Containerized apps

Doing things that previously took 1 computer using 0.75 computers

These are rapidly evolving standards. Check the timestamps on any advice.

A lighter, hipper alternative to virtual machines, which, AFAICT, attempts to make provisioning services more like installing an app than building a machine, because it aims to containerise apps rather than OSes, which emphasis leads to less dicking around, but somehow even more webinars.

Related to sandboxing, (and indeed they can even conflict because they use the same technologies) but different emphasis. Here the emphasis is more commonly upon you building some quick light-weight reproducible copy of a certain machine which you will send out into the world to do some thing, and it’s usually a server. Sandboxing is usually for apps, and usually on the desktop.

The most common hosts for containers are, or were, AFAICT, Linux-ish, but I believe there are also Windows/macOS solutions.

Docker

The most common way of doing this. It is simple structurally but is riven with confusing analogies, inconsistent terminology and poor explanation that make it seem weirder.

Fortunately we have Julia Evans who explains at least the filesystem, overlayfs by example. See also the docker cheat sheet.

Installation

  • Linux hosts: installing docker is easy.
  • macOS has a confusing profusion of toolchain bits and pieces they can try to install to get the experience, all of which try to install various distinct versions of each other, and give little information about which is the recommended way of doing what.

    Choose one:

    • Homebrew install.

    • Docker for mac worked for me. I think it is the same as Docker Community Edition for Mac?

    • kitematic provides a GUI for the containers themselves, as opposed to the infrastructure.

    • docker toolbox bundles some docker infrastructure plus kitematic. It attempts to run docker properly, but seems to fail in weird ways in the default setup, giving, e.g. permission errors and such. If you install Docker for Mac then install this, you get Kitematic but it can’t see your docker images, because of something boring that I can’t be bothered understanding.

  • Docker for Windows. (i.e. runs Windows clients. On windows? IDK.)
  • GPU-happy docker management

Kubernetes

Kubernetes is a large scale docker autmation system. I don’t need kubernetes since I am not in a tea with 500 engineers.

Secrets

Handling passwords is fiddly – see secrets.

Opaque timeout error

Do you get the following error?

Error response from daemon: Get https://registry-1.docker.io/v2/:
net/http: request canceled while waiting for connection
(Client.Timeout exceeded while awaiting headers)

According to thaJeztah, the solution is to use google DNS for Docker (or presumably some other non-awful DNS). You can set this by providing a JSON configuration in the preference panel (under daemon -> advanced), e.g.

{ "dns": [ "8.8.8.8", "8.8.4.4" ]}

Docker for reproducible research

Docker may not be the ultimate tool for reproducible research but it is a start. And it is convenient - see Keunwoo Choi’s guide for researchers by example. (🏗 fact-check the linked article.)

…How do you get your data in?

Tiffany Timbers gives a brisk run-through for academics.

Jon Zelner goes in-depth with R in a series culminating in continuous integration for science.

Reproducible research tuts has a docker (plus also VM-backed) tutorial.

Singularity

Singularity promises potentially useful container infrastructure.

Singularity provides a single universal on-ramp from the laptop, to HPC, to cloud.

USERS OF SINGULARITY CAN BUILD APPLICATIONS ON THEIR DESKTOPS AND RUN HUNDREDS OR THOUSANDS OF INSTANCES—WITHOUT CHANGE—ON ANY PUBLIC CLOUD.

Features include:

  • Support for data-intensive workloads—The elegance of Singularity’s architecture bridges the gap between HPC and AI, deep learning/machine learning, and predictive analytics.
  • A secure, single-file-based container format—Cryptographic signatures ensure trusted, reproducible, and validated software environments during runtime and at rest.
  • Extreme mobility—Use standard file and object copy tools to transport, share, or distribute a Singularity container. Any endpoint with Singularity installed can run the container.
  • Compatibility—Designed to support complex architectures and workflows, Singularity is easily adaptable to almost any environment.
  • Simplicity—If you can use Linux®, you can use Singularity.
  • Security—Singularity blocks privilege escalation inside containers by using an immutable single-file container format that can be cryptographically signed and verified.
  • User groups—Join the knowledgeable communities via GitHub, Google Groups, or in the Slack community channel.
  • Enterprise-grade features—Leverage SingularityPRO’s Container Library, Remote Builder, and expanded ecosystem of resources.

Released in 2016, Singularity is an open source-based container platform designed for scientific and high-performance computing (HPC) environments. Used by more than 25,000 top academic, government, and enterprise users, Singularity is installed on more than 3 million cores and trusted to run over a million jobs each day.

In addition to enabling greater control over the IT environment, Singularity also supports Bring Your Own Environment (BYOE)—where entire Singularity environments can be transported between computational resources (e.g., users’ PCs) with reproducibility.

GUIs

GUI comparison

  • kitematic, already mentioned, is languishing but works. Windows, macOS.
  • portainer is a docker GUI that runs on docker, and therefore everywhere.

LXC

LXC is another containerization standard. Because docker is a de facto default, let’s look at this in terms of docker.