Apptainer: Difference between revisions

Jump to navigation Jump to search

Apptainer (view source)

Revision as of 18:29, 12 August 2022

2,290 bytes added ,  2 years ago
no edit summary
No edit summary
No edit summary
Line 1: Line 1:
{{Draft}}
{{Draft}}
=Notice=
=Notices=


This page is '''draft work-in-progress'''. At the time of writing (August 2022) Apptainer version 1.1 is in release candidate status and the full release may well induce further updates to this page. (This page's current content is correct for Apptainer version 1.0.)
This page is '''draft work-in-progress'''. At the time of writing (August 2022) Apptainer version 1.1 is in release candidate status and the full release may well induce further updates to this page. (This page's current content is correct for Apptainer version 1.0.)
==Official Apptainer Documentation==
This page is neither exhaustive nor all-features complete and does not replace [http://apptainer.org/docs|Apptainer's official documentation], rather, it summarizes basic use, documents some aspects of using Apptainer on Alliance systems, and provides some examples relevant in using Apptainer on Alliance systems. We recommend all users read the official Apptainer documentation concerning the features of Apptainer they are using.


==If Currently Using Singularity==
==If Currently Using Singularity==
Line 36: Line 40:


===Important Items===
===Important Items===
====<code>sudo</code> Access With Apptainer is NOT Available====
====<code>sudo</code>====


Many users ask about this since documentation and web sites do discuss using <code>sudo</code> with Apptainer/Singularity. A major design aspect of Apptainer is security and know that <code>sudo</code> access is '''NOT''' available on our clusters. Should you require using <code>sudo</code>, consider the following:
Many users ask about <code>sudo</code> since documentation and web sites often discuss using <code>sudo</code>. Know the ability to use <code>sudo</code> to obtain root permissions is not available on our clusters. Should you require using <code>sudo</code>, consider the following options:


* Install Linux, Apptainer, and <code>sudo</code> in a virtual machine on a system you control where so you will be able to have <code>sudo</code> access within such. (Some images cannot be successfully built without using sudo.)
* Install Linux, Apptainer, and <code>sudo</code> in a virtual machine on a system you control so you will be able to have <code>sudo</code> access within such. Build your image(s) on that machine and upload them in order to use them on Alliance systems.
* If appropriate, [[Technical Support|submit a ticket]] asking if Alliance staff would be able to help build the image(s), etc. required needing <code>sudo</code>. (Understand that this may or may not be possible --but ask in a ticket if what you wish to achieve is beyond your means: there may be other ways to achieve those needs.)
* If appropriate, [[Technical Support|submit a ticket]] asking if Alliance staff would be able to help build the image(s), etc. required needing <code>sudo</code>. (Understand that this may or may not be done/possible --but feel free to ask such in a ticket if what you wish to achieve is beyond your means. Additionally, we may respond with other ways to achieve such with may or may not involve Apptainer.)
* Apptainer version 1.1 (which has not yet been released as of this writing (August 2022)), may well allow users to use the <code>--fakeroot</code> option with various Apptainer commands. After such has been released, this web page will be updated after the feature has been explored more, tested, and installed on our clusters.
 
NOTE: Apptainer version 1.1, which as of August 2022 has release candidate status only, may well allow users to easily use the <code>--fakeroot</code> option with various Apptainer commands. Such should make it possible to do various things without <code>sudo</code>. If so, after Apptainer version 1.1 has been released, this web page will be updated concerning such.


====Important Command Line Options====
====Important Command Line Options====
Line 62: Line 67:
|}
|}


Additionally there is another option, <code>-W</code> or <code>--workdir</code>, one should consider using. On our clusters (and on most Linux systems), the <code>/tmp</code> and similar filesystems use RAM --not disk space-- and jobs are run on our clusters typically with limited RAM requests. This can result in jobs getting killed because they consume too much RAM (relative to what was requested). A suitable work-around for this is to tell Apptainer to use a "workdir" for such filesystems, <code>$HOME</code> (if <code>-c</code> is also used), etc. This is done by passing the <code>-W</code> option followed by a path to a disk space location where Apptainer can read/write temporary files, etc.
There is another important option, <code>-W</code> or <code>--workdir</code>, one should consider using. On Alliance clusters and on most Linux systems, <code>/tmp</code> and similar filesystems use RAM --not disk space. Since jobs typically run on our clusters with limited RAM amounts, this can easily result in jobs getting killed because they consume too much RAM relative to what was requested for the job. A suitable work-around for this is to tell Apptainer to use actual disk space location for its "workdir". This is done by passing the <code>-W</code> option followed by a path to a disk space location where Apptainer can read/write temporary files, etc. For example, suppose one wanted to run a command <code>myprogram</code> in a using an Apptainer container image called <code>myimage.sif</code> with its "workdir" set to <code>$HOME/aworkdir</code> in the filesystem:
 
<source lang="console">$ mkdir -p $HOME/aworkdir
$ apptainer run -C -B /home -W $HOME/aworkdir myimage.sif myprogram</source>
 
where:
* The workdir directory can be removed if there are no live containers using it.
* When using Apptainer in an <code>salloc</code> or an <code>sbatch</code> job, use <code>${SLURM_TMPDIR}</code> for the "workdir" location, e.g., <code>-W ${SLURM_TMPDIR}</code>.
** ASIDE: One should '''not''' be running programs (including using Apptainer) on a login node: use an interactive <code>salloc</code> job.
* When using bind mounts, see the [[Bind_Mounts|section on bind mounts]] below since not all Alliance clusters are the same concerning the exact bind mounts that are needed to access <code>/home</code>, <code>/project</code>, and <code>/scratch</code>.


====Using GPUs====
====Using GPUs====
Line 77: Line 91:
====Using MPI Programs====
====Using MPI Programs====


If you want to run MPI programs inside a container there are things that need to be done in the host environment in order for such to work. Please see the [[#Running_MPI_Programs_Inside_an_Apptainer Container|Running MPI Programs section below]] for an example of how to run MPI programs inside a container.
If you want to run MPI programs inside a container there are things that need to be done in the host environment in order for such to work. Please see the [[#Running_MPI_Programs_Inside_an_Apptainer Container|Running MPI Programs section below]] for an example of how to run MPI programs inside a container. The official Apptainer documentation has more information concerning how MPI programs can be run inside a container.


===Container-Specific Help: <code>apptainer run-help</code>===
===Container-Specific Help: <code>apptainer run-help</code>===
Line 113: Line 127:
==Building an Apptainer Container/Image==
==Building an Apptainer Container/Image==


Apptainer images can be created in the following formats:
Apptainer "images" can be created in the following formats:


* as an <code>SIF</code> file, or,
* as an <code>SIF</code> file, or,
* as a "sandbox" directory.
* as a "sandbox" directory.


<code>SIF</code> files can contain multiple sections where each section is normally a squashfs, i.e., read-only and compressed, filesystem although read-write filesystems and overlay images can also be added to the <code>SIF</code> file. That said, unless such additional sections are present, one need not be concerned about the sections contained within an <code>SIF</code> file, e.g., the Apptainer <code>build</code> command produces a read-only <code>SIF</code> file when building images.
<code>SIF</code> files internally can contain multiple parts where each part is typically a squashfs filesystem (which are read-only and compressed). It is possible for <code>SIF</code> files to contain read-write filesystems and overlay images as well --but such is beyond the scope of this page: see the official Apptainer documentation on how to do such. Unless more advanced methods of building an "image" were used, the Apptainer <code>build</code> command produces a <code>SIF</code> file with a read-only squashfs filesystem when building images. (This is the preferred option since the resulting image remains as-is since it is read-only, and, the image is much smaller since it is compressed. Know that disk reads from that image are done very quickly.)


A "sandbox" directory is a normal directory in the filesystem that starts out as empty and as Apptainer builds the image it adds the files, etc. needed in the image to that directory. The contents of a "sandbox" directory should only be accessed, updated, etc. through the use of Apptainer. One might need to use a "sandbox" directory in situations where one needs read-write access in order to be able to update the container image. (By default <code>SIF</code> files are read-only.)
A "sandbox" directory is a normal directory in the filesystem that starts out as empty and as Apptainer builds the image it adds the files, etc. needed in the image to that directory. The contents of a "sandbox" directory should only be accessed, updated, etc. through the use of Apptainer. One might need to use a "sandbox" directory in situations where one needs to have read-write access to the image itself in order to be able to update the container image. That said, if updates are infrequent, it is typically easier and better to use an <code>SIF</code> and when updates need to be done, build a sandbox image from the <code>SIF</code> file, make the required changes, and then build a new <code>SIF</code> file, e.g.,


If the container image will not need to be updated, one should create an <code>SIF</code> file image as disk performance with such is much faster, e.g.,
<source lang="console">$ cd $HOME
$ mkdir mynewimage.dir
$ apptainer build mynewimage.dir myimage.sif
$ apptainer shell --writable mynewimage.dir
Apptainer> # Run commands to update mynewimage.dir here.
Apptainer> exit
$ apptainer build newimage.sif mynewimage.dir
$ rm -rf mynewimage.dir</source>


* an <code>SIF</code> file, which can be many gigabytes in size, is a single file which will result in excellent disk access performance and inode use on underlying filesystems,
Using an <code>SIF</code> image is recommended as disk performance (from the container image) will be faster than storing each file, etc. separately on Alliance cluster filesystems (which are set up to handle large files and parallel I/O). Using an <code>SIF</code> file instead of a sandbox image will also only use a quota file count amount of 1 instead of thousands (e.g., images will typically contain thousands of files and directories).
* an <code>SIF</code> file, is (typically) read-only and compressed further improving disk access speeds, and,
* an <code>SIF</code> file that is read-only can be used with bind-mounted directories and/or overlay images that are not read-only should such be needed.


===Building a Sandbox Directory===
===Building a Sandbox Directory===
Preney
cc_staff
156

edits

Retrieved from "https://docs.alliancecan.ca/wiki/Special:MobileDiff/118652"

Navigation menu