Docker
Introduction
Containers are a way to package an environment along with an executable so that no additional installation or setup is required to run it on a different machine. Docker is a container solution that is designed for use on personal desktops and virtual machines. If you have previously used Docker, you can use Docker on ACES to help you make the transition to HPC.
The basic element of a container solution is an image. An image is a bundle of files that includes a self-contained environment with both installed executables and the system libraries they depend on. The container runtime mediates between the libraries in the image and the libraries on the host system. In the case of HPRC, the container runtime software options we support are Charliecloud and Singularity. They can both read many common container image file formats, including Docker. The Docker runtime is provided on ACES to help you make the transition to a supported HPC runtime.
This page describe how to fetch and run Docker containers on ACES.
Why use Containers
- Shareability: you can share your container image file with others by uploading it to a public repository, and download files shared by others.
- Portability: you can use image files made for any computer with the same architecture (x84-64).
- Reproducibility: cluster environments can change whenever the locally installed software gets updated. Container users are largely unaffected by this.
Why use Docker
- Community: DockerHub boasts the largest group of existing container users.
Docker Tutorial
The topics covered in this documentation are minimal. Visit Dockers's documentation for a more complete tutorial.
Docker at HPRC
Rootless Docker is installed on the ACES cluster. (It not installed on Grace, FASTER, or Launch)
Rootless mode allows running the Docker daemon and containers as a non-root user to mitigate potential vulnerabilities in the daemon and the container runtime. Rootless mode executes the Docker daemon and containers inside a user namespace.
Docker Software
Docker is provided through our module system. The version may vary.
module load docker-user
Additionally, docker-user has a user-specific setup step. This step is needed to install Docker configuration files in your home directory, which is present on all nodes. It is recommended to do this step on a login node. The setup tool will configure the default Docker context based on the current value of XDG_RUNTIME_DIR, which is well-defined on login nodes.
To enable docker-user for the current user:
dockerd-rootless-setuptool.sh install --skip-iptables
To disable docker-user for the current user:
dockerd-rootless-setuptool.sh uninstall --skip-iptables
Cluster Node Usage
Docker is available on login nodes and compute nodes. It is recommended to perform Docker tasks for large images on a compute node because they may be too resource-intensive for login nodes.
- For resource-heavy activities, access a compute node using
srun
or the VNC app from the Interactive Apps menu in the Portal.- Docker is not recommended for use in batch jobs.
- For resource-light activities, access a login node using the _cluster Shell access app from the Clusters menu in the Portal.
A Docker process (for example, the Docker Daemon process) that is started on one node may have undefined behavior if Docker is already running on a different node, since they will both be trying to read and write from the shared home directory. It is recommended to stop your Docker processes on each node when it is not in use, so that when you start again on a different node there is not a collision.
Docker Data
Docker saves data on disk in your home directory.
$ docker info ... Docker Root Dir: /home/username/.local/share/docker ...
Docker creates a lot of data and may easily overfill your file quota. Consider migrating this directory to the /scratch
or /tmp
filesystem. See our FAQ for more tips about this.
Docker Daemon
Docker commands do not function unless a Docker Daemon process is running on the current node. Otherwise, you may see an error like this:
ERROR: Cannot connect to the Docker daemon at unix:///run/user/5000/docker.sock. Is the docker daemon running?
When you first setup Docker configuration in your home directory using the dockerd-rootless-setuptool.sh
script, it will attempt to start the Docker Daemon on the current node for your convenience.
At all other times, you must manage your own Docker Daemon process.
Warning: It is recommended to only have Docker Daemon running on one node at a time.
Managing Docker Daemon on Login Nodes
Docker Daemon on login nodes is managed by the systemctl
tool in --user
mode.
To check if Docker Daemon is running on the current node:
systemctl --user status
Compare the output to the following table:
Docker Daemon running on login node HOSTNAME | Docker Daemon not running on login node HOSTNAME |
● HOSTNAME State: running Jobs: 0 queued Failed: 0 units Since: ... CGroup: /user.slice/user-50000.slice/user@50000.service ├─docker.service │ ├─2994871 rootlesskit ... │ ├─2994878 /proc/self/exe ... │ ├─2994888 vpnkit ... │ ├─2994906 dockerd --iptables=false │ └─2994954 containerd ... └─init.scope ├─2783501 /usr/lib/systemd/systemd --user └─2783503 (sd-pam) |
● HOSTNAME State: running Jobs: 0 queued Failed: 0 units Since: ... CGroup: /user.slice/user-50000.slice/user@50000.service └─init.scope ├─2783501 /usr/lib/systemd/systemd --user └─2783503 (sd-pam) |
To start the Docker Daemon on the current node:
systemctl --user start docker.service
To stop the Docker Daemon on the current node:
systemctl --user stop docker.service
Warning: It is recommended to only have Docker Daemon running on one node at a time.
Managing Docker Daemon on Compute Nodes (VNC method)
You will need two terminal windows. One to manage the Docker Daemon, and another to execute Docker commands. Right-click (or long click) on the background outside a terminal window top open the Fluxbox menu and click 'xterm' to create an additional terminal window. It may be necessary to close the browser window and reconnect to the VNC session if it doesn't work right away.
Compute nodes don't have systemctl --user
enabled, so you must start the Docker Daemon manually. Some extra variables are required to set this up. In one terminal window:
export XDG_RUNTIME_DIR=$HOME/.docker/run
export DOCKER_HOST=unix://${XDG_RUNTIME_DIR}/docker.sock
module load docker-user
dockerd-rootless.sh
The process will produce a lot of output. The Daemon is ready when you see a line like this:
INFO[...] API listen on /home/username/.docker/run/docker.sock
In the other terminal window, simply load the module.
module load docker-user
To stop the Docker Daemon manually, select its terminal window and use ctrl+c
to terminate.
Warning: It is recommended to only have Docker Daemon running on one node at a time.
Managing Docker Daemon on Compute Nodes (srun method)
To reach a compute node interactively, use the slurm command srun
with the interactive arguments. Read more about ACES slurm options.
srun --pty bash -i
Compute nodes don't have systemctl --user
enabled, so you must start the Docker Daemon manually. Some extra variables are required to set this up. Start the Docker Daemon as a background process using &
.
mkdir -p $HOME/.docker/run
export XDG_RUNTIME_DIR=$HOME/.docker/run
export DOCKER_HOST=unix://${XDG_RUNTIME_DIR}/docker.sock
module load docker-user
dockerd-rootless.sh &
The process will produce a lot of output. The Daemon is ready when you see a line like this:
INFO[...] API listen on /home/username/.docker/run/docker.sock
Press ↵ Enter
or return
to recover your shell prompt.
To stop the Docker Daemon manually, use fg
to bring the process out of the background and then ctrl+c
to terminate.
Warning: It is recommended to only have Docker Daemon running on one node at a time.
Running with Docker
Note: ensure you have loaded the docker-user module and the Daemon is running on the current node.
- Reminder:
module load docker-user
- Reminder:
systemctl --user start docker.service
on login nodes (recommended)
To test if Docker runs,
docker run hello-world
Interactive Example
To execute the default executable for a given container image,
docker run <image-name>
To execute a specific executable within a container, use the --entrypoint
option.
To start an interactive session with a container, add the -it
option.
For example, an interactive shell using the almalinux
container image:
docker run -it --entrypoint /bin/bash almalinux
$ docker run -it --entrypoint /bin/bash almalinux # ls afs bin dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var # exit $
Additional Docker Options
To set additional environment variables, add the -e
option for each variable.
-e VAR=value -e VAR=value ...
To enable use with NVIDIA GPUS, add the --gpus all
option.
To mount an external filesystem such as /scratch
, use the -v
option for each directory. Separete paths with :
if the paths outside and inside will be different.
-v /scratch -v /tmp:/tmp_inside_container
To control memory usage, Docker has these options.
--ulimit memlock=-1 --ulimit stack=67108864 --shm-size=8g --ipc=host
Runtime Limitations
Rootless Docker cannot be used to set a new network address space. You must use the host network address space. If the container does not do this by default, you may need to add the --net=host
option. See https://docs.docker.com/engine/security/rootless/#known-limitations for additional details.
Docker can sometimes have permission issues with parallel filesystems such as Lustre, because the user identity in the container may not match the user identity on the remote file server node. This may or may be a problem in your container, depending on how the image was configured.
Container images
Container images are found in both public and private repositories available on the internet.
Caution: Docker Hub and many other container repos are public repositories; do not trust unverified sources!
Warning: downloading a large image file is resource-intensive and takes a long time.
Warning: container images are very large on disk, and may easily overfill your file quota.
Fetching from Docker Hub
Connecting to Docker Hub require internet access. In order to access the internet from compute nodes, use the Web Proxy module (not required on login nodes).
module load WebProxy
docker pull
can automatically download docker images from Docker Hub. Read more about docker repositories.
docker pull <image>
Image storage
Use this command to inspect what images are stored in your local image repository. This repository will be in your home directory, unless you have relocated it (see Docker Data, above).
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE hello-world latest bf756fb1ae65 5 months ago 13.3kB
Docker to Singularity
Convert a Docker image into a Singularity image (.sif
) using Singularity/Apptainer.
(For more details, see our Singularity page).
Required: do this on a compute node where your Docker Daemon is running (See Managing Docker Daemon on Compute Nodes, above)
export SINGULARITY_CACHEDIR=$TMPDIR
singularity build image.sif docker-daemon://<image>
Docker to Charliecloud
Convert a Docker image into a Squashfs image (.sqfs
) using Charliecloud.
(For more details, see our Charliecloud page.)
Required: do this on a node where your Docker Daemon is running.
module load charliecloud
ch-convert -i docker <image> image.sqfs