Installing singularity-container on Manjaro Linux


Technical background

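Containerization has been widely adopted across production domains. This is thanks to containers being lightweight (compared with virtual machines), secure (isolation is weaker than a VM's, but with proper permission control it can still be regarded as secure isolation), and highly available through OS-level virtualization (based on namespaces and cgroups). Platforms are converging in compatibility: Windows, for example, introduced the WSL subsystem, which lets users set up a Linux environment on a Windows machine with little effort. Containers nevertheless remain popular, which shows that their usefulness cannot be replaced by a single system component. Earlier articles covered the usage of Docker and Singularity containers. Here we cover installing Singularity without building from source (on Manjaro Linux), and how to modify static container image files.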

Installing Singularity without building from source

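Arch Linux-based platforms tend to receive updates quickly. CentOS and Manjaro now both support installing Singularity directly, while Ubuntu does not yet support this and requires a source build. Here is the installation on Manjaro Linux, which takes a single command: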

[dechin-root sgcontainer]# pacman -S singularity-container
正在解析依賴關系...
正在查找軟件包沖突...

軟件包 (1) singularity-container-3.7.2-2

下載大小:   16.85 MiB
全部安裝大小:  107.35 MiB

:: 進行安裝嗎? [Y/n] Y
:: 正在獲取軟件包......
 singularity-cont...    16.8 MiB  6.61 MiB/s 00:03 [##################] 100%
(1/1) 正在檢查密鑰環里的密鑰                       [##################] 100%
(1/1) 正在檢查軟件包完整性                         [##################] 100%
(1/1) 正在加載軟件包文件                           [##################] 100%
(1/1) 正在檢查文件沖突                             [##################] 100%
(1/1) 正在檢查可用存儲空間                         [##################] 100%
:: 正在處理軟件包的變化...
(1/1) 正在安裝 singularity-container               [##################] 100%
:: 正在運行事務后鈎子函數...
(1/1) Arming ConditionNeedsUpdate...

After installation, verify the Singularity version:

[dechin-root sgcontainer]# singularity --version
singularity version 3.7.2

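The 3.7.2 shown here is already a fairly early version; version 3.8 has now been released. Singularity currently keeps up a release pace of roughly one version every half month, so many CVEs can be resolved fairly quickly, which is very important. For overall Singularity usage, refer to the official help text: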

[dechin@dechin-manjaro sgcontainer]$ singularity --help

Linux container platform optimized for High Performance Computing (HPC) and
Enterprise Performance Computing (EPC)

Usage:
  singularity [global options...]

Description:
  Singularity containers provide an application virtualization layer enabling
  mobility of compute via both application and environment portability. With
  Singularity one is capable of building a root file system that runs on any 
  other Linux system where Singularity is installed.

Options:
  -c, --config string   specify a configuration file (for root or
                        unprivileged installation only) (default
                        "/etc/singularity/singularity.conf")
  -d, --debug           print debugging information (highest verbosity)
  -h, --help            help for singularity
      --nocolor         print without color output (default False)
  -q, --quiet           suppress normal output
  -s, --silent          only print errors
  -v, --verbose         print additional information
      --version         version for singularity

Available Commands:
  build       Build a Singularity image
  cache       Manage the local cache
  capability  Manage Linux capabilities for users and groups
  config      Manage various singularity configuration (root user only)
  delete      Deletes requested image from the library
  exec        Run a command within a container
  help        Help about any command
  inspect     Show metadata for an image
  instance    Manage containers running as services
  key         Manage OpenPGP keys
  oci         Manage OCI containers
  plugin      Manage Singularity plugins
  pull        Pull an image from a URI
  push        Upload image to the provided URI
  remote      Manage singularity remote endpoints, keyservers and OCI/Docker registry credentials
  run         Run the user-defined default command within a container
  run-help    Show the user-defined help for an image
  search      Search a Container Library for images
  shell       Run a shell within a container
  sif         siftool is a program for Singularity Image Format (SIF) file manipulation
  sign        Attach digital signature(s) to an image
  test        Run the user-defined tests within a container
  verify      Verify cryptographic signatures attached to an image
  version     Show the version for Singularity

Examples:
  $ singularity help <command> [<subcommand>]
  $ singularity help build
  $ singularity help instance start


For additional help or support, please visit https://www.sylabs.io/docs/

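The default installation generates a set of configuration files under /etc/singularity. If you compile and install manually in unpriv mode, you can configure a different path (this matters: it is certainly needed when installing and using containers from an account without root privileges).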

[dechin-manjaro sgcontainer]# ll /etc/singularity/
總用量 40
-rw-r--r-- 1 root root     0  3月 11 13:45 capability.json
drwxr-xr-x 2 root root  4096  4月  4 21:48 cgroups
-rw-r--r-- 1 root root  1095  3月 11 13:45 ecl.toml
-rw-r--r-- 1 root root     0  3月 11 13:45 global-pgp-public
drwxr-xr-x 2 root root  4096  4月  4 21:48 network
-rw-r--r-- 1 root root  1344  3月 11 13:45 nvliblist.conf
-rw-r--r-- 1 root root   107  3月 11 13:45 remote.yaml
-rw-r--r-- 1 root root   927  3月 11 13:45 rocmliblist.conf
drwxr-xr-x 2 root root  4096  4月  4 21:48 seccomp-profiles
-rw-r--r-- 1 root root 10642  3月 11 13:45 singularity.conf

Pulling an ubuntu image from dockerhub

First, we can prefix the pull path with the docker identifier so that the image is downloaded from dockerhub. Support for docker images is one of Singularity's major advantages:

[dechin@dechin-manjaro singularity]$ singularity build --sandbox ubuntu docker://ubuntu
WARNING: 'nodev' mount option set on /tmp, it could be a source of failure during build process
INFO:    Starting build...
Getting image source signatures
Copying blob a70d879fa598 done  
Copying blob c4394a92d1f8 done  
Copying blob 10e6159c56c0 done  
Copying config 10bdc2317d done  
Writing manifest to image destination
Storing signatures
2021/04/19 16:30:28  info unpack layer: sha256:a70d879fa5984474288d52009479054b8bb2993de2a1859f43b5480600cecb24
2021/04/19 16:30:29  info unpack layer: sha256:c4394a92d1f8760cf7d17fee0bcee732c94c5b858dd8d19c7ff02beecf3b4e83
2021/04/19 16:30:29  info unpack layer: sha256:10e6159c56c084c858f5de2416454ac0a49ddda47b764e4379c5d5a147c9bf5f
INFO:    Creating sandbox directory...
INFO:    Build complete: ubuntu

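When build mode is used, a folder with the name just given is created in the current path. This folder contains all the files needed for system virtualization: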

[dechin@dechin-manjaro singularity]$ ll
總用量 4
drwxr-xr-x 18 dechin dechin 4096  4月 19 16:30 ubuntu

We can start the directory just generated directly from this path and use it as a system image:

[dechin@dechin-manjaro singularity]$ singularity shell -w ubuntu
WARNING: Skipping mount /etc/localtime [binds]: /etc/localtime doesn't exist in container
Singularity> cp -a /etc/apt/sources.list /etc/apt/sources.list.bak
Singularity> sed -i "s@http://.*archive.ubuntu.com@http://repo.huaweicloud.com@g" /etc/apt/sources.list
Singularity> sed -i "s@http://.*security.ubuntu.com@http://repo.huaweicloud.com@g" /etc/apt/sources.list
Singularity> apt-get update
Get:1 http://repo.huaweicloud.com/ubuntu focal InRelease [265 kB]
Get:2 http://repo.huaweicloud.com/ubuntu focal-updates InRelease [114 kB]
Get:3 http://repo.huaweicloud.com/ubuntu focal-backports InRelease [101 kB]
Get:4 http://repo.huaweicloud.com/ubuntu focal-security InRelease [109 kB]
Get:5 http://repo.huaweicloud.com/ubuntu focal/restricted amd64 Packages [33.4 kB]
Get:6 http://repo.huaweicloud.com/ubuntu focal/universe amd64 Packages [11.3 MB]
Get:7 http://repo.huaweicloud.com/ubuntu focal/multiverse amd64 Packages [177 kB]
Get:8 http://repo.huaweicloud.com/ubuntu focal/main amd64 Packages [1275 kB]
Get:9 http://repo.huaweicloud.com/ubuntu focal-updates/restricted amd64 Packages [271 kB]
Get:10 http://repo.huaweicloud.com/ubuntu focal-updates/multiverse amd64 Packages [29.6 kB]
Get:11 http://repo.huaweicloud.com/ubuntu focal-updates/universe amd64 Packages [950 kB]
Get:11 http://repo.huaweicloud.com/ubuntu focal-updates/universe amd64 Packages [950 kB]
Get:13 http://repo.huaweicloud.com/ubuntu focal-backports/universe amd64 Packages [4305 B]
Get:14 http://repo.huaweicloud.com/ubuntu focal-security/main amd64 Packages [773 kB]
Get:15 http://repo.huaweicloud.com/ubuntu focal-security/universe amd64 Packages [683 kB]
Get:16 http://repo.huaweicloud.com/ubuntu focal-security/restricted amd64 Packages [239 kB]
Get:17 http://repo.huaweicloud.com/ubuntu focal-security/multiverse amd64 Packages [21.6 kB]
Fetched 3260 kB in 2s (1626 kB/s)    
Reading package lists... Done

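The -w flag is added so that modified configuration and content are kept in the file sandbox. The more standard workflow is to turn this sandbox into a sif image file and use that, so this step is still preparation for building a locally customized image. After entering the container's shell, we can check the current system version: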

Singularity> cat /etc/issue
Ubuntu 20.04.2 LTS \n \l

We see that pulling the container fetched the latest Ubuntu 20.04 version from the registry by default.

Pulling a centos image from dockerhub

In the same way, we can pull a centos image from dockerhub:

[dechin@dechin-manjaro singularity]$ singularity build --sandbox centos76 docker://centos:7.6.1810
WARNING: 'nodev' mount option set on /tmp, it could be a source of failure during build process
INFO:    Starting build...
Getting image source signatures
Copying blob ac9208207ada done  
Copying config 5f85193732 done  
Writing manifest to image destination
Storing signatures
2021/04/19 17:24:49  info unpack layer: sha256:ac9208207adaac3a48e54a4dc6b49c69e78c3072d2b3add7efdabf814db2133b
2021/04/19 17:24:50  warn rootless{usr/bin/ping} ignoring (usually) harmless EPERM on setxattr "security.capability"
2021/04/19 17:24:51  warn rootless{usr/sbin/arping} ignoring (usually) harmless EPERM on setxattr "security.capability"
2021/04/19 17:24:51  warn rootless{usr/sbin/clockdiff} ignoring (usually) harmless EPERM on setxattr "security.capability"
WARNING: Permission handling has changed in Singularity 3.5 for improved OCI compatibility
WARNING: The sandbox will contain files/dirs that cannot be removed until permissions are modified
WARNING: Use 'chmod -R u+rwX' to set permissions that allow removal
WARNING: Use the '--fix-perms' option to 'singularity build' to modify permissions at build time
WARNING: You can provide feedback about this change at https://github.com/sylabs/singularity/issues/4671
INFO:    Creating sandbox directory...
INFO:    Build complete: centos76

Likewise, a system folder is created in the current path:

[dechin@dechin-manjaro singularity]$ ll
總用量 8
drwxr-xr-x 17 dechin dechin 4096  4月 19 17:24 centos76
drwxr-xr-x 18 dechin dechin 4096  4月 19 16:30 ubuntu

We can also enter the sandbox and check the system version:

[dechin@dechin-manjaro singularity]$ singularity shell -w centos76  
Singularity> cat /etc/redhat-release 
CentOS Linux release 7.6.1810 (Core) 

Packaging the image file

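Taking the ubuntu image as an example: after pulling the ubuntu image as a sandbox and finishing the configuration changes, run the following command to package the image file: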

$ sudo singularity build ubuntu.sif ubuntu/
[sudo] dechin 的密碼: 
INFO:    Starting build...
INFO:    Creating SIF file...
INFO:    Build complete: ubuntu.sif

After packaging, the container is no longer started by folder name but by image name:

$ singularity shell ubuntu.sif 
Singularity> cat /etc/issue
Ubuntu 20.04.2 LTS \n \l

Singularity> exit
exit

This way, we have conveniently produced a portable Ubuntu system.

Getting the MindSpore Docker image

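As mentioned at the start of the article, Singularity is compatible with Docker container images. I happened to be testing the GPU version of Huawei's MindSpore framework recently, and found the latest official MindSpore image, version 1.2.0, on DockerHub. We can therefore use the singularity pull command to create a local sif image file directly from the remote registry (this differs from building an image from a sandbox as above: the process is simpler, but modification is more troublesome):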

[dechin@dechin-manjaro ~]$ singularity pull docker://mindspore/mindspore-gpu:1.2.0
INFO:    Converting OCI blobs to SIF format
WARNING: 'nodev' mount option set on /tmp, it could be a source of failure during build process
INFO:    Starting build...
Getting image source signatures
Copying blob 48c41c211021 done  
Copying config c3868774fb done  
Writing manifest to image destination
Storing signatures
2021/05/29 10:20:52  info unpack layer: sha256:5353957e2ca61685e6024b440372c34e3b9e1d27ab564a9c8330e9ab8350894a
2021/05/29 10:21:33  warn xattr{/tmp/build-temp-665547475/rootfs/etc/gshadow} destination filesystem does not support xattrs, further warnings will be suppressed
2021/05/29 10:21:42  info unpack layer: sha256:bc3e02707e81c51c3b6cede72d41fdaaa153bc3bf4cb6c2ef053376d47f473aa
INFO:    Creating SIF file...

After waiting a while for the run to finish, a sif file appears in the current path:

[dechin@dechin-manjaro ~]$ ll | grep mindspore
-rwxr-xr-x  1 dechin dechin 2382344192  5月 29 10:23 mindspore-gpu_1.2.0.sif

Modifying a sif image file

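If we are a non-root user without sudo privileges, the only way to modify the contents of a sif image file is --writable-tmpfs. For example, here we try to install the numba python library in the sif file: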

dechin@ubuntu2004:~/projects/numba-gpu$ singularity shell --nv --writable-tmpfs /home/dechin/tools/singularity/mindspore-gpu_1.2.0.sif 
Singularity> python -m pip show numba
Singularity>

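The command above has an extra --nv option, which enables CUDA support and is used in GPU scenarios. pip show currently shows no numba library, so we run the install command directly in the container shell (the --user option is required, otherwise the installation fails):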

Singularity> python -m pip install numba --user
Collecting numba
Requirement already satisfied: setuptools in /usr/local/python-3.7.5/lib/python3.7/site-packages (from numba) (41.2.0)
Collecting llvmlite<0.37,>=0.36.0rc1 (from numba)
  Using cached https://files.pythonhosted.org/packages/54/25/2b4015e2b0c3be2efa6870cf2cf2bd969dd0e5f937476fc13c102209df32/llvmlite-0.36.0-cp37-cp37m-manylinux2010_x86_64.whl
Requirement already satisfied: numpy>=1.15 in /usr/local/python-3.7.5/lib/python3.7/site-packages (from numba) (1.20.2)
Installing collected packages: llvmlite, numba
Successfully installed llvmlite-0.36.0 numba-0.53.1

At this point we have not yet exited the current shell, and numba is now installed. We can test it with a numba GPU example:

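# test-numba-gpu.py

from numba import cuda


def cpu_print(N):
    # Print 0..N-1 sequentially on the CPU
    for i in range(0, N):
        print(i)


@cuda.jit
def gpu_print(N):
    # Global thread index: position within the block plus the block offset
    idx = cuda.threadIdx.x + cuda.blockIdx.x * cuda.blockDim.x
    if idx < N:
        print(idx)


def main():
    print("gpu print:")
    # Launch 2 blocks of 4 threads each, one thread per value
    gpu_print[2, 4](8)
    # Wait for the kernel to finish so its output appears before the CPU part
    cuda.synchronize()
    print("cpu print:")
    cpu_print(8)


if __name__ == "__main__":
    main()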

The output is as follows:

Singularity> python test-numba-gpu.py 
gpu print:
0
1
2
3
4
5
6
7
cpu print:
0
1
2
3
4
5
6
7
Singularity> exit 
exit

Now we exit this sif shell and start it again (this time without the writable option):

dechin@ubuntu2004:~/projects/numba-gpu$ singularity shell --nv /home/dechin/tools/singularity/mindspore-gpu_1.2.0.sif 
Singularity> python -m pip show numba
Name: numba
Version: 0.53.1
Summary: compiling Python code using LLVM
Home-page: https://numba.pydata.org
Author: Anaconda, Inc.
Author-email: numba-users@continuum.io
License: BSD
Location: /home/dechin/.local/lib/python3.7/site-packages
Requires: llvmlite, setuptools, numpy
Required-by: 
Singularity> exit  
exit

We can now see the newly installed numba library in the sif image file, which shows that the earlier change was preserved.
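An added example, not from the original post: the Location line in the output above is under /home/dechin, and Singularity bind-mounts the user's home directory from the host by default, so a `pip install --user` lands in the host's ~/.local and is picked up by any container that user starts. The function below reads `pip show` output and labels each package as coming from the host home or from the image; `audit_pip_show`, `host_home_packages` and the constructed sample (built from the two paths printed on this page) are this example's own names and data.

```shell
#!/bin/sh
# Added example: where do the Python packages seen inside the container live?

# audit_pip_show HOME_DIR
# Reads `pip show <pkg>...` output on stdin and prints "<name> <origin>" per
# package: "host-home" if Location is under HOME_DIR (bind-mounted from the
# host, so it outlives the container), otherwise "image".
audit_pip_show() {
    awk -v home="${1%/}/" -F': ' '
        $1 == "Name"     { name = $2 }
        $1 == "Location" {
            origin = (index($2 "/", home) == 1) ? "host-home" : "image"
            print name, origin
        }'
}

# host_home_packages HOME_DIR: only the names that come from the host home.
host_home_packages() {
    audit_pip_show "$1" | awk '$2 == "host-home" { print $1 }'
}

# Constructed sample: pip show output for two packages, using the numba and
# numpy versions and locations that appear in the terminal output on this page.
SAMPLE='Name: numba
Version: 0.53.1
Location: /home/dechin/.local/lib/python3.7/site-packages
---
Name: numpy
Version: 1.20.2
Location: /usr/local/python-3.7.5/lib/python3.7/site-packages'

printf '%s\n' "$SAMPLE" | audit_pip_show /home/dechin
```

Inside the container, run `python -m pip show numba numpy | audit_pip_show "$HOME"`. Starting the shell with `--contain` gives the container an empty home directory instead of the host's, which keeps host-installed packages out of the run.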

Summary

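This article mainly covered installing the Singularity container on Manjaro and some common usage scenarios: pulling a sandbox to build a container image, building a container image from a remote source, and modifying a container image. Overall, Singularity is a container solution that is very friendly to non-root users. I have not actually benchmarked its speed, but in some scenarios it can be seen to perform somewhat better than Docker. It also supports non-root installation and non-root use. On RH-based systems, however, some default configuration items still need to be changed with root privileges before a non-root account can use Singularity containers. The most typical is setting the parameter in /proc/sys/user/max_user_namespaces to a non-zero value; otherwise use fails with an error.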
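An added example, not from the original post: a pre-flight check for the non-root setup described above. It reads the max_user_namespaces limit the article names and lists anything under /etc/singularity that group or other users can write; the function names are this example's own, and both paths are parameters so the checks can be pointed at copies.

```shell
#!/bin/sh
# Added example: pre-flight checks before running Singularity as a non-root user.

# userns_limit [FILE]: print the per-user namespace limit; fail if unreadable.
userns_limit() {
    f="${1:-/proc/sys/user/max_user_namespaces}"
    [ -r "$f" ] || return 2
    tr -d '[:space:]' < "$f"
}

# userns_enabled [FILE]: succeed only if the limit is a number greater than zero.
userns_enabled() {
    n=$(userns_limit "$1") || return 2
    case "$n" in ''|*[!0-9]*) return 2 ;; esac
    [ "$n" -gt 0 ]
}

# loose_configs [DIR]: list entries under DIR writable by group or others
# (symlinks are skipped because their mode bits are not meaningful).
loose_configs() {
    find "${1:-/etc/singularity}" ! -type l \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# preflight [NS_FILE] [CONF_DIR]: print findings; non-zero if any check fails.
preflight() {
    rc=0
    if userns_enabled "$1"; then
        echo "OK   user namespaces enabled (limit $(userns_limit "$1"))"
    else
        echo "FAIL max_user_namespaces is 0 or unreadable; root must raise it"
        rc=1
    fi
    loose=$(loose_configs "$2" || true)
    if [ -n "$loose" ]; then
        echo "FAIL writable by group or others:"
        echo "$loose"
        rc=1
    else
        echo "OK   nothing group/world-writable under ${2:-/etc/singularity}"
    fi
    return $rc
}
```

Calling `preflight` with no arguments checks the live host using the two default paths.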

Copyright notice

This article was first published at: https://www.cnblogs.com/dechinphy/p/sg.html

Author ID: DechinPhy

More original articles: https://www.cnblogs.com/dechinphy/

Tip link: https://www.cnblogs.com/dechinphy/gallery/image/379634.html

Also published in the Tencent Cloud column: https://cloud.tencent.com/developer/column/91958

