Apptainer

Introduction

Apptainer is free software for containerizing applications.

Availability

Apptainer is available across all our systems.

Usage

Using containers on our systems amounts to loading the software and starting the image. For example, to run a Jupyter container with Julia:

module load apptainer
apptainer exec --bind=/work,/projects,`pwd`:/opt/julia/logs \
    /projects/arcsingularity/AMD/ood-jupyter-datascience_tcamd_1Dec2020.sif julia

The above commands load the apptainer software using our module system, then starts Julia within the container. To make data from our main storage locations available within the container, we use the --bind command. Additionally, Julia wants to write logs to /opt/julia/logs/. Since the container is not writable, we need to bind a mountable location to that container location as given by pwd:/opt/julia/logs. This makes the current location available IN the container as /opt/julia/logs/ and allows Julia to create a log file.

Container runtimes are not available on login nodes

If you try to use a container on a login node, you will get an error about namespaces similar to this one:

INFO   : A system administrator may need to enable user namespaces, install
INFO   :   apptainer-suid, or compile with ./mconfig --with-suid
ERROR  : Failed to create user namespace: maximum number of user namespaces exceeded, check /proc/sys/user/max_user_namespaces

The apptainer runtime will fail when attempting to use it on a cluster login node (e.g. owl1.arc.vt.edu or tinkercliffs2.arc.vt.edu) because user namespaces are disabled on login nodes. Some security controls are set more strictly on login nodes than on cluster compute nodes because the login nodes have greater exposure to security threats and are generally not an appropriate place to run computational workloads.

The solution is to use an interactive job to get dedicates resources and an interactive shell on a compute node and interact with the container there. For example:

[brownm12@owl3 ~]$ interact --account=arcadm --time=1:00:00 --cpus-per-task=4 --partition=normal_q
 --- Warning:
     Your session consumes resources (CPUs, memory, and GPUs) while it remains open.
     Close your session whenever you finish your work.
     Other users cannot use the resources allocated to your job until you close your session.
     Consider the use of batch jobs to optimize resources allocation.
srun: job 155192 queued and waiting for resources
srun: job 155192 has been allocated resources
[brownm12@owl030 ~]$ module load apptainer
[brownm12@owl030 ~]$ apptainer shell /common/containers/vllm-openai-0.10.2.sif
Apptainer>

Container building workflow

Because Apptainer can build from DockerHub and the public help via Google searches is vastly greater when creating Docker images, our general recommendation is to take advantage of this.

Our workflow is to:

  1. Create a docker image

  2. Push docker image to dockerhub

  3. apptainer build image.sif docker://<docker user>/image:tag