Singularity - HPC-AI Advisory ... $ singularity verify container.sif Data integrity checked,...

Click here to load reader

  • date post

    10-Jun-2020
  • Category

    Documents

  • view

    6
  • download

    0

Embed Size (px)

Transcript of Singularity - HPC-AI Advisory ... $ singularity verify container.sif Data integrity checked,...

  • Singularity Container Workflows for Compute.

    Gregory M. Kurtzer CEO, Sylabs Inc.

    @gmkurtzer

    http://www.sylabs.io @SylabsIO @SingularityApp

  • Gregory M. Kurtzer

    CEO and Founder, Sylabs Inc.

    Previously spent ~20 years at LBNL/DOE as the HPC Systems Architect.

    I’m also known for founding various open source projects like Warewulf, CentOS Linux, and most recently Singularity!

    INTRODUCTIONS…

  • Host 2Host 1

    APPLICATION CONTAINERIZATION 101

    CPU Memory Devices

    Kernel

    Applications, Libraries, Services

    CPU Memory Devices

    Kernel

    Apps, libs, servicesContainer

    SCP, HTTP, FTP, Archive

    An environment can be built on one host, encapsulated, and packaged up into a container image.

    The container image can be copied to another host, and applications can be executed directly as if they are running native.

    You can additionally isolate or integrate the container environment on the host as the need necessitates.

  • Singularity is differentiated by two primary categories:

    • Container Format: Sylabs created an image format to encapsulate OCI and Docker based containers, which is single file based, cryptographically signed, trusted, and immutable.

    • Runtime Engine: Standardizing on existing POSIX security practices, Singularity improves performance, integration, ease of use and reduces attack surfaces while enabling HPC and the growing need for compute based orchestration.

    DESIGNED FOR SECURITY, MOBILITY, AND PERFORMANCE

    Runtime Engine

    Environment Format

  • SINGULARITY IMAGE FORMAT (SIF)

    ”Building a container can be done in only 52 lines of code!” – Liz Rice, Container Camp 2016

    SIF is a unique, single file, container encapsulation

    format!

    SIF is to containers what RPM and DEB is to source code!

    Immutable Runtime Container Image

    Global Header

    Recipe Definition

    Labels

    Environment

    Writable Overlay

    Signature Block

    C R

    Y P

    TO G

    R A

    P H

    IC A

    LL Y

    S IG

    N E

    D

    Descriptors

  • SIF encapsulates OCI and Docker containers into a single file adding benefits such as:

    • Guaranteed immutable and reproducible

    • Easy to move, share, archive, etc..

    • POSIX compatible

    • Encapsulates the entire application and environment stack

    • Cryptographic signatures and validation

    • No layers or dependencies

    • No tarballs, SIF is the runtime format

    • Encryption (with in-kernel description) coming soon

    A NEW DELIVERY PARADIGM FOR SOFTWARE

    Singularity Container TRUST

    sh a2

    56 :9

    4e d

    0. .

    sh a2

    56 :9

    40 61

    ..

    sh a2

    56 :a

    a7 4a

    ...

    sh a2 56 :b ec ac …

    Host Operating System

    Presentation Layer

    Root Owned Container Daemon

    Network Registry

  • SIF PERFORMANCE

    Objectives:

    1.Measure scaling of python startup

    and import speed with increasing

    numbers of concurrent python

    interpreters

    2.Compare scaling of a standard

    python installation with an identical

    containerized installation

    Note: Underlying file system is NFS, max

    jobs was 5120 over 320 nodes, graph is

    logarithmic on both axis.

    DR. WOLFGANG RESCH

    HTTPS://GITHUB.COM/WRESCH/PYTHON_IMPORT_PROBLEM

    Invocation performance over shared storage

    https://github.com/wresch/python_import_problem

  • Singularity provides absolute trust and accountability

    Execution of containers can be limited to only valid keys, and/or key fingerprints

    If a malicious user is found, keys are revoked from the Sylabs KeyStore, limiting exposure

    ABSOLUTE TRUST OF ALL WORKLOADS

    $ singularity pull container.sif library://user/container $ singularity verify container.sif Data integrity checked, authentic and signed by:

    Gregory Kurtzer [email protected], KeyID F4EIAL82E…

    $ singularity sign container.sif $ singularity push container.sif library://user/container

  • EXTREME MOBILITY OF COMPUTE – BYOE

    Absolute mobility from laptop, to

    HPC, cloud all and the way out to

    the edge.

    • Changing the packaging and mobility paradigm for

    application and data

    • Disrupts the barriers of portability and bridges the

    gaps between all available resources

    • From private resources, to public clouds and all the

    way out to edge and IoT Local Compute

    IoT Edge

    NVIDIA DGX

  • Designed for the complicated integration needs of compute

    • Container Runtime: • Works on all supported Linux Distributions (runtimes and kernels)

    • Designed for massive efficiency and performance

    • Additional support for alignment between user and kernel space

    • Container Image: • Designed for absolute mobility, user freedom, and reproducibility

    • Highly performant on shared and parallel file system deployments

    • Can be easily shared, archived, and controls compliant; containers are just data

    • Environment: • Optimized for application workflows like MPI and schedulers

    • Allows direct access to GPUs, InfiniBand, FPGAs, file systems, data, etc.

    COMPATIBLE AND INTEGRATION AWARE

  • Data is shared between container and host as fluently as if contained applications were running natively on the host.

    NATIVE HOST INTEGRATION

    $ singularity exec ubuntu.sif pwd

    $ singularity exec ubuntu.sif python ./python_script_in_pwd.py

    $ cat python_script_in_pwd.py | singularity exec docker://python:latest python

  • Singularity integrates with all batch resource managers, with zero modifications, by calling the Singularity command directly within the

    batch script

    BATCH SUPPORT

    #!/bin/sh

    #SBATCH --N 32

    mpirun singularity exec ~/ubuntu.sif mpi_program.exe

  • With a PMIx supporting launcher, you can run a fully contained MPI process directly from a compatible resource manager

    MPI AND SLURM

    $ srun -n 32 singularity exec ubuntu.sif mpi_program.exe

  • When a container includes a GPU enabled application and libraries, Singularity (with the “--nv” option) can properly inject the required Nvidia

    GPU driver libraries into the container, to match the host’s kernel

    GPU / CUDA SUPPORT

    $ singularity exec --nv ubuntu.sif gpu_program.exe

    $ singularity run --nv docker://tensorflow/tensorflow:gpu_latest

  • MVAPICH2 APPLICATION PERFORMANCE

    Benchmarks published by MVAPICH team at Ohio State University http://mvapich.cse.ohio-state.edu/performance/singularity-application/

  • IMB NETWORK PERFORMANCE

    Benchmarks published by SDSC at UCSD https://dl.acm.org/citation.cfm?doid=3093338.3106737

    IMB SendRecv Run using Singularity and Non-Singularity IMB PingPong Run using Singularity and Non-Singularity

    Content published here with explicit permission from the authors

  • OSU NETWORK LATENCY

    Benchmarks published by SDSC at UCSD https://dl.acm.org/citation.cfm?doid=3093338.3106737

    Content published here with explicit permission from the authors

  • LS-DYNA PERFORMANCE

    Benchmarks published by the Dell EMC HPC Innovation Lab http://en.community.dell.com/techcenter/high-performance-computing/b/general_hpc/archive/2018/02/19/performance-of-ls-dyna-on-singularity-containers

    “The performance difference while running LS-DYNA within Singularity containers remains within 2%, which is within the run-to-run variability of the application itself..”

  • Designed for the security needs of compute

    • Container Engine: • Singularity has no root owned daemon processes

    • Implements privilege separation over an API to a secure thread

    • DoD: Singularity is the only allowed container system

    • Audited and certified by EU lab for use on the European Compute Grid

    • NSF grant for 3rd party security assessment (in progress, going well!)

    • Container: • Singularity containers are immutable

    • Cryptographically signed and verifiable

    • Public keys can be managed over standard HKP protocol (or Sylabs key services)

    • Environment Requirements: • Containers are run as the calling user

    • Blocks all privilege escalation from within the container

    SECURITY FOCUSED

  • You are always yourself within a Singularity context, and Singularity will block escalation attempts within the container

    Even if you know the root password, even if you have sudo installed, even if you implement a SUID hack, Singularity will prevent privilege

    escalation

    SECURITY BLOCKS

    $ singularity exec centos.sif whoami

    $ singularity exec centos.sif sudo su -

    $ singularity exec centos.sif /proc/$$/root/bin/su

  • • System administrators, always in 100% control

    • Supports User Namespace (when kernel supports it)

    • Linux Capabilities (per user or group ACLs)

    • Directly integrates