Background
Container technology has been adopted widely across production domains, thanks to containers being lightweight (compared with virtual machines), reasonably secure (isolation is weaker than a VM's, but with properly configured permissions it can be treated as secure isolation), and the high availability that system-level virtualization provides (based on namespaces and cgroups). Although the major platforms are converging in compatibility, for example Windows now ships the WSL subsystem so that a Linux environment can easily be set up on a Windows machine, containers remain as popular as ever, which shows that their usefulness is not something a single system component can replace. In earlier articles we covered the usage of Docker and Singularity containers; here we look at installing Singularity without building from source (on Manjaro Linux) and at how to modify static container image files.
Installing Singularity without building from source
Arch Linux platforms always get fairly quick updates: currently both CentOS and Manjaro support installing Singularity directly from packages, whereas Ubuntu does not yet and has to be built from source. Here is the installation for Manjaro Linux, which takes a single command:
[dechin-root sgcontainer]# pacman -S singularity-container
正在解析依赖关系...
正在查找软件包冲突...
软件包 (1) singularity-container-3.7.2-2
下载大小: 16.85 MiB
全部安装大小: 107.35 MiB
:: 进行安装吗? [Y/n] Y
:: 正在获取软件包......
singularity-cont... 16.8 MiB 6.61 MiB/s 00:03 [##################] 100%
(1/1) 正在检查密钥环里的密钥 [##################] 100%
(1/1) 正在检查软件包完整性 [##################] 100%
(1/1) 正在加载软件包文件 [##################] 100%
(1/1) 正在检查文件冲突 [##################] 100%
(1/1) 正在检查可用存储空间 [##################] 100%
:: 正在处理软件包的变化...
(1/1) 正在安装 singularity-container [##################] 100%
:: 正在运行事务后钩子函数...
(1/1) Arming ConditionNeedsUpdate...
After installation, verify the Singularity version:
[dechin-root sgcontainer]# singularity --version
singularity version 3.7.2
3.7.2 is already a fairly old version; 3.8 has since been released. Singularity currently ships a new version roughly every two weeks, so many CVEs get fixed quickly, which is very important. For an overview of Singularity's usage, refer to the official help:
[dechin@dechin-manjaro sgcontainer]$ singularity --help
Linux container platform optimized for High Performance Computing (HPC) and
Enterprise Performance Computing (EPC)
Usage:
singularity [global options...]
Description:
Singularity containers provide an application virtualization layer enabling
mobility of compute via both application and environment portability. With
Singularity one is capable of building a root file system that runs on any
other Linux system where Singularity is installed.
Options:
-c, --config string specify a configuration file (for root or
unprivileged installation only) (default
"/etc/singularity/singularity.conf")
-d, --debug print debugging information (highest verbosity)
-h, --help help for singularity
--nocolor print without color output (default False)
-q, --quiet suppress normal output
-s, --silent only print errors
-v, --verbose print additional information
--version version for singularity
Available Commands:
build Build a Singularity image
cache Manage the local cache
capability Manage Linux capabilities for users and groups
config Manage various singularity configuration (root user only)
delete Deletes requested image from the library
exec Run a command within a container
help Help about any command
inspect Show metadata for an image
instance Manage containers running as services
key Manage OpenPGP keys
oci Manage OCI containers
plugin Manage Singularity plugins
pull Pull an image from a URI
push Upload image to the provided URI
remote Manage singularity remote endpoints, keyservers and OCI/Docker registry credentials
run Run the user-defined default command within a container
run-help Show the user-defined help for an image
search Search a Container Library for images
shell Run a shell within a container
sif siftool is a program for Singularity Image Format (SIF) file manipulation
sign Attach digital signature(s) to an image
test Run the user-defined tests within a container
verify Verify cryptographic signatures attached to an image
version Show the version for Singularity
Examples:
$ singularity help <command> [<subcommand>]
$ singularity help build
$ singularity help instance start
For additional help or support, please visit https://www.sylabs.io/docs/
A default installation generates a set of configuration files under /etc/singularity. If you compile and install manually in unprivileged (unpriv) mode, you can configure a different path (this matters: you will certainly need it when installing and using containers from an account without root privileges).
[dechin-manjaro sgcontainer]# ll /etc/singularity/
总用量 40
-rw-r--r-- 1 root root 0 3月 11 13:45 capability.json
drwxr-xr-x 2 root root 4096 4月 4 21:48 cgroups
-rw-r--r-- 1 root root 1095 3月 11 13:45 ecl.toml
-rw-r--r-- 1 root root 0 3月 11 13:45 global-pgp-public
drwxr-xr-x 2 root root 4096 4月 4 21:48 network
-rw-r--r-- 1 root root 1344 3月 11 13:45 nvliblist.conf
-rw-r--r-- 1 root root 107 3月 11 13:45 remote.yaml
-rw-r--r-- 1 root root 927 3月 11 13:45 rocmliblist.conf
drwxr-xr-x 2 root root 4096 4月 4 21:48 seccomp-profiles
-rw-r--r-- 1 root root 10642 3月 11 13:45 singularity.conf
Pulling the ubuntu image from Docker Hub
First, by prefixing the pull path with the docker:// identifier, we can download images from Docker Hub; support for Docker images is one of Singularity's major advantages:
[dechin@dechin-manjaro singularity]$ singularity build --sandbox ubuntu docker://ubuntu
WARNING: 'nodev' mount option set on /tmp, it could be a source of failure during build process
INFO: Starting build...
Getting image source signatures
Copying blob a70d879fa598 done
Copying blob c4394a92d1f8 done
Copying blob 10e6159c56c0 done
Copying config 10bdc2317d done
Writing manifest to image destination
Storing signatures
2021/04/19 16:30:28 info unpack layer: sha256:a70d879fa5984474288d52009479054b8bb2993de2a1859f43b5480600cecb24
2021/04/19 16:30:29 info unpack layer: sha256:c4394a92d1f8760cf7d17fee0bcee732c94c5b858dd8d19c7ff02beecf3b4e83
2021/04/19 16:30:29 info unpack layer: sha256:10e6159c56c084c858f5de2416454ac0a49ddda47b764e4379c5d5a147c9bf5f
INFO: Creating sandbox directory...
INFO: Build complete: ubuntu
When using build mode, a directory with the name you just gave is created in the current path, containing all the files needed for the system-level virtualization:
[dechin@dechin-manjaro singularity]$ ll
总用量 4
drwxr-xr-x 18 dechin dechin 4096 4月 19 16:30 ubuntu
We can start the directory we just generated directly from this path, using it as a system image:
[dechin@dechin-manjaro singularity]$ singularity shell -w ubuntu
WARNING: Skipping mount /etc/localtime [binds]: /etc/localtime doesn't exist in container
Singularity> cp -a /etc/apt/sources.list /etc/apt/sources.list.bak
Singularity> sed -i "s@http://.*archive.ubuntu.com@http://repo.huaweicloud.com@g" /etc/apt/sources.list
Singularity> sed -i "s@http://.*security.ubuntu.com@http://repo.huaweicloud.com@g" /etc/apt/sources.list
Singularity> apt-get update
Get:1 http://repo.huaweicloud.com/ubuntu focal InRelease [265 kB]
Get:2 http://repo.huaweicloud.com/ubuntu focal-updates InRelease [114 kB]
Get:3 http://repo.huaweicloud.com/ubuntu focal-backports InRelease [101 kB]
Get:4 http://repo.huaweicloud.com/ubuntu focal-security InRelease [109 kB]
Get:5 http://repo.huaweicloud.com/ubuntu focal/restricted amd64 Packages [33.4 kB]
Get:6 http://repo.huaweicloud.com/ubuntu focal/universe amd64 Packages [11.3 MB]
Get:7 http://repo.huaweicloud.com/ubuntu focal/multiverse amd64 Packages [177 kB]
Get:8 http://repo.huaweicloud.com/ubuntu focal/main amd64 Packages [1275 kB]
Get:9 http://repo.huaweicloud.com/ubuntu focal-updates/restricted amd64 Packages [271 kB]
Get:10 http://repo.huaweicloud.com/ubuntu focal-updates/multiverse amd64 Packages [29.6 kB]
Get:11 http://repo.huaweicloud.com/ubuntu focal-updates/universe amd64 Packages [950 kB]
Get:11 http://repo.huaweicloud.com/ubuntu focal-updates/universe amd64 Packages [950 kB]
Get:13 http://repo.huaweicloud.com/ubuntu focal-backports/universe amd64 Packages [4305 B]
Get:14 http://repo.huaweicloud.com/ubuntu focal-security/main amd64 Packages [773 kB]
Get:15 http://repo.huaweicloud.com/ubuntu focal-security/universe amd64 Packages [683 kB]
Get:16 http://repo.huaweicloud.com/ubuntu focal-security/restricted amd64 Packages [239 kB]
Get:17 http://repo.huaweicloud.com/ubuntu focal-security/multiverse amd64 Packages [21.6 kB]
Fetched 3260 kB in 2s (1626 kB/s)
Reading package lists... Done
The -w flag keeps the configuration changes and content inside this file sandbox, because the more formal way to use it is to package the sandbox into a sif image file, so this step is really preparation for building a locally customized image. Once inside the container shell, we can check the system version:
Singularity> cat /etc/issue
Ubuntu 20.04.2 LTS \n \l
We find that pulling the container fetched the latest Ubuntu 20.04 from the library by default.
Pulling the centos image from Docker Hub
In the same way, we can pull a centos image from Docker Hub:
[dechin@dechin-manjaro singularity]$ singularity build --sandbox centos76 docker://centos:7.6.1810
WARNING: 'nodev' mount option set on /tmp, it could be a source of failure during build process
INFO: Starting build...
Getting image source signatures
Copying blob ac9208207ada done
Copying config 5f85193732 done
Writing manifest to image destination
Storing signatures
2021/04/19 17:24:49 info unpack layer: sha256:ac9208207adaac3a48e54a4dc6b49c69e78c3072d2b3add7efdabf814db2133b
2021/04/19 17:24:50 warn rootless{usr/bin/ping} ignoring (usually) harmless EPERM on setxattr "security.capability"
2021/04/19 17:24:51 warn rootless{usr/sbin/arping} ignoring (usually) harmless EPERM on setxattr "security.capability"
2021/04/19 17:24:51 warn rootless{usr/sbin/clockdiff} ignoring (usually) harmless EPERM on setxattr "security.capability"
WARNING: Permission handling has changed in Singularity 3.5 for improved OCI compatibility
WARNING: The sandbox will contain files/dirs that cannot be removed until permissions are modified
WARNING: Use 'chmod -R u+rwX' to set permissions that allow removal
WARNING: Use the '--fix-perms' option to 'singularity build' to modify permissions at build time
WARNING: You can provide feedback about this change at https://github.com/sylabs/singularity/issues/4671
INFO: Creating sandbox directory...
INFO: Build complete: centos76
Likewise, a system directory is created in the current path:
[dechin@dechin-manjaro singularity]$ ll
总用量 8
drwxr-xr-x 17 dechin dechin 4096 4月 19 17:24 centos76
drwxr-xr-x 18 dechin dechin 4096 4月 19 16:30 ubuntu
We can also enter the sandbox and check the system version:
[dechin@dechin-manjaro singularity]$ singularity shell -w centos76
Singularity> cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
Packaging the image file
Taking the ubuntu image as an example: after pulling the ubuntu image as a sandbox and making the configuration changes, run the following command to package it into an image file:
$ sudo singularity build ubuntu.sif ubuntu/
[sudo] dechin 的密码:
INFO: Starting build...
INFO: Creating SIF file...
INFO: Build complete: ubuntu.sif
Once packaged, the container is no longer started by the directory name but by the image name:
$ singularity shell ubuntu.sif
Singularity> cat /etc/issue
Ubuntu 20.04.2 LTS \n \l
Singularity> exit
exit
In this way we have easily created a portable Ubuntu system.
Getting the MindSpore Docker image
As mentioned at the start, Singularity is compatible with Docker container images. I happened to be testing the GPU version of Huawei's MindSpore framework recently and found the latest official MindSpore image, version 1.2.0, on Docker Hub, so we can use the singularity pull command to create a local sif image file directly from the remote repository (this differs from the sandbox-based method above: the process is simpler, but modifying the result is more cumbersome):
[dechin@dechin-manjaro ~]$ singularity pull docker://mindspore/mindspore-gpu:1.2.0
INFO: Converting OCI blobs to SIF format
WARNING: 'nodev' mount option set on /tmp, it could be a source of failure during build process
INFO: Starting build...
Getting image source signatures
Copying blob 48c41c211021 done
Copying config c3868774fb done
Writing manifest to image destination
Storing signatures
2021/05/29 10:20:52 info unpack layer: sha256:5353957e2ca61685e6024b440372c34e3b9e1d27ab564a9c8330e9ab8350894a
2021/05/29 10:21:33 warn xattr{/tmp/build-temp-665547475/rootfs/etc/gshadow} destination filesystem does not support xattrs, further warnings will be suppressed
2021/05/29 10:21:42 info unpack layer: sha256:bc3e02707e81c51c3b6cede72d41fdaaa153bc3bf4cb6c2ef053376d47f473aa
INFO: Creating SIF file...
After waiting a while the run completes, and a sif file appears in the current path:
[dechin@dechin-manjaro ~]$ ll | grep mindspore
-rwxr-xr-x 1 dechin dechin 2382344192 5月 29 10:23 mindspore-gpu_1.2.0.sif
Modifying the sif image file
If we are a non-root user without sudo privileges, the only way to modify the contents of a sif image file is --writable-tmpfs. For example, here we try to install the numba Python library inside the sif file:
dechin@ubuntu2004:~/projects/numba-gpu$ singularity shell --nv --writable-tmpfs /home/dechin/tools/singularity/mindspore-gpu_1.2.0.sif
Singularity> python -m pip show numba
Singularity>
The command above has an extra --nv flag, which enables CUDA support and is needed in GPU scenarios. pip show currently does not list numba, so we run the install command directly in the container shell (the --user option is required, otherwise the installation fails):
Singularity> python -m pip install numba --user
Collecting numba
Requirement already satisfied: setuptools in /usr/local/python-3.7.5/lib/python3.7/site-packages (from numba) (41.2.0)
Collecting llvmlite<0.37,>=0.36.0rc1 (from numba)
Using cached https://files.pythonhosted.org/packages/54/25/2b4015e2b0c3be2efa6870cf2cf2bd969dd0e5f937476fc13c102209df32/llvmlite-0.36.0-cp37-cp37m-manylinux2010_x86_64.whl
Requirement already satisfied: numpy>=1.15 in /usr/local/python-3.7.5/lib/python3.7/site-packages (from numba) (1.20.2)
Installing collected packages: llvmlite, numba
Successfully installed llvmlite-0.36.0 numba-0.53.1
At this point we have not yet left the current shell, and numba has been installed successfully, so we can test it with a numba GPU example:
# test-numba-gpu.py
from numba import cuda

# Plain CPU loop, used for comparison with the GPU kernel
def cpu_print(N):
    for i in range(0, N):
        print(i)

# CUDA kernel: each thread computes its global index and prints it
@cuda.jit
def gpu_print(N):
    idx = cuda.threadIdx.x + cuda.blockIdx.x * cuda.blockDim.x
    if (idx < N):
        print(idx)

def main():
    print("gpu print:")
    # 2 blocks of 4 threads = 8 threads, one per value 0..7
    gpu_print[2, 4](8)
    # wait for the kernel to finish so its output lands before the CPU part
    cuda.synchronize()
    print("cpu print:")
    cpu_print(8)

if __name__ == "__main__":
    main()
The output is as follows:
Singularity> python test-numba-gpu.py
gpu print:
0
1
2
3
4
5
6
7
cpu print:
0
1
2
3
4
5
6
7
Singularity> exit
exit
Now we exit this sif shell and start it again (this time without the writable flag):
dechin@ubuntu2004:~/projects/numba-gpu$ singularity shell --nv /home/dechin/tools/singularity/mindspore-gpu_1.2.0.sif
Singularity> python -m pip show numba
Name: numba
Version: 0.53.1
Summary: compiling Python code using LLVM
Home-page: https://numba.pydata.org
Author: Anaconda, Inc.
Author-email: numba-users@continuum.io
License: BSD
Location: /home/dechin/.local/lib/python3.7/site-packages
Requires: llvmlite, setuptools, numpy
Required-by:
Singularity> exit
exit
Now we can see the newly installed numba library in the sif image file, which shows that the earlier modification was preserved.
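The Location: line in the pip show output above points into /home/dechin/.local, a host directory that Singularity bind-mounts into the container, and that is what a practitioner should check before relying on changes made under --writable-tmpfs, whose overlay is discarded when the container exits. The following POSIX shell script is an added example, not code from the original post: it parses pip show output and reports whether a package sits on a bind-mounted host path or inside the image, assuming Singularity's default bind mounts ($HOME, /tmp, /var/tmp and the current directory).

```shell
#!/bin/sh
# Added example, not from the original post. Classify where a pip package
# landed when installed inside a Singularity container: a Location under a
# bind-mounted host path ($HOME, /tmp, /var/tmp, current directory) persists
# on the host; anything else went into the --writable-tmpfs overlay and is
# gone once the shell exits.

# Constructed sample: the `pip show numba` output from the post above.
PIP_SHOW_NUMBA='Name: numba
Version: 0.53.1
Location: /home/dechin/.local/lib/python3.7/site-packages
Requires: llvmlite, setuptools, numpy'

# Constructed sample for the opposite case: the image's own site-packages
# directory (the setuptools path seen in the pip install output above).
PIP_SHOW_SETUPTOOLS='Name: setuptools
Version: 41.2.0
Location: /usr/local/python-3.7.5/lib/python3.7/site-packages'

# Print the Location: field of `pip show` output read from stdin.
pip_location() {
    sed -n 's/^Location: //p'
}

# Exit 0 if $1 equals, or lies under, any of the prefixes given as $2...
under_prefix() {
    path=$1
    shift
    for prefix in "$@"; do
        case "$path" in
            "$prefix"|"$prefix"/*) return 0 ;;
        esac
    done
    return 1
}

# Usage: classify_install "<pip show output>" <home-dir> [<cwd>]
# Prints "host" if the package lives on a bind-mounted host path, else "image".
classify_install() {
    loc=$(printf '%s\n' "$1" | pip_location)
    cwd=${3:-/nonexistent}
    if under_prefix "$loc" "$2" /tmp /var/tmp "$cwd"; then
        echo host
    else
        echo image
    fi
}

# Stand-alone run: prints "host" for numba and "image" for setuptools.
classify_install "$PIP_SHOW_NUMBA" /home/dechin
classify_install "$PIP_SHOW_SETUPTOOLS" /home/dechin
```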
Summary
This article mainly covers installing Singularity containers on Manjaro, along with some common usage scenarios: pulling a sandbox to build a container image, building a container image from a remote repository, and modifying container images. Overall, Singularity is a very friendly container solution for non-root users. I have not actually benchmarked its speed, but in some scenarios it appears to perform somewhat better than Docker. The container also supports non-root installation and non-root usage, although on RH-based systems some default settings still need to be changed with root privileges before a non-root account can use Singularity containers; the most typical example is setting the value in /proc/sys/user/max_user_namespaces to non-zero, otherwise usage will fail with an error.
Copyright notice
This article was first published at: https://www.cnblogs.com/dechinphy/p/sg.html
Author ID: DechinPhy
For more original articles see: https://www.cnblogs.com/dechinphy/
Donation link: https://www.cnblogs.com/dechinphy/gallery/image/379634.html