docker Singularity "proxy" to invoke singularity containers on non-Linux systems via docker

[yarikoptic]

Since singularity is Linux specific, its images aren't usable on OSX/Windows. But I wonder if there could be a docker image/container (which we could carry here as well) with the sole purpose of "proxying" invocation to singularity inside? Then the https://github.com/ReproNim/containers/blob/master/scripts/singularity_cmd could even do needed proxying.

on a quick try -- 2.6.1 singularity cannot work in docker

root@3dd4a262774a:/tmp# ./ReproNim-reproin-master-latest.simg 
Singularity: action-suid (U=0,P=4648)> Could not virtualize file system namespace: Operation not permitted

ERROR  : Could not virtualize file system namespace: Operation not permitted
Singularity: action-suid (U=0,P=4648)> Retval = 255

ABORT  : Retval = 255
root@3dd4a262774a:/tmp# apt-cache policy singularity-container
singularity-container:
  Installed: 2.6.1-2~nd90+1
  Candidate: 2.6.1-2~nd90+1
  Version table:
 *** 2.6.1-2~nd90+1 500
        500 http://neuro.debian.net/debian stretch/main amd64 Packages
        100 /var/lib/dpkg/status

but apparently it is just a matter of --privileged docker execution! and then it works. So we can/should workout such an adapter and just document that it requires --privileged docker execution. Aspects to keep in mind

TODOs:

• Dockerfile to produce such proxy-to-singularity docker image/container
• scripts/singularity_cmd_via_docker helper
  • need for bind mounting paths into the docker container first to then be bind mounted into singularity... Since our helper has control over them (-W "$tmpdir" -H "$updir/binds/HOME" -B $PWD --pwd "$PWD") and we do not care to expose "outside" paths, as long as there is no more binds sneaked in into the call -- we should be all set to just bind mount $PWD, $updir/binds/HOME, and $tmpdir
  • (possibly?) need for mapping user ID into some internal to docker environment... may be even chmoding outputs upon completion? I had little to no experience with that yet, besides eventually chmodding those owned by root files ;) One approach could be to have a dedicated user within the "docker proxy" image, and bind current user to it?

related

• convert singularity images to docker containers: https://github.com/vsoch/singularity2docker

[mjtravers]

Here is a singularity Docker image provided by Singularityware and shared on Docker Hub:

singularityware/singularity:3.1