containers
Mobyle supports containerization of jobs.
The container is defined in the service description:
'containers': [{'type': 'docker',
'id': 'image identifier of Docker image',
'url': 'Docker url to pull image'}]
Example:
'containers': [{'type': 'docker',
'id': 'ae0c2d0bdc10',
'url': 'docker-sample.genouest.org/centos7'}]
The job directory is mounted at the same location in the image. The job command is executed as root in the image, with the workdir set to the job directory.
A job container is limited in RAM and CPU as specified in the job routing. Containerization is not specific to local execution; it works on any system.
Requirements:
Docker must be installed on the nodes where jobs will be executed.
Non-root access:
Docker needs specific privileges to run. Two solutions:
- The Mobyle user must be a sudoer on docker with a "no password" grant.
- Give access to a specific group.
The docker daemon always runs as the root user, and since Docker version 0.5.2, the docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root, and so, by default, you can access it with sudo.
Starting in version 0.5.3, if you (or your Docker installer) create a Unix group called docker and add users to it, then the docker daemon will make the ownership of the Unix socket read/writable by the docker group when the daemon starts. The docker daemon must always run as the root user, but if you run the docker client as a user in the docker group then you don't need to add sudo to all the client commands. As of 0.9.0, you can specify that a group other than docker should own the Unix socket with the -G option.
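The job launch described above (same-path mount, workdir, RAM/CPU limits) and the two ways of reaching the daemon (sudo or group), as an added example that is not Mobyle's own code. The helper `docker_argv`, its parameters, the jobs root `/data/jobs`, running the image by its `id` and wrapping the command in `/bin/sh -c` are all assumptions made for illustration.

```python
import os

# Constructed sample: the page's example container definition.
SERVICE = {'containers': [{'type': 'docker',
                           'id': 'ae0c2d0bdc10',
                           'url': 'docker-sample.genouest.org/centos7'}]}


def docker_argv(service, jobs_root, job_dir, command, mem_mb, cpus,
                use_sudo=False):
    """Return the argv that runs `command` in the service's Docker image.

    Hypothetical helper: every parameter name here is an assumption.
    """
    container = next((c for c in service.get('containers', [])
                      if c.get('type') == 'docker' and c.get('id')), None)
    if container is None:
        raise ValueError('service defines no usable docker container')

    # The command runs as root with job_dir bind-mounted read-write, so only
    # accept a directory strictly below jobs_root ('..' is collapsed first).
    jobs_root = os.path.normpath(jobs_root)
    job_dir = os.path.normpath(job_dir)
    if not (os.path.isabs(jobs_root) and os.path.isabs(job_dir)):
        raise ValueError('paths must be absolute')
    if job_dir == jobs_root or os.path.commonpath([jobs_root, job_dir]) != jobs_root:
        raise ValueError('job directory is outside the jobs root')
    if ':' in job_dir:  # ':' separates the fields of a -v argument
        raise ValueError('job directory must not contain ":"')
    if mem_mb <= 0 or cpus <= 0:
        raise ValueError('RAM and CPU limits must be positive')

    # sudo -n fails instead of prompting, matching a "no password" grant;
    # without sudo the caller must be in the group owning the Docker socket.
    argv = ['sudo', '-n'] if use_sudo else []
    argv += ['docker', 'run', '--rm',
             '-v', '%s:%s' % (job_dir, job_dir),  # same location in the image
             '-w', job_dir,                       # workdir = job directory
             '--memory', '%dm' % mem_mb,
             '--cpus', str(cpus),
             container['id'],
             '/bin/sh', '-c', command]
    return argv


if __name__ == '__main__':
    print(docker_argv(SERVICE, '/data/jobs', '/data/jobs/42', 'ls -l', 512, 1))
```

With either the sudo grant or group access to the socket, the account can start containers that run as root with host paths mounted, so the check on the mounted directory is the part that limits what a job can touch on the node.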