Repository

The repository https://gitlab.eufus.psnc.pl/containerization/imas/imas-installer contains instructions on how to build the container yourself using a script. The instructions below go into more depth, in case you wish to build a more customized IMAS container.

Introduction

  • This document describes how to build a Docker image with IMAS environment
  • The build is divided into several steps, each in a separate executable file with a sequential naming convention: 01-base, 02-ual, 03-kepler, 04-fc2k, 05-gui, 06-intel-mpi-mkl and 07-save
  • Steps 2, 3 and 4 require access to a private SSH key to query git://git.iter.org
  • The result of step 4 is a usable image with IMAS, Kepler and FC2K
  • Step 5 is optional; it adds, on top of Step 4, the GUI libraries and configurations needed to work with the container via VNC (remote desktop)
  • Step 6 is optional; it adds Intel libraries
  • Step 7 exports the results of steps 4 and 5 into image archives (these can be transferred and loaded by the Docker daemon or the uDocker executable)

Limitations

  • The IMAS environment is compiled in the container, so it uses only publicly available resources (plus source code from git://git.iter.org)
  • This means that ifort, pgf90, nagfor or matlab are unavailable and these settings are used:
    • IMAS_IFORT=no
    • IMAS_G95=no
    • IMAS_NAGFOR=no
    • IMAS_PGI=no
    • IMAS_MATLAB=no
    • IMAS_MEX=no
  • These restrictions result from the requirements of the image building environment, namely:
    • (1) either there is a Docker engine running as root
    • (2) or there are user namespaces available
  • Running the Docker engine as root is not an option in a multi-user environment such as the EUROfusion Gateway or the ITER cluster
  • User namespaces are a feature of Linux kernel 3.8+ that allows isolating a process in a sandbox in which it can impersonate the root user (however, the whole sandbox runs as a normal user, so nothing in the sandbox can truly escalate privileges)
  • Currently, we have neither (1) nor (2) on the EUROfusion Gateway and the ITER cluster. The image is built elsewhere and cannot make full use of available resources.
  • If user namespaces were configured on at least one machine with an IP address in the pool of those enabled to use the Intel license, then we would be able to build a full IMAS image

Buildah

  • The building procedure is based on buildah
  • It is a standard-compliant tool which allows building container images

...

  • You can build the image rootless when these requirements are met:
    • A kernel with support for User Namespaces (CONFIG_USER_NS) must be present

    • The sysctl setting kernel.unprivileged_userns_clone = 1 must be present

    • Create /etc/subuid and /etc/subgid with the following content (replace LOGIN with the login of a user who is allowed to build containers)

      LOGIN:100000:65536
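
The three requirements above can be checked before starting a build. The preflight script below is an added example, not part of the imas-container repository; the function names, the /boot/config-$(uname -r) location of the kernel config and the 65536 minimum range size (taken from the entry shown above) are assumptions.

```shell
#!/bin/sh
# Added example: preflight for the rootless-build requirements listed above.
# Function names and the file-path parameters are hypothetical.

# kernel_has_userns CONFIG_FILE: true if the kernel config enables CONFIG_USER_NS.
kernel_has_userns() {
    [ -r "$1" ] && grep -q '^CONFIG_USER_NS=y$' "$1"
}

# userns_clone_status SYSCTL_FILE: 0 if the value is 1, 1 if it is anything
# else, 2 if the file is absent (this kernel does not expose the setting).
userns_clone_status() {
    [ -r "$1" ] || return 2
    [ "$(cat "$1")" = 1 ]
}

# has_subid_range FILE LOGIN [MIN]: true if FILE has a LOGIN:START:COUNT line
# with numeric fields and COUNT >= MIN (default 65536, the size used above).
has_subid_range() {
    [ -r "$1" ] || return 1
    awk -F: -v u="$2" -v min="${3:-65536}" '
        NF == 3 && $1 == u && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $3 + 0 >= min + 0 { ok = 1 }
        END { exit !ok }' "$1"
}

# preflight LOGIN: run every check against the live system and print failures.
preflight() {
    rc=0; st=0
    kernel_has_userns "/boot/config-$(uname -r)" ||
        { echo "FAIL: CONFIG_USER_NS=y not found in /boot/config-$(uname -r)"; rc=1; }
    userns_clone_status /proc/sys/kernel/unprivileged_userns_clone || st=$?
    [ "$st" -eq 1 ] && { echo "FAIL: kernel.unprivileged_userns_clone is not 1"; rc=1; }
    [ "$st" -eq 2 ] && echo "NOTE: kernel.unprivileged_userns_clone is not present on this kernel"
    for f in /etc/subuid /etc/subgid; do
        has_subid_range "$f" "$1" || { echo "FAIL: no usable range for $1 in $f"; rc=1; }
    done
    return "$rc"
}

# Runs only when a login is given, e.g.: sh preflight.sh "$(id -un)"
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

A malformed line (non-numeric start or count) or a range smaller than the minimum is treated the same as a missing entry.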
      

Building procedure

Repository

  • The building procedure is available in a version-controlled repository:

    git clone ssh://git@git.iter.org/imex/imas-container.git
    

...

  • All parameters are placed in the config file
  • By default, almost all of the parameters' values are blank, which means that the image builder will determine the latest released tag (for each component separately) and use it automatically
  • If you want to enforce a specific tag or branch, please edit the config file accordingly

...