ncar / inception
Inception is a lightweight container runtime primarily targeting HPC environments.
License: BSD 3-Clause "New" or "Revised" License
Inception is a lightweight "container" runtime primarily targeting HPC environments.

It provides:
- a daemonless way to launch user processes inside a mount namespace, presenting an arbitrary view of the filesystem (and a C API for doing the same)

It does not provide:
- containment

Why is this useful?
In many environments containment is provided by a batch scheduler or some other external service and network isolation doesn't make sense. The only piece of a container runtime that is really missing is the piece that remaps the filesystem (think fancy chroot). This allows users to run a (sanitized) container image without requiring the rest of the usual container infrastructure which may be complex and/or have dubious security properties.

Dependencies:
- Jansson JSON parser (http://www.digip.org/jansson/)
- A recent Linux kernel and libc supporting mount namespaces (tested on 2.6.32 and newer)
- CMake build system (https://cmake.org/)

Security note:
It is essential to sanitize your container images before allowing unprivileged users to use them. Inception makes no effort to remap uid 0, so it is essential that you either enforce that your environment contains trusted passwd/sudoers/etc or remove all setuid binaries or use only nosuid filesystems.

ToDo/Coming soon [contributions welcome]:
- Automatic Import from other container systems
- Automatic image sanitization tool
- Configuration file improvements

Who?:
Inception was initially developed at the National Center for Atmospheric Research in support of the Yellowstone and Cheyenne supercomputers. https://ncar.ucar.edu/

Install: (Quick Procedure)

    git clone https://github.com/NCAR/Inception.git inception
    cd inception
    mkdir build
    cd build
    export PKG_CONFIG_PATH=$PATH_TO_JANSSON/lib/pkgconfig/:$PKG_CONFIG_PATH
    cmake -DCMAKE_INSTALL_PREFIX:PATH=/usr/local/inception/$VER/ -DINCEPTION_CONFIG_PATH=/usr/local/inception/$VER/etc/inception.json ..
    make && make install
    chmod 6755 /usr/local/inception/$VER/bin/inception
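The security note above asks for images with no setuid binaries or for nosuid filesystems. The following is an added example, not part of Inception, that checks an image for both conditions; it assumes the image is an unpacked directory tree and that the mount options listed for its filesystem are the ones in effect where the image is used. All function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of Inception. Audits an unpacked image tree for two
# conditions named in the security note: setuid/setgid files and nosuid mounts.

# Print regular files under ROOT that carry the setuid or setgid bit.
# -xdev stays on ROOT's filesystem, so nested mounts must be audited separately.
list_privileged_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Clear setuid/setgid on every such file (run as the image owner or root).
strip_privileged_bits() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec chmod u-s,g-s {} +
}

# Print the mount options of the filesystem holding DIR, taking the longest
# matching mount point in MOUNTS (default /proc/self/mounts). A later entry
# with the same mount point wins, since it is mounted on top.
# Limitation: mount points with escaped characters (\040 for a space) are
# compared as written in the mounts file.
mount_options_for() {
    target=$(cd "$1" && pwd -P) || return 1
    awk -v t="$target" '
        $2 == "/" || t == $2 || index(t, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { print opts }' "${2:-/proc/self/mounts}"
}

# Succeed when ROOT has no setuid/setgid files, or sits on a nosuid mount.
# Trust in the image's passwd/sudoers is a separate review not covered here.
image_passes_suid_check() {
    if [ -z "$(list_privileged_files "$1")" ]; then
        return 0
    fi
    case ",$(mount_options_for "$1" "$2")," in
        *,nosuid,*) return 0 ;;
    esac
    return 1
}
```

Run `list_privileged_files /path/to/image` to review what would be changed before calling `strip_privileged_bits` on the same path.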
Are you open to use yaml (see example at http://www.yaml.org/start.html) or markdown for the config file, instead of json? If so which one do you prefer? I think yaml is more appropriate, but I'm open to both.
I think json is too verbose to be nice in a config file.
Set instead of a blank environment if the user doesn't ask for something else
Due to the lack of an intermediate representation (pre-chroot filesystem), stacking mounts doesn't work due to the check_path() check. check_path() operates on the host path, whereas the intermediate mount is in the image's tree (inside the namespace).
For example:
from: /tmp
to:/picnic,
from:/picnic
to:/picnic
(assuming /picnic doesn't exist outside the namespace).
This could be solved by presenting the admin with an option to disable the sanity checks. Otherwise, we need to pass the in-image path to check_path() only when we are stacking mounts.
This is really only necessary if we assume that the image can't/shouldn't be prepared in advance.
I've started an inception=login session on regular queue on Cheyenne, and I need to do some ssh localhost as follows:
csgteam@r9i2n34:~> ls -l /usr/lib64/python2.7/curses/__init__.pyc
-rw-r--r-- 1 root root 1553 Oct 29 2015 /usr/lib64/python2.7/curses/__init__.pyc
csgteam@r9i2n34:~> ssh localhost
csgteam@r9i2n34:~> ls -l /usr/lib64/python2.7/curses/
ls: cannot access /usr/lib64/python2.7/curses/: No such file or directory
csgteam@r9i2n34:~> exit
As you can see, the ssh localhost breaks something in inception and now I'm out of the container (at least disk-wise, I have not tested if I'm totally out of it).
This makes it much clunkier to use the kind of installs which I perform, which always require an ssh to localhost as a way to "clean" the environment.
Is there any documentation for using this? I tried the usual place:
inception --help
-c [image_name]
-x #copy environment
and there doesn't seem to be much in the repository after install. I'd like to get a glimpse at how this works before launching on my computer :) Thank you!
Looking at the source code I can't see it, however it would be nice to have it. I remember there was an image for doing X-with-foo, but I don't recall if it was called X-with-foo or x_with_foo or XwithFoo or FooX or whatever.