Singularity: software carpentry


Singularity is a container platform. Singularity is particularly well-suited to running on distributed, High Performance Computing (HPC) infrastructure, as well as a Linux laptop or desktop.

Problems with Docker

System administrators will not, generally, install Docker on shared computing platforms such as lab desktops, research clusters or HPC platforms because the design of Docker presents potential security issues for shared platforms with multiple users. Singularity, on the other hand, can be run by end-users entirely within “user space”, that is, no special administrative privileges need to be assigned to a user in order for them to run and interact with containers on a platform where Singularity has been installed.

[s.1915438@sl2 ~]$ module avail singularity
singularity        singularity/2.6.1  singularity/3.3.0  singularity/3.6.3  singularity/3.8.5
[s.1915438@sl2 ~]$ module avail singularity/3.8.5
[s.1915438@sl2 ~]$ singularity --version
singularity version 3.8.5

Images and containers

  • Image: a template virtual environment.

  • Container: a virtual environment that is based on an image. It may be possible to start multiple container instances from an image.

Pulling an image

command: singularity pull

[s.1915438@sl2 test]$ singularity pull hello-world.sif shub://vsoch/hello-world
INFO:    Downloading shub image
59.8MiB / 59.8MiB [==============================================================================] 100 % 12.2 MiB/s 0s
[s.1915438@sl2 test]$ ls
hello-world.sif
[s.1915438@sl2 test]$

We pulled this image from the Singularity Hub Archive.

Running an image

command: singularity run

[s.1915438@sl2 test]$ singularity run hello-world.sif
RaawwWWWWWRRRR!! Avocado!

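We just ran the default script of the Singularity image. We can inspect the image’s run script using singularity inspect -r. For an image pulled from a public source, it is worth doing this before running it, since singularity run executes whatever script the image author set.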

[s.1915438@sl2 test]$ singularity inspect -r hello-world.sif
#!/bin/sh

exec /bin/bash /rawr.sh

Singularity’s image cache

Unlike Docker, Singularity stores a copy of pulled images in a cache on the local disk. If we delete an image and pull it again, and the version is the same, it is pulled from the local cache. However, this feature is only available in newer versions of Singularity (~3.5).

[s.1915438@sl2 test]$ singularity cache list
There are 1 container file(s) using 59.75 MiB and 0 oci blob file(s) using 0.00 KiB of space
Total space used: 59.75 MiB
[s.1915438@sl2 test]$ singularity cache list -v
NAME                     DATE CREATED           SIZE             TYPE
3bac21df631874e3cbb3f0   2022-06-27 10:17:55    59.75 MiB        shub

There are 1 container file(s) using 59.75 MiB and 0 oci blob file(s) using 0.00 KiB of space
Total space used: 59.75 MiB

The image cache can be cleaned using singularity cache clean. By default the cache is stored at $HOME/.singularity/cache.

[s.1915438@sl2 test]$ ls $HOME/.singularity/cache
library  net  oci-tmp  oras  shub

Running a specific command with a Singularity container

command: singularity exec

This command overrides the commands in the default script.

Example 1:

[s.1915438@sl2 test]$ singularity exec hello-world.sif /bin/bash /rawr.sh
RaawwWWWWWRRRR!! Avocado!

Example 2:

[s.1915438@sl2 test]$ singularity exec hello-world.sif /bin/echo Hello World
Hello World

Example 3:

[s.1915438@sl2 test]$ singularity exec hello-world.sif /bin/date
Mon Jun 27 10:22:29 BST 2022

Example 4:

[s.1915438@sl2 test]$ singularity exec hello-world.sif ls /
apps  bin  boot  dev  environment  etc  home  lib  lib64  media  mnt  opt  proc  rawr.sh  root  run  sbin  scratch  singularity  srv  sys  tmp  usr  var

Example 5:

[s.1915438@sl2 test]$ singularity exec hello-world.sif /rawr.sh
RaawwWWWWWRRRR!! Avocado!

Singularity container: interactive shell

command: singularity shell

[s.1915438@sl2 test]$ singularity shell hello-world.sif
Singularity> ls
hello-world.sif
Singularity> whoami
s.1915438
Singularity> pwd
/scratch/s.1915438/Singularity/examples/test
Singularity> uname -n
sl2
Singularity> ls /
apps  bin  boot  dev  environment  etc  home  lib  lib64  media  mnt  opt  proc  rawr.sh  root  run  sbin  scratch  singularity  srv  sys  tmp  usr  var
Singularity> exit
[s.1915438@sl2 test]$

This interactive shell is very different from Docker’s interactive shell. Here we can’t access the container as a separate virtualised environment/OS. In Docker’s interactive shell we are the superuser. In Singularity we can only access the files that the current user can access. So, if we type ls we see the vsoch-hello-world-master-latest.simg. ls / gives us the rawr.sh in the root directory. As always, use exit or Ctrl + D to exit the shell.

Similarly, when we type whoami we get the current username on the host system. Singularity takes the user data from /etc/passwd and /etc/group.

For more detail, see: https://www.intel.com/content/dam/www/public/us/en/documents/presentation/hpc-containers-singularity-advanced.pdf

So, we can’t run commands from within the Singularity container that are denied on the host system. Thus we don’t need superuser permission.
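
The identity behaviour described above can be checked rather than assumed. The following is an added example, not part of the original notes: it compares one line of `id` output from the host with one from inside a container and reports whether the user stayed the same or became root. The function names `id_pair` and `compare_identity`, the script name and the numeric ids in the sample lines are assumptions made for illustration, and the live check assumes the image provides an `id` binary.

```shell
#!/bin/sh
# Added example (not from the original page): compare `id` output captured on
# the host with `id` output captured inside a container.

# Constructed sample lines; the numeric ids and group names are made up.
SAMPLE_HOST='uid=51234(s.1915438) gid=51234(s.1915438) groups=51234(s.1915438),600(hpcusers)'
SAMPLE_SINGULARITY="$SAMPLE_HOST"                     # same user inside
SAMPLE_ROOT='uid=0(root) gid=0(root) groups=0(root)'  # root inside

# Print "UID GID" parsed from one line of `id` output (empty if unparseable).
id_pair() {
    printf '%s\n' "$1" |
        sed -n 's/^uid=\([0-9][0-9]*\).* gid=\([0-9][0-9]*\).*/\1 \2/p'
}

# compare_identity HOST_ID_LINE CONTAINER_ID_LINE
# Prints a verdict; returns 0 only when uid and gid are unchanged.
compare_identity() {
    ci_host=$(id_pair "$1")
    ci_ctr=$(id_pair "$2")
    if [ -z "$ci_host" ] || [ -z "$ci_ctr" ]; then
        echo "unparseable"; return 2
    fi
    # Unprivileged on the host but uid 0 inside: the case admins worry about.
    if [ "${ci_ctr%% *}" = "0" ] && [ "${ci_host%% *}" != "0" ]; then
        echo "root-in-container"; return 1
    fi
    if [ "$ci_host" = "$ci_ctr" ]; then
        echo "same-user"; return 0
    fi
    echo "identity-differs"; return 1
}

# Live check, only when singularity is installed and an image path is given:
#   sh check_identity.sh hello-world.sif
if command -v singularity >/dev/null 2>&1 && [ -f "${1:-}" ]; then
    compare_identity "$(id)" "$(singularity exec "$1" id)"
fi
```

A non-zero exit status from the live check means the identity inside the container did not match the host user, which is worth raising with the platform administrators.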