside of a container isn't the only use for bind paths, though, so adapt them to suit your needs! This is the primary means for accessing data in a container that originates outside of the container, and for ensuring data created inside of the container is available after the container finishes running.

Container Caveats

Of course with ANY software or technology, especially depending on implementation, there are some drawbacks and caveats. Here are a few things to be mindful of on Fiji.

  1. root access is required for building containers (using singularity build). If you want a container built directly on Fiji, you will have to submit a ticket to request assistance. Otherwise, you are welcome to build the container on your own machine and copy it onto Fiji. Usually this will work even across different versions of Singularity.
  2. Trying to inject software int provided by modules (anything in /opt on Fiji) into your container through the use of bind mounts occasionally works, but often it doesn't. The best results come when you are using a CentOS 7 container while trying this, as all of our software is built and tested on CentOS 7.

singularity containers docker
Posted in Category: Cluster Computing