Technical background
Container technology has been widely adopted across many production areas, thanks to the light weight of containers (compared with virtual machines), their security (isolation is weaker than a virtual machine's, but with properly configured permissions it can still be regarded as secure isolation) and the high availability that system-level virtualization brings (based on namespaces and cgroups). Although the major platforms now seem to be converging on compatibility, for example Windows has introduced the WSL subsystem so that a user can easily set up a Linux environment on a Windows machine, containers remain as popular as ever, which shows that what they offer cannot be replaced by a single system component. In earlier articles we covered the usage of Docker and Singularity containers; here we look at installing Singularity without building from source (on Manjaro Linux) and at how to modify a static container image file.
Installing Singularity without building from source
Arch Linux platforms tend to get fairly quick updates: at present both CentOS and Manjaro support installing Singularity containers directly from packages, whereas Ubuntu does not yet support this and can only build from source. Here is the installation method for Manjaro Linux, which needs just one command:
[dechin-root sgcontainer]# pacman -S singularity-container
正在解析依賴關係...
正在查詢軟體包衝突...
軟體包 (1) singularity-container-3.7.2-2
下載大小: 16.85 MiB
全部安裝大小: 107.35 MiB
:: 進行安裝嗎? [Y/n] Y
:: 正在獲取軟體包......
singularity-cont... 16.8 MiB 6.61 MiB/s 00:03 [##################] 100%
(1/1) 正在檢查金鑰環裡的金鑰 [##################] 100%
(1/1) 正在檢查軟體包完整性 [##################] 100%
(1/1) 正在載入軟體包檔案 [##################] 100%
(1/1) 正在檢查檔案衝突 [##################] 100%
(1/1) 正在檢查可用儲存空間 [##################] 100%
:: 正在處理軟體包的變化...
(1/1) 正在安裝 singularity-container [##################] 100%
:: 正在執行事務後鉤子函式...
(1/1) Arming ConditionNeedsUpdate...
After installation, verify the Singularity version:
[dechin-root sgcontainer]# singularity --version
singularity version 3.7.2
3.7.2 here is already a fairly old version; 3.8 has since been released. Singularity currently keeps to roughly one release every two weeks, so many CVEs get fixed fairly quickly, which is very important. For Singularity's overall usage you can refer to the official help text:
[dechin@dechin-manjaro sgcontainer]$ singularity --help
Linux container platform optimized for High Performance Computing (HPC) and
Enterprise Performance Computing (EPC)
Usage:
singularity [global options...]
Description:
Singularity containers provide an application virtualization layer enabling
mobility of compute via both application and environment portability. With
Singularity one is capable of building a root file system that runs on any
other Linux system where Singularity is installed.
Options:
-c, --config string specify a configuration file (for root or
unprivileged installation only) (default
"/etc/singularity/singularity.conf")
-d, --debug print debugging information (highest verbosity)
-h, --help help for singularity
--nocolor print without color output (default False)
-q, --quiet suppress normal output
-s, --silent only print errors
-v, --verbose print additional information
--version version for singularity
Available Commands:
build Build a Singularity image
cache Manage the local cache
capability Manage Linux capabilities for users and groups
config Manage various singularity configuration (root user only)
delete Deletes requested image from the library
exec Run a command within a container
help Help about any command
inspect Show metadata for an image
instance Manage containers running as services
key Manage OpenPGP keys
oci Manage OCI containers
plugin Manage Singularity plugins
pull Pull an image from a URI
push Upload image to the provided URI
remote Manage singularity remote endpoints, keyservers and OCI/Docker registry credentials
run Run the user-defined default command within a container
run-help Show the user-defined help for an image
search Search a Container Library for images
shell Run a shell within a container
sif siftool is a program for Singularity Image Format (SIF) file manipulation
sign Attach digital signature(s) to an image
test Run the user-defined tests within a container
verify Verify cryptographic signatures attached to an image
version Show the version for Singularity
Examples:
$ singularity help <command> [<subcommand>]
$ singularity help build
$ singularity help instance start
For additional help or support, please visit https://www.sylabs.io/docs/
The default installation generates a set of configuration files under /etc/singularity. If you compile and install manually in unprivileged mode, a different path can be configured (this matters a lot, and you will certainly need it when installing and using containers from an account without root privileges).
[dechin-manjaro sgcontainer]# ll /etc/singularity/
總用量 40
-rw-r--r-- 1 root root 0 3月 11 13:45 capability.json
drwxr-xr-x 2 root root 4096 4月 4 21:48 cgroups
-rw-r--r-- 1 root root 1095 3月 11 13:45 ecl.toml
-rw-r--r-- 1 root root 0 3月 11 13:45 global-pgp-public
drwxr-xr-x 2 root root 4096 4月 4 21:48 network
-rw-r--r-- 1 root root 1344 3月 11 13:45 nvliblist.conf
-rw-r--r-- 1 root root 107 3月 11 13:45 remote.yaml
-rw-r--r-- 1 root root 927 3月 11 13:45 rocmliblist.conf
drwxr-xr-x 2 root root 4096 4月 4 21:48 seccomp-profiles
-rw-r--r-- 1 root root 10642 3月 11 13:45 singularity.conf
Pulling an ubuntu image from Docker Hub
First, we can prefix the pull path with the docker:// identifier so that the corresponding image is downloaded from Docker Hub. Support for Docker images is one of Singularity's major advantages:
[dechin@dechin-manjaro singularity]$ singularity build --sandbox ubuntu docker://ubuntu
WARNING: 'nodev' mount option set on /tmp, it could be a source of failure during build process
INFO: Starting build...
Getting image source signatures
Copying blob a70d879fa598 done
Copying blob c4394a92d1f8 done
Copying blob 10e6159c56c0 done
Copying config 10bdc2317d done
Writing manifest to image destination
Storing signatures
2021/04/19 16:30:28 info unpack layer: sha256:a70d879fa5984474288d52009479054b8bb2993de2a1859f43b5480600cecb24
2021/04/19 16:30:29 info unpack layer: sha256:c4394a92d1f8760cf7d17fee0bcee732c94c5b858dd8d19c7ff02beecf3b4e83
2021/04/19 16:30:29 info unpack layer: sha256:10e6159c56c084c858f5de2416454ac0a49ddda47b764e4379c5d5a147c9bf5f
INFO: Creating sandbox directory...
INFO: Build complete: ubuntu
When using build mode in this way, a directory with the name we just gave is created under the current path; it contains all the files the system virtualization needs:
[dechin@dechin-manjaro singularity]$ ll
總用量 4
drwxr-xr-x 18 dechin dechin 4096 4月 19 16:30 ubuntu
We can launch the directory just generated directly from this path and use it as a system image:
[dechin@dechin-manjaro singularity]$ singularity shell -w ubuntu
WARNING: Skipping mount /etc/localtime [binds]: /etc/localtime doesn't exist in container
Singularity> cp -a /etc/apt/sources.list /etc/apt/sources.list.bak
Singularity> sed -i "s@http://.*archive.ubuntu.com@http://repo.huaweicloud.com@g" /etc/apt/sources.list
Singularity> sed -i "s@http://.*security.ubuntu.com@http://repo.huaweicloud.com@g" /etc/apt/sources.list
Singularity> apt-get update
Get:1 http://repo.huaweicloud.com/ubuntu focal InRelease [265 kB]
Get:2 http://repo.huaweicloud.com/ubuntu focal-updates InRelease [114 kB]
Get:3 http://repo.huaweicloud.com/ubuntu focal-backports InRelease [101 kB]
Get:4 http://repo.huaweicloud.com/ubuntu focal-security InRelease [109 kB]
Get:5 http://repo.huaweicloud.com/ubuntu focal/restricted amd64 Packages [33.4 kB]
Get:6 http://repo.huaweicloud.com/ubuntu focal/universe amd64 Packages [11.3 MB]
Get:7 http://repo.huaweicloud.com/ubuntu focal/multiverse amd64 Packages [177 kB]
Get:8 http://repo.huaweicloud.com/ubuntu focal/main amd64 Packages [1275 kB]
Get:9 http://repo.huaweicloud.com/ubuntu focal-updates/restricted amd64 Packages [271 kB]
Get:10 http://repo.huaweicloud.com/ubuntu focal-updates/multiverse amd64 Packages [29.6 kB]
Get:11 http://repo.huaweicloud.com/ubuntu focal-updates/universe amd64 Packages [950 kB]
Get:13 http://repo.huaweicloud.com/ubuntu focal-backports/universe amd64 Packages [4305 B]
Get:14 http://repo.huaweicloud.com/ubuntu focal-security/main amd64 Packages [773 kB]
Get:15 http://repo.huaweicloud.com/ubuntu focal-security/universe amd64 Packages [683 kB]
Get:16 http://repo.huaweicloud.com/ubuntu focal-security/restricted amd64 Packages [239 kB]
Get:17 http://repo.huaweicloud.com/ubuntu focal-security/multiverse amd64 Packages [21.6 kB]
Fetched 3260 kB in 2s (1626 kB/s)
Reading package lists... Done
The -w flag is added so that the configuration and content modified in this file sandbox are kept, because the more formal way of using it is to package the file sandbox into a sif image file afterwards, so this step is still preparation for building a locally customized image. Once we are in the container's shell, we can check the current system version:
Singularity> cat /etc/issue
Ubuntu 20.04.2 LTS \n \l
We find that the pull fetched the latest Ubuntu 20.04 from the library by default.
Pulling a centos image from Docker Hub
In the same way, we can pull a centos image from Docker Hub:
[dechin@dechin-manjaro singularity]$ singularity build --sandbox centos76 docker://centos:7.6.1810
WARNING: 'nodev' mount option set on /tmp, it could be a source of failure during build process
INFO: Starting build...
Getting image source signatures
Copying blob ac9208207ada done
Copying config 5f85193732 done
Writing manifest to image destination
Storing signatures
2021/04/19 17:24:49 info unpack layer: sha256:ac9208207adaac3a48e54a4dc6b49c69e78c3072d2b3add7efdabf814db2133b
2021/04/19 17:24:50 warn rootless{usr/bin/ping} ignoring (usually) harmless EPERM on setxattr "security.capability"
2021/04/19 17:24:51 warn rootless{usr/sbin/arping} ignoring (usually) harmless EPERM on setxattr "security.capability"
2021/04/19 17:24:51 warn rootless{usr/sbin/clockdiff} ignoring (usually) harmless EPERM on setxattr "security.capability"
WARNING: Permission handling has changed in Singularity 3.5 for improved OCI compatibility
WARNING: The sandbox will contain files/dirs that cannot be removed until permissions are modified
WARNING: Use 'chmod -R u+rwX' to set permissions that allow removal
WARNING: Use the '--fix-perms' option to 'singularity build' to modify permissions at build time
WARNING: You can provide feedback about this change at https://github.com/sylabs/singularity/issues/4671
INFO: Creating sandbox directory...
INFO: Build complete: centos76
Likewise, a system directory is generated under the current path:
[dechin@dechin-manjaro singularity]$ ll
總用量 8
drwxr-xr-x 17 dechin dechin 4096 4月 19 17:24 centos76
drwxr-xr-x 18 dechin dechin 4096 4月 19 16:30 ubuntu
We can also enter the sandbox to check the system version:
[dechin@dechin-manjaro singularity]$ singularity shell -w centos76
Singularity> cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
Packaging the image file
Taking the ubuntu image as an example: after pulling the ubuntu image as a sandbox and finishing the configuration changes, we can run the following command to package it into an image file:
$ sudo singularity build ubuntu.sif ubuntu/
[sudo] dechin 的密碼:
INFO: Starting build...
INFO: Creating SIF file...
INFO: Build complete: ubuntu.sif
Once packaged, the container is no longer launched by directory name but by image name:
$ singularity shell ubuntu.sif
Singularity> cat /etc/issue
Ubuntu 20.04.2 LTS \n \l
Singularity> exit
exit
In this way we have conveniently produced a portable Ubuntu system.
Fetching the MindSpore Docker image
As mentioned at the start, Singularity is compatible with Docker container images. We happen to be testing the GPU version of Huawei's MindSpore framework recently, and the latest official MindSpore image, version 1.2.0, is available on Docker Hub, so we can create a local sif image file directly from the remote repository with the singularity pull command (this differs from the sandbox-based build above: the process is simpler, but modification is more troublesome):
[dechin@dechin-manjaro ~]$ singularity pull docker://mindspore/mindspore-gpu:1.2.0
INFO: Converting OCI blobs to SIF format
WARNING: 'nodev' mount option set on /tmp, it could be a source of failure during build process
INFO: Starting build...
Getting image source signatures
Copying blob 48c41c211021 done
Copying config c3868774fb done
Writing manifest to image destination
Storing signatures
2021/05/29 10:20:52 info unpack layer: sha256:5353957e2ca61685e6024b440372c34e3b9e1d27ab564a9c8330e9ab8350894a
2021/05/29 10:21:33 warn xattr{/tmp/build-temp-665547475/rootfs/etc/gshadow} destination filesystem does not support xattrs, further warnings will be suppressed
2021/05/29 10:21:42 info unpack layer: sha256:bc3e02707e81c51c3b6cede72d41fdaaa153bc3bf4cb6c2ef053376d47f473aa
INFO: Creating SIF file...
After waiting a while the command completes, and a sif file can be seen under the current path:
[dechin@dechin-manjaro ~]$ ll | grep mindspore
-rwxr-xr-x 1 dechin dechin 2382344192 5月 29 10:23 mindspore-gpu_1.2.0.sif
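Both routes above end with an image file that is later run as-is: the sandbox route (swap the apt mirror, refresh the package lists, then sudo singularity build into a SIF) and the singularity pull route just shown. The script below is an added example, not code from the original post or from the Singularity project. It writes the sandbox edits into a Singularity definition file so the image can be rebuilt reproducibly instead of by hand, builds or pulls the SIF, and records its SHA-256 next to the file so the image can be checked before each use; a replaced or corrupted SIF is then refused rather than executed. The mirror URL and file names are placeholders taken from the post, the base is pinned to ubuntu:20.04 rather than the floating ubuntu tag the post used, and singularity may be absent, in which case the build and pull functions only report that while the digest helpers still work.

```shell
#!/bin/sh
# sif-pin.sh (added example, not from the original post or the Singularity
# project): reproduce the sandbox customisation as a definition file, build or
# pull the SIF, and pin the resulting file by SHA-256 so it is checked before use.

# sha256_of FILE: print the hex digest (coreutils or BSD tool, whichever exists).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# write_def OUT MIRROR: definition file equivalent to the manual sandbox steps
# in the post (mirror swap in %post, version check in %test). MIRROR is a placeholder.
write_def() {
    cat > "$1" <<EOF
Bootstrap: docker
From: ubuntu:20.04

%post
    set -e
    cp -a /etc/apt/sources.list /etc/apt/sources.list.bak
    sed -i "s@http://.*archive.ubuntu.com@$2@g" /etc/apt/sources.list
    sed -i "s@http://.*security.ubuntu.com@$2@g" /etc/apt/sources.list
    apt-get update

%test
    cat /etc/issue
EOF
}

# build_sif DEF OUT: build as in the post (root via sudo). --fakeroot is the
# non-root alternative once /etc/subuid is set up for the user.
build_sif() {
    command -v singularity >/dev/null 2>&1 || { echo "singularity not installed" >&2; return 2; }
    sudo singularity build "$2" "$1"
}

# pull_sif URI OUT: pull a Docker image into a SIF (singularity pull [output] <URI>).
pull_sif() {
    command -v singularity >/dev/null 2>&1 || { echo "singularity not installed" >&2; return 2; }
    singularity pull "$2" "$1"
}

# record_digest SIF: store the digest next to the image as SIF.sha256.
record_digest() {
    sha256_of "$1" > "$1.sha256"
}

# check_digest SIF EXPECTED: succeed only if the file still hashes to EXPECTED.
check_digest() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# verify_sif SIF [signed]: compare against the recorded digest; with "signed",
# also check the PGP signature embedded by `singularity sign` (fails on unsigned images).
verify_sif() {
    [ -r "$1.sha256" ] || { echo "no recorded digest for $1" >&2; return 1; }
    check_digest "$1" "$(cat "$1.sha256")" || { echo "digest mismatch: $1" >&2; return 1; }
    if [ "${2:-}" = signed ]; then
        singularity verify "$1"
    fi
}

# Entry point: build | pull | verify FILE [signed]. Nothing runs without an argument.
case "${1:-}" in
    build)  write_def ubuntu.def "http://repo.huaweicloud.com" &&
            build_sif ubuntu.def ubuntu.sif && record_digest ubuntu.sif ;;
    pull)   pull_sif docker://mindspore/mindspore-gpu:1.2.0 mindspore-gpu_1.2.0.sif &&
            record_digest mindspore-gpu_1.2.0.sif ;;
    verify) verify_sif "$2" "${3:-}" && echo "ok: $2 matches its recorded digest" ;;
esac
```

sh sif-pin.sh build or sh sif-pin.sh pull produces the image plus its .sha256 file; sh sif-pin.sh verify ubuntu.sif is the check to run before singularity shell or exec on an image that was built or pulled earlier, and adding signed makes it also require a valid signature from singularity sign, which the help output above lists next to verify.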
Modifying the sif image file
Suppose we are a non-root user without sudo privileges; then we can only modify the contents of the sif image file via --writable-tmpfs. For example, here we try to install the numba Python library in the sif file:
dechin@ubuntu2004:~/projects/numba-gpu$ singularity shell --nv --writable-tmpfs /home/dechin/tools/singularity/mindspore-gpu_1.2.0.sif
Singularity> python -m pip show numba
Singularity>
The command above has an extra --nv field, which enables CUDA support and is used in GPU scenarios. pip show does not list the numba library at the moment, so we run the install command directly in the container's shell (the --user option is required, otherwise the install fails):
Singularity> python -m pip install numba --user
Collecting numba
Requirement already satisfied: setuptools in /usr/local/python-3.7.5/lib/python3.7/site-packages (from numba) (41.2.0)
Collecting llvmlite<0.37,>=0.36.0rc1 (from numba)
Using cached https://files.pythonhosted.org/packages/54/25/2b4015e2b0c3be2efa6870cf2cf2bd969dd0e5f937476fc13c102209df32/llvmlite-0.36.0-cp37-cp37m-manylinux2010_x86_64.whl
Requirement already satisfied: numpy>=1.15 in /usr/local/python-3.7.5/lib/python3.7/site-packages (from numba) (1.20.2)
Installing collected packages: llvmlite, numba
Successfully installed llvmlite-0.36.0 numba-0.53.1
We have not yet exited the current shell, and numba is now installed, so we can test it with a numba GPU example:
# test-numba-gpu.py
from numba import cuda

def cpu_print(N):
    # plain Python loop on the CPU, for comparison
    for i in range(0, N):
        print(i)

@cuda.jit
def gpu_print(N):
    # each CUDA thread computes its global index and prints it if it is in range
    idx = cuda.threadIdx.x + cuda.blockIdx.x * cuda.blockDim.x
    if (idx < N):
        print(idx)

def main():
    print("gpu print:")
    gpu_print[2, 4](8)   # 2 blocks x 4 threads = 8 threads, one per index
    cuda.synchronize()   # wait for the kernel so its output precedes the CPU loop
    print("cpu print:")
    cpu_print(8)

if __name__ == "__main__":
    main()
The output is as follows:
Singularity> python test-numba-gpu.py
gpu print:
0
1
2
3
4
5
6
7
cpu print:
0
1
2
3
4
5
6
7
Singularity> exit
exit
Now we exit the sif shell and launch it again (this time without the writable flag):
dechin@ubuntu2004:~/projects/numba-gpu$ singularity shell --nv /home/dechin/tools/singularity/mindspore-gpu_1.2.0.sif
Singularity> python -m pip show numba
Name: numba
Version: 0.53.1
Summary: compiling Python code using LLVM
Home-page: https://numba.pydata.org
Author: Anaconda, Inc.
Author-email: [email protected]
License: BSD
Location: /home/dechin/.local/lib/python3.7/site-packages
Requires: llvmlite, setuptools, numpy
Required-by:
Singularity> exit
exit
We can now see the newly installed numba library in the sif image file, which shows that the earlier modification was saved.
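The pip show output above reports Location: /home/dechin/.local/lib/python3.7/site-packages. That path is inside the user's home directory, which Singularity bind-mounts from the host by default (the mount home setting in singularity.conf, the file listed under /etc/singularity earlier), so the --user install landed on the host file system and is visible again on the next run without --writable-tmpfs. --writable-tmpfs itself only backs the container with a temporary in-memory overlay that is discarded when the shell exits; the SIF file is never written to. The script below is an added example, not from the original post or the Singularity project, that reads pip show output and reports whether a package location persists on the host or lives on the discarded overlay. It assumes the default bind list (the user's home, /tmp and /var/tmp); the sample pip show text is constructed from the post's output.

```shell
#!/bin/sh
# where-did-it-land.sh (added example, not from the original post or the
# Singularity project): classify a path seen inside a container started with
# --writable-tmpfs as persisting on the host or as lost when the shell exits.
# Assumption: the default singularity.conf binds the user's home, /tmp and
# /var/tmp from the host; everything else is the read-only SIF plus a tmpfs overlay.

# where_path PATH HOME: print "host" for a path under a host bind mount,
# "overlay" otherwise (writes there disappear at exit; the SIF is untouched).
where_path() {
    [ -n "$2" ] || { echo "HOME required" >&2; return 1; }
    case "$1" in
        "$2"|"$2"/*|/tmp|/tmp/*|/var/tmp|/var/tmp/*) echo host ;;
        *) echo overlay ;;
    esac
}

# pip_location: extract the Location: value from `pip show` output on stdin
# (prints nothing when the package is not installed, as in the post's first attempt).
pip_location() {
    sed -n 's/^Location: *//p'
}

# classify_pip_show HOME: read `pip show` output on stdin and print where the
# package lives; prints "not-installed" and returns 1 if there is no Location line.
classify_pip_show() {
    loc=$(pip_location)
    [ -n "$loc" ] || { echo not-installed; return 1; }
    where_path "$loc" "$1"
}

# Constructed sample (shape taken from the post's `pip show numba` output).
SAMPLE_PIP_SHOW='Name: numba
Version: 0.53.1
Location: /home/dechin/.local/lib/python3.7/site-packages
Requires: llvmlite, setuptools, numpy'

# demo: classify the sample (host) and a system-wide site-packages path (overlay).
demo() {
    printf '%s\n' "$SAMPLE_PIP_SHOW" | classify_pip_show /home/dechin
    printf 'Location: /usr/local/python-3.7.5/lib/python3.7/site-packages\n' |
        classify_pip_show /home/dechin
}

# Inside the container: python -m pip show numba | sh where-did-it-land.sh "$HOME"
if [ $# -gt 0 ] && [ ! -t 0 ]; then
    classify_pip_show "$1"
fi
```

A package that the classifier reports as overlay (for example one installed without --user into the image's own site-packages) is gone after exit; to make such a change part of the image itself, rebuild the SIF from a sandbox or definition file as in the packaging section above.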
Summary
This article mainly covers installing Singularity containers on the Manjaro platform, together with some common usage scenarios: pulling a sandbox to build a container image, building a container image from a remote source, and modifying a container image. Overall, Singularity is a very friendly container solution for non-root users. I have not actually benchmarked its speed, but in some scenarios it appears to perform somewhat better than Docker. The container also supports installation and use without root, although on RH-based systems some default settings still have to be changed with root privileges before a non-root account can use Singularity containers; the most typical is that the value in /proc/sys/user/max_user_namespaces must be set to non-zero, otherwise usage will error out.
Copyright notice
Originally published at: https://www.cnblogs.com/dechinphy/p/sg.html
Author ID: DechinPhy
More original articles: https://www.cnblogs.com/dechinphy/
Tip link: https://www.cnblogs.com/dechinphy/gallery/image/379634.html
Tencent Cloud column mirror: https://cloud.tencent.com/developer/column/91958