Introduction to Docker and Singularity

Introduction to Docker
8 Topics
Background about Docker
Docker components
Docker vocabulary
Container Setup explained
Basics of the Docker images
What is Containerization?
Advantages of Docker
Typical use cases
Using existing images
13 Topics
Explore Docker hub
Exercise on getting images
Get tools from Biocontainers
List docker images
Starting an image with docker run
Run container as daemon
Check containers status via docker ps
Clean up the containers and the images
Execute a process in running container
Summary
Volumes
Excercise with volumes
Ports
Docker recipes: build your own images
12 Topics
Building the recipes for images
More advanced image building
Building cache
Tagging the images
Starting the build
More instructions for the recipes
One tool, one image or some tools, one image
General recommendations
Dockerfile tips
Getting an image to Docker Hub
Inspecting Dockerfiles created by other parties
Using Biocontainers and Bioconda for bioinformatics tools
Introduction to Singularity
6 Topics
Background about Singularity
Strengths and Weaknesses
Singularity Architecture
Getting started
Singularity’s Image Cache
Using existing Singularity images
Run and execute Singularity images
6 Topics
Using the Singularity containers to run commands
Files in Singularity containers
Binding local folders (aka volumes)
Using Docker images with Singularity
Run from sandbox container or remotely
Troubleshooting options
Building Singularity images
4 Topics
Building Singularity images
Change the image via sandbox
Using singularity recipes
Remotely building
Previous Topic
Next Topic

Files in Singularity containers

Introduction to Docker and Singularity Run and execute Singularity images Files in Singularity containers

The way in which user accounts and access permissions are handeld in Singularity containers is very different from that in Docker (where you effectively always have superuser/root access). When running a Singularity container, you only have the same permissions to access files as the user you are running as on the host system.

In this section, we’ll look at working with files in the context of Singularity containers and how this links with Singularity’s approach to users and permissions within containers.

Users within a Singularity container

The first thing to note is that when you ran whoami within the container shell you started at the end of the previous episode, you should have seen the username that you were signed in as on the host system when you ran the container.

For example, if my username were jc1000, I’d expect to see the following:

$ singularity shell hello-world.sif
Singularity> whoami
jc1000

But hang on! I downloaded the standard, public version of the hello-world.sif image from Singularity Hub. I haven’t customised it in any way. How is it configured with my own user details?!

If you have any familiarity with Linux system administration, you may be aware that in Linux, users and their Unix groups are configured in the /etc/passwd and /etc/group files respectively. In order for the shell within the container to know of my user, the relevant user information needs to be available within these files within the container.

Assuming this feature is enabled within the installation of Singularity on your system, when the container is started, Singularity appends the relevant user and group lines from the host system to the /etc/passwd and /etc/group files within the container [1].

This means that the host system can effectively ensure that you cannot access/modify/delete any data you should not be able to on the host system and you cannot run anything that you would not have permission to run on the host system since you are restricted to the same user permissions within the container as you are on the host system.

Files and directories within a Singularity container

Singularity also binds some directories from the host system where you are running the singularity command into the container that you’re starting. Note that this bind process is not copying files into the running container, it is making an existing directory on the host system visible and accessible within the container environment. If you write files to this directory within the running container, when the container shuts down, those changes will persist in the relevant location on the host system.

There is a default configuration of which files and directories are bound into the container but ultimate control of how things are set up on the system where you are running Singularity is determined by the system administrator. As a result, this section provides an overview but you may find that things are a little different on the system that you’re running on.

One directory that is likely to be accessible within a container that you start is your home directory. You may also find that the directory from which you issued the singularity command (the current working directory) is also mapped.

The mapping of file content and directories from a host system into a Singularity container is illustrated in the example below showing a subset of the directories on the host Linux system and in a Singularity container:

Host system:                                                      Singularity container:
-------------                                                     ----------------------
/                                                                 /
β”œβ”€β”€ bin                                                           β”œβ”€β”€ bin
β”œβ”€β”€ etc                                                           β”œβ”€β”€ etc
β”‚   β”œβ”€β”€ ...                                                       β”‚   β”œβ”€β”€ ...
β”‚   β”œβ”€β”€ group  ─> user's group added to group file in container ─>β”‚   β”œβ”€β”€ group
β”‚   └── passwd ──> user info added to passwd file in container ──>β”‚   └── passwd
β”œβ”€β”€ home                                                          β”œβ”€β”€ usr
β”‚   └── jc1000 ───> user home directory made available ──> ─┐     β”œβ”€β”€ sbin
β”œβ”€β”€ usr                 in container via bind mount         β”‚     β”œβ”€β”€ home
β”œβ”€β”€ sbin                                                    └────────>└── jc1000
└── ...                                                           └── ...

Q1: What do you notice about the ownership of files in a container started from the hello-world image? (e.g. take a look at the ownership of files in the root directory (/))

Exercise 1: In this container, try editing (for example using the editor vi which should be available in the container) the /rawr.sh file. What do you notice?

If you’re not familiar with vi there are many quick reference pages online showing the main commands for using the editor, for example this one.

Exercise 2: In your home directory within the container shell, try and create a simple text file. Is it possible to do this? If so, why? If not, why not?! If you can successfully create a file, what happens to it when you exit the shell and the container shuts down?

Previous Topic
Back to Lesson
Next Topic