Presentation is loading. Please wait.

Presentation is loading. Please wait.

Docker with HTCondor at FNAL

Published byDwayne Henderson Modified over 6 years ago

Similar presentations

Presentation on theme: "Docker with HTCondor at FNAL"— Presentation transcript:

1 Docker with HTCondor at FNAL
Anthony Tiradani HTCondor Week 2018 May 2018

2 Fermi National Accelerator Lab
Located in Batavia, IL (~45 miles/~60 km west of Chicago) Home of Scientific Linux Support 30+ experiments and projects, largest experiment (CMS) ~3000 users, largest project (DUNE) ~1000 users, both international Host the US Tier-1 facility for the CMS collaboration Computing Scale 3 HTCondor clusters totaling ~45k cores ~100PB Tape storage ~58PB Disk 11/8/2018 Anthony Tiradani | HTCondor Week 2018

3 Cluster Diagram 11/8/2018 Anthony Tiradani | HTCondor Week 2018

4 Why Docker? Job Isolation OS portability
Remove linkage between worker node and job requirements Allow experiments to pick supported OS’s Environment management and reproducibility Enable custom cgroup policies (without having to manage a “menu” of permutations) Enable custom environments 11/8/2018 Anthony Tiradani | HTCondor Week 2018

5 Docker with HTCondor A very basic setup of HTCondor with Docker is as follows: On the worker node set the following knob to the Docker executable on the machine: On the schedd side, a vanilla universe job has to add the following two classAds to the job submission file: # Setting the path to docker binary DOCKER = /usr/bin/docker This is essentially the bare minimum setup for HTCondor with Docker. We are assuming defaults on the worker node side for other Docker knobs (like volumes and image cache etc). Instead of using vanilla universe, you can use Docker universe directly as well. Combination of these knobs forces HTCondor to run the job inside the Docker container provided by the job in its classAd. # To indicate that the job wants to run in Docker +WantDocker = True # To indicate the container image it wants to run +DockerImage = “scientificlinux/sl:7” 11/8/2018 Anthony Tiradani | HTCondor Week 2018

6 Requirements and constraints at FNAL
List of constraints and requirements we had when we decided to migrate to Docker: The migration to Docker has to be transparent to the users We should be able to enforce container environments from the worker node side OS Environments variables Images Capabilities Networking, etc. Before we started our migration to Docker, these were some of the constraints and requirements we had in mind 11/8/2018 Anthony Tiradani | HTCondor Week 2018

7 Docker with HTCondor To determine which startds are Docker capable (remember, we have pilots from OSG joining the pool), we add the following knob to the schedd config: We use the job machine attributes feature of HTCondor to fetch the classAd FERMIHTC_DOCKER_CAPABLE into the job classAds. This was necessary to make sure we do not try to invoke Docker on pilots requested at other grid sites NOTE: JOBS control Docker functions in HTCondor (currently) # To fetch FERMIHTC_DOCKER_CAPABLE attribute from the # STARTD into the job SYSTEM_JOB_MACHINE_ATTRS = $(SYSTEM_JOB_MACHINE_ATTRS) \ FERMIHTC_DOCKER_CAPABLE This explains how we decide whether condor should try to run the job inside docker 11/8/2018 Anthony Tiradani | HTCondor Week 2018

8 Docker with HTCondor Fetching FERMIHTC_DOCKER_CAPABLE from the startd results in job classAd ‘MachineAttrFERMIHTC_DOCKER_CAPABLE0’ for the most recent match the job had. We use this classAd to then determine the value of ‘WantDocker’ by using job transforms: # The transform policy to set relevant Docker classAds JOB_TRANSFORM_NAMES = FERMI_HTC_Docker JOB_TRANSFORM_FERMI_HTC_Docker = \ [ \ set_WantDocker = \ isUndefined(MachineAttrFERMIHTC_DOCKER_CAPABLE0) \ ? FALSE \ : MachineAttrFERMIHTC_DOCKER_CAPABLE0; \ set_DockerImage = "gpgrid-sl7:production"; \ ] This explains how our transform transparently changes the job into a docker capable job without the user having to modify their submission scripts 11/8/2018 Anthony Tiradani | HTCondor Week 2018

9 Docker with HTCondor So to summarize;
A vanilla job is transparently converted into a “Docker” job using the schedd transforms when a user submits it ‘WantDocker’ is set as an expression that relies on the startd to tell the job if it supports Docker We explicitly set FERMIHTC_DOCKER_CAPABLE to False for pilots to prevent the use of Docker offsite The image of our choice is appended to the job classAds when the transform is applied Using the transform allows us to select multiple images based on, for example, the OS. An ifthenelse() block can be added to achieve this 11/8/2018 Anthony Tiradani | HTCondor Week 2018

10 Docker with HTCondor As an extra measure, job submit requirements are added to the schedds to prevent users from overwriting the image in their job submission files: Docker classAd attributes are also marked as ‘PROTECTED’ to prevent condor_qedits: # Preventing jobs from specifying their own docker images SUBMIT_REQUIREMENT_NAMES = CustomDocker SUBMIT_REQUIREMENT_CustomDocker = \ (DockerImage=?="gpgrid-sl7:production") SUBMIT_REQUIREMENT_CustomDocker_REASON = \ "Custom Docker images are not supported. Please unset DockerImage classAd" Extra measures to make sure that the users cannot modify things, all thanks to super neat HTCondor features! # Preventing anyone from editing the jobs for docker # classAds PROTECTED_JOB_ATTRS = WantDocker DockerImage 11/8/2018 Anthony Tiradani | HTCondor Week 2018

11 Docker with HTCondor On the worker nodes, FERMIHTC_DOCKER_CAPABLE is added to indicate whether HTCondor should attempt to run the job inside Docker (as discussed on the previous slides): Next, we set ‘DOCKER’ in the configuration file such it doesn’t point to a docker binary, but to our custom wrapper script: # Set the attribute to 'True' if the worker is intended to # run jobs inside Docker. Otherwise, 'False'. # The attribute is fetched by the job when claim is # activated to determine whether to set 'WantDocker' to # true or false FERMIHTC_DOCKER_CAPABLE = True STARTD_ATTRS = $(STARTD_ATTRS) FERMIHTC_DOCKER_CAPABLE # The default path is commented out to run Docker from # a wrapper script. This allows us to make custom changes # to the container if/when needed DOCKER = /usr/local/libexec/condor-docker 11/8/2018 Anthony Tiradani | HTCondor Week 2018

12 (*) The arguments are truncated for sanity
Docker with HTCondor The idea is to intercept the default arguments passed by HTCondor to Docker and make the necessary changes by appending Docker CLI flags to these arguments. For example*: (*) The arguments are truncated for sanity Apr 23 11:26:29 wnitb020 condor-docker: [condor-docker]: INFO - Received condor arguments:/usr/local/libexec/condor-docker create --cpu-shares=100 --memory=512m --hostname fkhan wnitb020.fnal.gov --name HTCJob8347_4_slot1_2_PID2231 -e BATCH_SYSTEM=HTCondor -e EXPERIMENT=mu2e -e GRID_USER=fkhan --volume /cvmfs:/cvmfs:ro,slave gpgrid-sl7:production ./condor_exec.exe Apr 23 11:26:29 wnitb020 condor-docker: [condor-docker]: INFO - Script executed command:/usr/bin/docker create --cpu-shares=100 --name HTCJob8347_4_slot1_2_PID hostname fkhan wnitb020.fnal.gov --volume /cvmfs:/cvmfs:ro,slave --env BATCH_SYSTEM=HTCondor --env EXPERIMENT=mu2e --env GRID_USER=fkhan --memory 512m --memory-swap 512m --env FIFE_GLIDEIN_ToDie=$((`date +%s` )) --env UPS_OVERRIDE="-H Linux64bit " --cap-add=DAC_OVERRIDE --cap-add=SETUID --cap-add=SETGID --cap-add=SYS_ADMIN --cap-add=SYS_CHROOT --cap-add=SYS_PTRACE --network host gpgrid-sl7:production ./condor_exec.exe Red and blue are changes for comparison, green are additions RED was necessary to disable swap inside the containers BLUE was necessary for glexec to be able to talk to GUMS (it didn’t like the dots in the hostname) GREEN are additions due to one reason or the other. Not necessary to explain? Shown here just for to show how the arguments are modified 11/8/2018 Anthony Tiradani | HTCondor Week 2018

13 Docker with HTCondor Using the HTCondor python bindings, we were able to avoid hardcoding values inside the python wrapper and instead created a few auxiliary parameters to dictate the behavior of the container on the worker node. For example, # List of trusted Docker images # Full name format: (<registry>/<user>/<repository>:<tag>) # Privileged capabilities will only be passed to trusted # images. This can be a space or comma separated list FERMIHTC_DOCKER_TRUSTED_IMAGES = \ 'gpgrid-sl7:production', 'centos:7' This has been helpful for operations where instead of updating wrappers, you update the configuration file as you’d normally do and get the intended behavior 11/8/2018 Anthony Tiradani | HTCondor Week 2018

14 Docker with HTCondor Similarly, another example of an auxiliary knob:
# Comma or space separated list of capabilities to be # enabled inside the containers listed under # FERMIHTC_DOCKER_TRUSTED_IMAGES # List of all kernel capabilities can be seen here: # # If undefined, no capabilities are added to the # containers FERMIHTC_DOCKER_CAPABILITIES = DAC_OVERRIDE, SETUID, \ SETGID, SYS_ADMIN, \ SYS_CHROOT, SYS_PTRACE 11/8/2018 Anthony Tiradani | HTCondor Week 2018

15 Docker with HTCondor A simple snippet from inside the wrapper to read FERMIHTC_DOCKER_CAPABILITIES knob: def getDockerCapabilities(): """ To fetch docker capabilities defined in the HTCondor configuration files and to append --cap-add to the capabilities to pass it to docker # Fetching the capabilities from HTCondor configuration file condorDockerCaps = htcondor.param.get("FERMIHTC_DOCKER_CAPABILITIES") # Converting the fetched string into a list # and appending '--cap-add=' try: finalDockerCaps = ["--cap-add="+val for val in re.findall(r'[\w]+’, condorDockerCaps)] except TypeError: syslog.syslog('[condor-docker]: WARNING – ' \ 'FERMIHTC_DOCKER_CAPABILITIES is not defined in HTCondor’ \ 'configuration. Not adding any capabilities to the container.') finalDockerCaps = [’’] return finalDockerCaps 11/8/2018 Anthony Tiradani | HTCondor Week 2018

16 Docker with HTCondor Some of the use cases we have so far been able to address by using a wrapper are as follows: We disabled swap for the containers. The default value per container adds up to be more than we have on our workers We were able to implement a ‘docker pull’ before ‘docker run’ to always try and run the newest available image. By default, docker only runs the latest from the local cache We were able to pass various privileged kernel capabilities to our containers in order to run experiment Singularity images We were able to set custom environment variables to facilitate FIFE experiments We were able to tweak network configuration of the containers to address performance and security concerns These are SOME, not ALL 11/8/2018 Anthony Tiradani | HTCondor Week 2018

17 Conclusions and future work
It is our understanding that the HTCondor team would like to minimize the use of wrapper scripts. We are working with condor developers on getting some of these features into HTCondor itself that might benefit others Would be nice if HTCondor exposed a way to modify/remove/add CLI flags or arguments DOCKER_EXT_ARGS, maybe? Much of what we do is slightly convoluted because the features are job driven whereas we’d like to maintain administrative control. Would be nice to have features that allow administrative control natively. 11/8/2018 Anthony Tiradani | HTCondor Week 2018

18 Acknowledgements University of Nebraska-Lincoln (UNL) invests heavily in Docker and containerization solutions for their users and compute clusters. Thanks to Brian Bockelman and Nebraska site admins for their help in getting us started with Docker! Thanks to the HTCondor team for implementing Docker support and continuing support for our use cases. 11/8/2018 Anthony Tiradani | HTCondor Week 2018

Download ppt "Docker with HTCondor at FNAL"

Similar presentations

Jaime Frey Computer Sciences Department University of Wisconsin-Madison OGF 19 Condor Software Forum Routing.

Jaime Frey Computer Sciences Department University of Wisconsin-Madison OGF 19 Condor Software Forum Routing.
Building a secure Condor ® pool in an open academic environment Bruce Beckles University of Cambridge Computing Service.

Building a secure Condor ® pool in an open academic environment Bruce Beckles University of Cambridge Computing Service.
HTCondor and the European Grid Andrew Lahiff STFC Rutherford Appleton Laboratory European HTCondor Site Admins Meeting 2014.

HTCondor and the European Grid Andrew Lahiff STFC Rutherford Appleton Laboratory European HTCondor Site Admins Meeting 2014.
Dan Bradley Computer Sciences Department University of Wisconsin-Madison Schedd On The Side.

Dan Bradley Computer Sciences Department University of Wisconsin-Madison Schedd On The Side.
Efficiently Sharing Common Data HTCondor Week 2015 Zach Miller Center for High Throughput Computing Department of Computer Sciences.

Efficiently Sharing Common Data HTCondor Week 2015 Zach Miller Center for High Throughput Computing Department of Computer Sciences.
First steps implementing a High Throughput workload management system Massimo Sgaravatto INFN Padova

First steps implementing a High Throughput workload management system Massimo Sgaravatto INFN Padova
CVMFS: Software Access Anywhere Dan Bradley Any data, Any time, Anywhere Project.

CVMFS: Software Access Anywhere Dan Bradley Any data, Any time, Anywhere Project.
Jaeyoung Yoon Computer Sciences Department University of Wisconsin-Madison Virtual Machines in Condor.

Jaeyoung Yoon Computer Sciences Department University of Wisconsin-Madison Virtual Machines in Condor.
Condor Project Computer Sciences Department University of Wisconsin-Madison Virtual Machines in Condor.

Condor Project Computer Sciences Department University of Wisconsin-Madison Virtual Machines in Condor.
Jaime Frey Computer Sciences Department University of Wisconsin-Madison Virtual Machines in Condor.

Jaime Frey Computer Sciences Department University of Wisconsin-Madison Virtual Machines in Condor.
Distributed Systems Early Examples. Projects NOW – a Network Of Workstations University of California, Berkely Terminated about 1997 after demonstrating.

Distributed Systems Early Examples. Projects NOW – a Network Of Workstations University of California, Berkely Terminated about 1997 after demonstrating.
1 Integrating GPUs into Condor Timothy Blattner Marquette University Milwaukee, WI April 22, 2009.

1 Integrating GPUs into Condor Timothy Blattner Marquette University Milwaukee, WI April 22, 2009.
Chapter 6 Operating System Support. This chapter describes how middleware is supported by the operating system facilities at the nodes of a distributed.

Chapter 6 Operating System Support. This chapter describes how middleware is supported by the operating system facilities at the nodes of a distributed.
Campus Grids Report OSG Area Coordinator’s Meeting Dec 15, 2010 Dan Fraser (Derek Weitzel, Brian Bockelman)

Campus Grids Report OSG Area Coordinator’s Meeting Dec 15, 2010 Dan Fraser (Derek Weitzel, Brian Bockelman)
Distribution After Release Tool Natalia Ratnikova.

Distribution After Release Tool Natalia Ratnikova.
Chapter 10 Chapter 10: Managing the Distributed File System, Disk Quotas, and Software Installation.

Chapter 10 Chapter 10: Managing the Distributed File System, Disk Quotas, and Software Installation.
Legion - A Grid OS. Object Model Everything is object Core objects - processing resource– host object - stable storage - vault object - definition of.

Legion - A Grid OS. Object Model Everything is object Core objects - processing resource– host object - stable storage - vault object - definition of.
Derek Wright Computer Sciences Department University of Wisconsin-Madison New Ways to Fetch Work The new hook infrastructure in Condor.

Derek Wright Computer Sciences Department University of Wisconsin-Madison New Ways to Fetch Work The new hook infrastructure in Condor.
Pilot Factory using Schedd Glidein Barnett Chiu BNL 10.04.07.

Pilot Factory using Schedd Glidein Barnett Chiu BNL
National Energy Research Scientific Computing Center (NERSC) CHOS - CHROOT OS Shane Canon NERSC Center Division, LBNL SC 2004 November 2004.

National Energy Research Scientific Computing Center (NERSC) CHOS - CHROOT OS Shane Canon NERSC Center Division, LBNL SC 2004 November 2004.

Similar presentations

Ads by Google