Virgo

JupyterLab with Apptainer

Victor Penso — Tue, 04 Jun 2024 22:00:00 GMT

Why Use JupyterLab?

JupyterLab ¹ is an excellent choice for scientific computing due to its flexibility, customization options, and ability to support a wide range of programming languages, libraries, and tools. Here are some reasons why you might choose to use JupyterLab and Jupyter Notebooks ² in scientific computing:

Ease of Use: JupyterLab is designed to be user-friendly, with features like auto-completion, syntax highlighting, and debugging capabilities that can help reduce the learning curve for new users.
Reproducibility: Jupyter Notebooks (.ipynb files) are self-contained documents that include code, output, and visualizations, making it easy to reproduce results and share them with others.
Easy Data Exploration: You can load and visualize various data formats, such as CSV, Excel, JSON, and more, using popular libraries like Pandas, NumPy, and Matplotlib.
Interactive Visualizations: Jupyter notebooks integrate with popular visualization libraries like Plotly, Bokeh, and Altair, enabling you to create interactive, web-based visualizations of your data.
Flexibility: Support of a wide range of programming languages, including Python, R, Julia, and MATLAB, allowing you to use the language that best suits your needs.
Version Control: You can use version control systems like Git to manage changes to your notebooks and collaborate with others.
Extensions for Specific Domains: There are many extensions available for JupyterLab that can help with specific tasks in scientific computing.

Jupyter Containers

The Jupyter team maintains the Jupyter Docker Stack ³ with corresponding public container images on DockerHub ⁴ and Quay ⁵. These container images can be use on any compute-cluster.

Login to a cluster submit node and start a JupyterLab container:

apptainer run docker://jupyter/base-notebook

The JupyterLab service daemon will print log information to the Terminal, including the connection address and a so called access token described in the next section.

Stop JupyterLab by pressing CTRL-C once you have finished working.

Access Token

stdout

# Information from the logs of the JupyterLab service
Or copy and paste one of these URLs:
    http://lxbk0725:12345/lab?token=598fb99446ce46996e9a74ea28bea3d2c7fd2591be4431f6
    http://127.0.0.1:12345/lab?token=598fb99446ce46996e9a74ea28bea3d2c7fd2591be4431f6

A Jupyter Access Token ⁶ like the example above is a secure, randomly generated string that authenticates and authorizes users to access JupyterLab notebooks and resources, providing an additional layer of security and control over notebook sharing and collaboration.

The access token includes the host name and port number required by the user to connect.

In the simplest case you can use the HTTP address which includes the host name of the executing node (lxbk0725 in the example above) to connect to JupyterLab with your web browser. In case you accessed the cluster from an external network you will need to setup SSH port forwarding as explained in the next section.

Remote Access

Access to JupyterLab from outside networks requires an additional step. SSH Port Forwarding is a technique that creates a secure, encrypted tunnel between your local machine and a remote server, allowing you to access the remote server’s services or applications as if they were running locally by forwarding specific ports from the remote server to your local machine.

Use SSH to configure port forwarding to Jupyter running on the cluster:

ssh -vv -N -L localhost:12345:lxbk0725.gsi.de:12345 virgo.hpc.gsi.de
# …logs will be print to the terminal …use ctrl-c to close

Once port forwarding has been started use the HTTP address with the IP address 127.0.0.1 (localhost) to connect to JupyterLab.

Build a Container

The following section implies that you want to add Jupyter to an existing container. Alternatively you could use the Jupyter Docker Stack as foundation and build from there by adding your components on top.

To integrate JupyterLab into your Apptainer container, you’ll typically extend an existing configuration that includes your working environment. Following assumes you have Python 3 available in our container and uses a Python virtual environment ⁷ to install JupyterLab.

Adding JupyterLab to an Apptainer Container Definition File ⁸:

apptainer.def

%post
# …add in an appropriate place in the post-section
mkdir /app
cd /app
python3 -m venv venv
. venv/bin/activate
# install JupyterLab including some extensions
pip3 install \
        jupyter \
        jupyterlab-spellchecker \
        jupyterlab-git \
        jupyterlab-lsp \
        'python-lsp-server[all]'

%environment
export JUPYTERLAB_PORT=54321

%runscript
. /app/venv/bin/activate
exec jupyter lab --no-browser --ip 0.0.0.0 --port $JUPYTERLAB_PORT

%startscript
. /app/venv/bin/activate
exec jupyter lab --no-browser --ip 0.0.0.0 --port $JUPYTERLAB_PORT

The example above prepares the use of apptainer instance ⁹ to manage your JupyterLab installation:

Apptainer, also allows you to run containers in a “detached” or “daemon” mode where the container runs a service. A “service” is essentially a process running in the background…

Following environment variables is used to set the service port:

Variable	Description
`JUPYTERLAB_PORT`	This defines the default port used when a JupyterLab instance is started. The configuration above sets the port to `54321`. Note that in case you share a host with other users you may be required to adjust the port number to avoid collisions.

Build the container and copy the image to shared storage:

1apptainer build apptainer.sif apptainer.def

# Make sure to store the container image on persistent storage for example Lustre
export LUSTRE_HOME=/lustre/$(id -ng)/$USER
export APPTAINER_CONTAINERS=$LUSTRE_HOME/containers
2cp apptainer.sif $APPTAINER_CONTAINERS/jupyterlab.sif

1: Build the Apptainer container image from the definition file ¹⁰
2: Copy the JupyterLab container images to your Lustre directory

Start the container instance on the current host:

1export APPTAINERENV_JUPYTERLAB_PORT=12345
2apptainer run $APPTAINER_CONTAINERS/jupyterlab.sif

1: Overwrite the default port configuration with an environment variable
2: Start your JupyterLab instance on the local node

Start a JupyterLab instance on a cluster node:

1export LUSTRE_HOME=/lustre/$(id -ng)/$USER ; cd $LUSTRE_HOME
2srun --nodes=1 --ntasks-per-node=1 --time=01:00:00 --pty bash -i

# …once your allocation has been granted
3export APPTAINER_CONFIGDIR=$LUSTRE_HOME/.apptainer
4apptainer instance start $LUSTRE_HOME/jupyterlab.sif jupyterlab

1: Configure your working directory, typically on shared storage
2: Allocate an interactive session on a compute node with srun
3: Make sure the Apptainer configuration path is located on writable storage
4: Start your JupyterLab instance on the compute node

Read the access token from the log-files of your JupyterLab instance:

>>> cat $APPTAINER_CONFIGDIR/instances/logs/$(hostname)/$USER/jupyterlab.err \
        | grep -o 'http.*lab?token.*' | sort | uniq
http://127.0.0.1:54321/lab?token=041ded5856f8bfe5202c5118027016f990390729ff7d0433
http://lxbk0724:54321/lab?token=041ded5856f8bfe5202c5118027016f990390729ff7d0433

Footnotes

Project Jupyter Documentation
https://docs.jupyter.org/en/latest↩︎
Jupyter Notebook Documentation
https://jupyter-notebook.readthedocs.io↩︎
Jupyter Docker Stacks
https://jupyter-docker-stacks.readthedocs.io
https://github.com/jupyter/docker-stacks↩︎
Jupyter Project, DockerHub
https://hub.docker.com/u/jupyter↩︎
Project Jupyter, Quay.io
https://quay.io/organization/jupyter↩︎
Security in the Jupyter Server
https://jupyter-server.readthedocs.io/en/stable/operators/security.html↩︎
Virtual Environments, Python Documentation
https://docs.python.org/3/library/venv.html↩︎
Apptainer Definition Files, Apptainer User Manual
https://apptainer.org/docs/user/main/definition_files.html↩︎
Instances - Running Service, Apptainer User Manual
https://apptainer.org/docs/user/main/running_services.html↩︎
Build a Container, Apptainer User Manual
https://apptainer.org/docs/user/main/build_a_container.html↩︎

Apptainer Containers Overview

Victor Penso — Tue, 28 Nov 2023 23:00:00 GMT

Questions

Why use containers?
What are container images?

Objectives

Learn how to use exiting containers
Understand container definition files

Using Apptainer

Apptainer ¹ enables users to interact with containers transparently. Execute programs inside a container (as if running on the host). Redirect I/O, use command pipes, pass arguments, access files, sockets and ports. Apptainer is updated regularly ² and most Linux distributions have packages available in their repositories. On Fedora for example, install Apptainer using the official apptainer package ³:

# install apptainer
sudo dnf install -y apptainer

# verify functionality
apptainer run docker://alpine

Users of MacOS and Windows can execute Linux containers in a virtual environment on their computer. It is not necessarily required to have Apptainer installed on your machine. Many HPC systems will have the apptainer command pre-installed, including the capability to build container images on the cluster nodes. However it is often preferable to use container images in the local environment as well, and copy them on-demand to a target HPC system. This approach ensures that you work with the exact same environment under all circumstance.

Why use containers?

Many applications in the HPC environment have become very complex in regards to software dependencies and details of configuration. For many years HPC infrastructure providers have struggled to build a common environment to facilitate the requirements of all user-communities on a single host platform. Containers enable complete decoupling of application environments from the host platform and other users. In addition containerization prevents any interference between user environments, an issue that created a lot of friction for cluster operations in the past.
Containers change the user environment into a swappable component. Allowing users to have a custom application environment “packaged” into a container image. This container image can be executed within any host that provides container support. Which includes their own computer and a growing number of HPC systems.
The most important benefit for users is the complete independence from the HPC host environment. This allows the freedom of choice to select any Linux distribution as a foundation for the container image. Furthermore users can install any combination of compilers, libraries and other software components in versions they require.
Most container images are build programmatically using definition files. This ties into the concepts and goals of reproducible science. Images can not only be preserved without any ties to the host infrastructure used for execution, but are based on a recipe detailing how the image was build in the first place.
Updates to both containerized applications and the host infrastructure are not interrelated. This benefits HPC administrators by enabling them to select the most suitable host environment to support the growing complexity of hardware. At the same time users can make changes to container images aligned with their scientific schedule and other boundary conditions.

Container Images

Sub-Command	Description
`pull`	Download a container image from a remote resource

What are container images?

A container images stores a file-system tree containing a software environment (compilers, frameworks, libraries, etc.) for a given application.
Additionally container images store configuration metadata used during container launch to create a desired application run-time environment.
Container images are typically read-only (immutable) snapshots, which makes them host independent and portable. They can be moved freely between different infrastructures, and are published in container registries.
New images are often derived from an existing image. Usually the container definition is maintained with a version control system.
It is easy to switch between multiple versions of container images simplifying the roll-out of updates and roll-back in case of problems.

The container image default format for Apptainer is called SIF (Singularity Image File), a compressed read-only container file, by convention suffixed with .sif. Download container images ⁴ from a remote location, for example a container registry like DockerHub, with apptainer pull. This downloads all require container layers and combines those layers into an image file stored to the container cache in the path ~/.apptainer/cache by default.

Many use-cases can build on an existing container images. Pre-build images are published by many organizations in a public container registry. A registry is centralized storage for container images. All container runtime systems (like Apptainer) have a standard way to download images from a registry. The most popular image registry is is DockerHub ⁵, the origin of a common protocol used to communicate with a container registry.

Environment Variable	Description
`APPTAINER_CONTAINER`	Absolute path to storage location for container images

# Set the path to a directoy storing container images...
export APPTAINER_CONTAINER=$LUSTRE_HOME/containers

# ...download a container image from a container registry
apptainer pull $APPTAINER_CONTAINER/jupyter.sif docker://quay.io/datascience-notebook:latest

Above example shows the download of a container image provided by Project Jupyter ⁶, pulled from a container registry called Quay (by RedHat) using the standard docker:// protocol. It is up to the users to select an appropriate image for their application. The recommendation is to use container images provided by the developer community of a given software ecosystem.

Interact with Containers

Sub-Command	Description
`exec`	Execute a command within a containerized environment
`shell`	Start an interactive shell session in a containerized environment

The Jupyter datascience-notebook container image downloaded in the previous section includes a Python environment supporting the NumPy package ⁷ for scientific computing. Users interact with container images ⁸ using a selection of Apptainer sub-commands. The sub-command exec executes a specified command within a container. Below a very simple Python program utilizing the NumPy package:

#!/usr/bin/env python

import numpy as np

array = np.array([
    [3, 7, 1],
    [10, 3, 2],
    [5, 6, 7]
])

print(np.sort(array, axis=1))

# Implement the NumPy program above in an example file...
$EDITOR example.py

# ...make the example file an executable program
chmod +x example.py

# Execute the Python program in the downloaded container image
apptainer exec $APPTAINER_CONTAINER/jupyter.sif ./example.py

The shell sub-command starts an interactive shell within a container:

>>> apptainer shell $APPTAINER_CONTAINER/jupyter.sif         
Apptainer> ipython
Python 3.11.6 | packaged by conda-forge | (main, Oct  3 2023, 10:40:35) [GCC 12.3.0]
Type 'copyright', 'credits' or 'license' for more information
IPython 8.16.1 -- An enhanced Interactive Python. Type '?' for help.

In [1]:

Build Containers

Sub-Command	Description
`build`	Build a new container image from a definition file

Create a new container image ⁹ with the help of a container definition file (or “def file” for short). The following example builds a container image for the GNU Hello ¹⁰ software, based on a definition file called hello.def:

BootStrap: docker
From: quay.io/fedora/fedora:latest

%labels
Maintainer John Snow <j.snow@example.com>

%post
version=2.12.1
archive=hello-$version.tar.gz

dnf install -y wget tar gzip gcc make
dnf clean all

wget https://ftp.gnu.org/gnu/hello/$archive
tar xvzf $archive -C /opt
rm $archive
cd /opt/hello-$version

./configure
make
make install

%runscript
/usr/local/bin/hello

Run the following command providing the container image name and the definition file as arguments to build a container image:

apptainer build $APPTAINER_CONTAINER/hello.sif hello.def

Test the functionality of the container image by executing the hello application in the container:

>>> apptainer run $APPTAINER_CONTAINER/hello.sif                
Hello, world!

>>> apptainer exec $APPTAINER_CONTAINER/hello.sif hello --version | head -n1
hello (GNU Hello) 2.12.1

Definition Files

Container images are build from a definition file ¹¹, basically a blueprint listing each step to install software components within the container. The files are divided into two parts:

The header defines the Linux distribution used as foundation to build the container image (root) file-system. We recommend to select the distribution best supported by the software you want to use.
The rest of the definition is comprised of sections to install additional software and configure the container run-time environment.

Header

The header at the top defines the base operating system used to build the container. The Bootstrap keyword is mandatory in the first line. This keyword supports multiple bootstrap agents ¹², for example the docker agent enables access to compatible container registries like DockerHub:

# ...from DockerHub
BootStrap: docker
From: fedora:latest

# ...from Quay (RedHat)
BootStrap: docker
From: quay.io/rockylinux/rockylinux:8

Sections

The second part of the definition file is broken into sections ¹³. Each section adds different content or executes commands at different times during the container image build (note that multiple sections of the same name can be included). The build option --section allows to limit execution to a specific section or sections. The table below presents a brief overview of all possible sections:

Section	Description
`%setup`	…executed on the host…before container build
`%files`	…copy files into the container before `%post`
`%post`	…install software…create configurations
`%test`	…validate the container
`%environment`	…define environment variables ¹⁴ (not made available at build time)
`%startscript`	…executed at `instance start` command
`%runscript`	…executed at `run` command
`%labels`	…add metadata to the file `/.singularity.d/labels.json`
`%help`	…help text…

The definition file below illustrates many sections as examples:

%setup
    touch /file1
    touch ${APPTAINER_ROOTFS}/file2

%files
    /file1
    /file1 /opt

%environment
    export LISTEN_PORT=12345
    export LC_ALL=C

%post
    apt-get update && apt-get install -y netcat
    NOW=`date`
    echo "export NOW=\"${NOW}\"" >> $APPTAINER_ENVIRONMENT

%runscript
    echo "Container was created $NOW"
    echo "Arguments received: $*"
    exec echo "$@"

%startscript
    nc -lp $LISTEN_PORT

%test
    grep -q NAME=\"Ubuntu\" /etc/os-release
    if [ $? -eq 0 ]; then
        echo "Container base is Ubuntu as expected."
    else
        echo "Container base is not Ubuntu."
        exit 1
    fi

%labels
    Author alice
    Version v0.0.1

%help
    This is a demo container used to illustrate a def file that uses all
    supported sections.

Local Images

Repeatedly building containers can become a time consuming process. Apptainer supports to build containers from local images. This enables to maintain a list of base containers as foundation for later reuse. Following definition builds a base-container from the latest Fedora release including developer tools, compilers and a selection of additional useful packages.

BootStrap: docker
From: quay.io/fedora/fedora:latest

%post

dnf install -y @development-tools \
      gcc-c++ gcc gcc-gfortran git git-delta gnupg2 \
      python3 python3-pip python3-setuptools python3-boto3 \
      psmisc rsync tmux tree wget unzip \
      bat curl fd-find fzf findutils \
      hostname iproute netcat neovim make patch \
dnf clean all

# ...build the container image
apptainer build fedora-base.sif fedora-base.def

Another container definition file can then reuse a local image with the following bootstrap configuration ¹⁵:

Bootstrap: localimage
From: fedora-base.sif

Note that Apptainer supports another mechanism called multi-stage build ¹⁶ in a single container definition file.

Container Cache

Environment Variable	Description
`APPTAINER_CACHEDIR`	Cache folder for images from a container registry.
`APPTAINER_TMPDIR`	Temporary directory to build container file-systems.

By default the container build cache is located in the directory $HOME/.apptainer. Details about the container build environment are available in the Apptainer User Guide ¹⁷. Pay attention to the storage consumed by the container cache, since the amount of available space may be limited depending on your environment.

# show storage capacity used by the cache
apptainer cache list

# ..detailed view
apptainer cache list -v

# clean up everything
apptainer cache clean

The environment variable listed in the table on top are used to configure the paths to the container caches. Following example stores all container artifacts on volatile storage in the /var/tmp directory by setting both variables:

# create a user working directory
pushd $(mktemp -d /var/tmp/$USER-apptainer-XXXXXX)

# locate all artifacts within this directory
export APPTAINER_TMPDIR=$PWD
export APPTAINER_CACHEDIR=$PWD

This is useful in make sure that all build-artifact don’t linger in your environment.

Test Sandboxes

Option	Description
`--sandbox`	Work with a container image (root)-filesystem

A sandbox provides a writable (ch)root directory to interactively work with a container image. This is obviously not a reproducible method to build an image, but it is helps testing during implementation of definition files:

# ...create a container within a writable directory
apptainer build --fix-perms --sandbox rootfs/ docker://quay.io/rockylinux/rockylinux:8

# ...make changes within the container
apptainer shell --writable --fakeroot --home $PWD rootfs/

# ...build a new container from the sandbox
apptainer build apptainer.sif rootfs/

Do not forget to delete the rootfs directory afterwards, since these can consume multiple Gigabytes of storage.

Docker Compatibility

Container build and runtime tools have a complex interrelationship and overlap of functionality. The most widely used container tools outside of HPC are Docker ¹⁸ and Podman ¹⁹, which are mostly compatible to each other. Chances are high that you will encounter projects providing a Dockerfile ²⁰ as container definition. Consider the example below for GNU Hello introduced previously:

FROM quay.io/fedora/fedora:latest

ARG version=2.12.1
ARG archive=hello-$version.tar.gz

RUN dnf install -y wget tar gzip gcc make
RUN dnf clean all

RUN wget https://ftp.gnu.org/gnu/hello/$archive
RUN tar xvzf $archive -C /opt
RUN rm $archive

WORKDIR /opt/hello-$version

RUN ./configure
RUN make
RUN make install

ENTRYPOINT /usr/local/bin/hello

The notation above differs significantly from an Apptainer definition file. In order to build a container image from a Dockerfile, use the build sub-command ²¹ of Podman. Please consult the corresponding documentations for more details.

# Build a container image using a `Dockerfile` in the working directory...
podman build -t hello .

# ...and execute the container image to test its functionality
podman run --rm -it localhost/hello:latest

For the purpose of this article it is interesting to understand the compatibility of Apptainer and Docker container images. Apptainer uses a different container format SIF, as discussed above. Fortunately it is easy to convert between both formats:

# Create an OCI container archive...
podman push localhost/hello:latest oci-archive:/tmp/hello-latest.tar

# ...and use this archive to create a SIF container image
apptainer build hello.sif oci-archive:/tmp/hello-latest.tar

The two commands above use an standardized container image format called OCI Image Layout ²² as intermediate step during conversion. There is a lot more details to the conversion then described here. We leave it to the reader to continue to investigate this.

Footnotes

Apptainer
https://apptainer.org↩︎
List of Apptainer Releases, GitHub
https://github.com/apptainer/apptainer/releases↩︎
Fedora Apptainer Package
https://src.fedoraproject.org/rpms/apptainer↩︎
Downloading Images, Apptainer User Guide
https://apptainer.org/docs/user/latest/quick_start.html#downloading-images↩︎
Container Registry, Docker Manual
https://docs.docker.com/registry/↩︎
Project Jupyter, Quay.io
https://quay.io/organization/jupyter↩︎
Numpy Package
https://numpy.org/↩︎
Interacting with Images, Apptainer User Guide
https://apptainer.org/docs/user/main/quick_start.html#interacting-with-images↩︎
Build a Container, Apptainer User Guide
https://apptainer.org/docs/user/main/build_a_container.html↩︎
GNU Hello
https://www.gnu.org/software/hello↩︎
Definition Files, Apptainer User Guide
https://apptainer.org/docs/user/main/definition_files.html↩︎
Bootstrap Agents, Apptainer User Guide
https://apptainer.org/docs/user/main/definition_files.html#other-bootstrap-agents↩︎
Sections, Apptainer User Guide
https://apptainer.org/docs/user/main/definition_files.html#sections↩︎
Environment and Metadata, Apptainer User Guide
https://apptainer.org/docs/user/main/environment_and_metadata.html#environment-and-metadata↩︎
Build Modules, Apptainer User Guide
https://apptainer.org/docs/user/main/appendix.html#build-localimage↩︎
Multi-Stage Builds, Apptainer User Guides
https://apptainer.org/docs/user/main/definition_files.html#multi-stage-builds↩︎
Apptainer User Guide - Build Environment
http://apptainer.org/docs/user/main/build_env.html#cache-folders↩︎
Docker Documentation
https://docs.docker.com/↩︎
Podman Documentation
https://podman.io/docs↩︎
Dockerfile Reference, Docker Documentation
https://docs.docker.com/engine/reference/builder/↩︎
Podman Build Manual Page
https://docs.podman.io/en/latest/markdown/podman-build.1.html↩︎
OCI Image Layout Specification, Open Containers Initiative
https://github.com/opencontainers/image-spec/blob/main/image-layout.md↩︎

Policy-based routing on the cluster at GSI

Sören Fleischer — Thu, 23 Nov 2023 23:00:00 GMT

The cluster at GSI

GSI has a cluster located within the Green IT Cube.

It features

A number of worker nodes a.k.a. execution nodes a.k.a. number crunchers
A number of storage machines which constitute a Lustre file system, which is mounted on the worker nodes
A Slurm instance to manage computing workloads.

All of these machines are connected to an IPoverIB InfiniBand network with private IPs.

This cluster is meant to be serving multiple computing/storage use cases, for example for

Current experiments at GSI
Future experiments at GSI/FAIR
Individual users at GSI/FAIR
Short-lived or long-lived collaborations with remote institutions

There is typically no partitioning of the worker nodes by user/group/experiment. Which means anyone’s computing payload can be executed on any worker node.

In general, the network policy for the cluster machines’ network is:

Nothing in
Nothing out

The problem

However, some experiments, such as ALICE at CERN, have, for better or worse, designed their computing workflows in such way that the computing payload requires to connect to the outside world during runtime.

Since the collaboration with ALICE is too important to be subject to the cluster’s network policy, an exception needed to be implemented.

A solution needs to fulfil at least the following requirements

The outgoing connections from ALICE computing payloads MUST be permitted
Any outgoing connection from other processes MUST fall into the default routing workflow
Outgoing connections MUST be NATed for internet-routability.
The mechanism MUST be transparent for ALICE as well as for other users of the cluster
The mechanism SHOULD be efficient
The mechanism SHOULD be fault-tolerant

The solution

The following is an extremely simplified illustration of the default network situation around the cluster.

Diagram showing worker nodes connected to a single default gateway router, with a firewall blocking outgoing traffic

There is only one router, and it each worker node has configured it as its default gateway.

That router sends the packets it received to its default gateway, heading for the firewall, which drops packets attempting to connect to the outside.

The solution is a mechanism which consists of two parts.

Worker Node Configuration

On each worker node

The connections made by the ALICE computing payload are marked (iptables terminology) by selecting by the UID or GID of the process
The Linux kernel gets instructed to use a different routing table for packets with that specific mark
The special routing table most importantly involves a different default gateway

Specifically, we configure a special routing table:

/etc/iproute2/rt_tables

#
# reserved values
#
255 local
254 main
253 default
0   unspec
#
# local
#
#1  inr.ruhep
201 alinat

We set the iptables marking mechanism as well as the ip rule mechanism in a systemd unit file.

/etc/systemd/system/route.service

[Unit]
Description=Routing Configuration
Requires=network-online.target
Wants=systemd-networkd-wait-online.service sssd.service
After=network-online.target sssd.service

[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=-/usr/sbin/iptables -t mangle -D OUTPUT -p tcp -m owner --uid-owner aliprod  -j MARK --set-mark 1
ExecStart=-/usr/sbin/iptables -t mangle -D OUTPUT -p tcp -m owner --uid-owner alise    -j MARK --set-mark 1
ExecStart=-/usr/sbin/iptables -t mangle -D OUTPUT -p tcp -m owner --gid-owner alice    -j MARK --set-mark 1
ExecStart=/usr/sbin/iptables -t mangle -A OUTPUT -p tcp -m owner --uid-owner aliprod  -j MARK --set-mark 1
ExecStart=/usr/sbin/iptables -t mangle -A OUTPUT -p tcp -m owner --uid-owner alise    -j MARK --set-mark 1
ExecStart=/usr/sbin/iptables -t mangle -A OUTPUT -p tcp -m owner --gid-owner alice    -j MARK --set-mark 1
ExecStart=-/usr/sbin/ip rule del fwmark 1 table alinat
ExecStart=-/usr/sbin/ip r flush table alinat
ExecStart=/usr/sbin/ip rule add fwmark 1 table alinat
ExecStart=/usr/sbin/ip r add 10.20.0.0/16 dev ib0 table alinat
ExecStart=/usr/sbin/ip r add 10.20.1.0/24 dev ib0 table alinat
ExecStart=/usr/sbin/ip r add 10.10.24.0/24 via 10.20.0.1 dev ib0 table alinat
ExecStart=/usr/sbin/ip r add 140.181.2.0/24 via 10.20.0.1 dev ib0 table alinat
ExecStart=/usr/sbin/ip r add 140.181.60.0/24 via 10.20.0.1 dev ib0 table alinat
ExecStart=/usr/sbin/ip r add default via 10.20.3.227 dev ib0 table alinat
ExecStop=-/usr/sbin/iptables -t mangle -D OUTPUT -p tcp -m owner --uid-owner aliprod  -j MARK --set-mark 1
ExecStop=-/usr/sbin/iptables -t mangle -D OUTPUT -p tcp -m owner --uid-owner alise    -j MARK --set-mark 1
ExecStop=-/usr/sbin/iptables -t mangle -D OUTPUT -p tcp -m owner --gid-owner alice    -j MARK --set-mark 1
ExecStop=/usr/sbin/ip rule del fwmark 1 table alinat
ExecStop=/usr/sbin/ip r flush table alinat

[Install]
WantedBy=multi-user.target

You can see that in the unit file above in the ExecStart lines, we first perform the actions of ExecStop there, but we allow them to fail without letting the unit fail by using systemd’s =- syntax.

Using that trick, the unit file gets the desirable property of idempotence, which means it can be executed any number of times and will always achieve the same desired state of the specified items.

Consequently,

The unit does not fail it it gets started or restarted while iptables and ip are already configured correctly
In case the configuration of iptables or ip gets changed (for example if a network interface goes down and up again) and the systemd unit does of course not notice it, a restart of the unit will recover the configuration of iptables and ip.

NAT Router Configuration

The second part is a machine functioning as a router. Routers connect networks, so that machine needs to have at least 2 network interfaces. One in the network with the worker nodes, and one in a network with public IPs. In our case, that network is 140.181.2.0/24 and we call it brokernetz.

That machine must be configured to act as a router. From a Linux point of view, that means that IP forwarding needs to be enabled. It may be desirable to restrict it to the network interface combinations that you want to allow. In our case, we want to allow forwarding between the IPoverIB network on interface ib0 and the 10GbE interface eth9.

Specifically, we configure IP forwarding:

[root@alinat1 ~]# cat /etc/sysctl.d/10-alinat.conf 
net.ipv4.ip_forward = 1

And use nftables to define between which interfaces we want to route packets.

[root@alinat1 ~]# nft list ruleset
table inet table1 {
    chain input {
        type filter hook input priority filter; policy accept;
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        iifname "ib0" oifname "eth9" accept
        iifname "eth9" oifname "ib0" accept
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
table ip tablenat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth9" masquerade
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
    }
}

That way we have a special router which routes the packets originating from the ALICE payloads on the cluster headed for the internet.

Diagram showing an additional NAT router handling ALICE traffic alongside the default gateway

For ALICE we have several xrootd data servers which are dual-homed as well. They have an IPoverIB interface to be able to access Lustre, as well as a 10GbE interface in the brokernetz to be reachable from the Internet.

That happens to be just the network configuration of our NAT router.

To increase fault tolerance, we configured each of them to be a NAT router as well. However, only at most one of them is active at a given time. Under normal circumstances, that means exactly one machine plays the role of the NAT router.

For that we use keepalived. It is a daemon that utilizes the Virtual Router Redundancy Protocol (VRRP).

We configure keepalived on each of these machines to define a virtual router (keepalived terminology) with exactly one “virtual” IP address. Each keepalived daemon gets configured to have a specific priority. They then communicate with one another and figure out which one of the alive daemons has the highest priority. The one with the highest priority will claim the virtual IP, which is the IP configured on all worker nodes on the cluster.

Diagram showing multiple redundant NAT routers managed by keepalived, sharing a virtual IP

That way, even when the primary NAT router fails, the machine with the at that point in time highest priority will take over.

Any of the NAT routers can be rebooted or otherwise taken offline without resulting in any unavailability of the NAT mechanism as long as at least one of them is still operational.

Conclusion

This setup has proven to have an excellent specificity and sensitivity, which is to say there have not been any observed false positives or false negatives w.r.t. which packets get routed to our NAT router vs the normal default gateway.

Secondly, it is extremely efficient. Even when saturating the 10GbE link there is hardly any noticable CPU usage on the NAT router.

Also, it is reliable and probably the most fault-tolerant component in our ALICE setup.

There is slight operational room for improvement on the worker node side. In case the InfiniBand network goes down and up again, the IP address disappears and all routes with it. Currently we do not automatically recover from that fault, but we detect it and manually need to restart route.service. This could theoretically be further automated.

The ALICE Analysis Facility at GSI

Raffaele Grosso — Tue, 14 Nov 2023 23:00:00 GMT

The context

High Energy Physics experiments at big accelerators require to search for special signals in a “haystack” of background noise. The whole of the RAW data (data read out from the detectors’ electronics) is firstly processed by complex algorithms in order to be interpreted as tracks of primary particles or of their decay products and the actual physics analysis later consists on applying clever cuts for selecting interesting candidates, for example combinations of two tracks, in the whole track background, for example in the huge combinatorial background of all track pairs of a collision event (proton-proton, lead-lead, proton-ion, …). For the results to be significant the search has to be carried over a huge amount of collisions, which is the reason why accelerators are challenged to provide an always higher rate of collisions and the computing infrastructure is challenged to be capable to process always bigger volumes of data per unit of time.

To efficiently store and process such huge amount of data, computing resources distributed worldwide have been organized in a hierarchy of sites playing different roles according to the computing model of the pertaining experiment with the aim of finding the best trade-off between centralization and distribution of resources to minimize data storage and data processing costs.

Moving from Run 2 to Run 3 (started in summer 2023) the ALICE experiment ¹ at the CERN LHC is facing the challenge of processing a raw data throughput from the detector bigger than 1.1 TB/s, twenty times bigger then in Run 2, due to the increased luminosity – a way to measure the collision rate per cross section unit – provided by the accelerator and to the continuous readout, that is to taking data without a trigger upstream of the detector. The peak data rate of 1.1 TB/s is reached in lead-lead collisions at 50 kHz interaction rate. This is the setting for big changes in the ALICE computing model for Run 3, based on the necessity to maximize the compression of the data volume read out from the detectors synchronously with data taking, that is performing a first calibration and reconstruction pass online in order to drastically reduce the the amount of data to be stored (down to 50 GB/s).

The GSI contribution to ALICE computing in Run 3

GSI is one of the ALICE Grid sites and provides computing and storage resources (several PB and several thousands cores) to the ALICE experiment. The amount and mode of integration of these resources in the global framework of the experiment results from the computing requirements ² and is reviewed on a yearly bases to account for the current needs and possibilities. As anticipated above the data throughput from the detector has drastically increased from Run 2 to Run 3 leading to big changes in the ALICE data processing model in particular to anticipate as much as possible the calibration and reconstruction just after the read out, before storing and archiving the data. This has also implied a reorganization of the role played by the Grid sites, in particular to minimize the displacement of data and to maximize the proximity of computing jobs to their input data. In Run 2 the GSI site has been a Tier 2 in the ALICE Grid, meaning a site at the second level in the Grid hierarchy, where the first level – Tier 1 – includes some big computing facilities (GridKA in the case of Germany) and the upper level – Tier 0 – are the central facilities very closed to the detector itself. As a Tier 2 site GSI resources have been used in the context of the Run 2 computing model for central simulations, central analysis and user analysis jobs. In the data processing of Run 3 the role of the different sites is more specialized and GSI becomes an Analysis Facility (AF), whose focus is in being able to process a large amount of data in a short time (up to 5 PB in 12 hours, or equivalently 100 GB/s) providing fast analysis validation an cut tuning.

How are GSI resources integrated in the ALICE Grid

As the other big High Energy Physics experiments at the LHC, ALICE generates data volumes whose storage and processing require to be distributed on many sites. The ALICE Grid middleware JAliEn ³ allows to represent world-wide spread resources under a single interface transparently to the user, who sees a single namespace for files and a single resource manager for computing jobs. For this to happen each Grid site maintains dedicated services and servers which make the storage and computing resources at the site (Storage Element and Computing Element) centrally accessible.

Local and global storage

The following analogy can help to visualize the software stack: a file system local to a machine represents bits on the storage device as logical entities (files) occupying a place in a logical structure (file tree). Similarly, one level above, a parallel file system manages data distributed on several storage devices transparently presenting to the user a single global namespace. Similarly, and as the next level of abstraction, a Grid file system reads and writes data to Storage Elements distributed world wide presenting the underlying files under a single global namespace to the user, who does not need to be aware of anything about the physical location of files. This upper level of abstraction is based on centrally maintained databases which map the files’ name and logical position in the global namespace, the Logical File Name (LFN), to the files’ name at the underlying, the Physical File Names (PFN) of one or more replicas at one or more Storage Elements corresponding to that LFN. It is also based on local services at each SE to “bridge” the local distributed file system to the central services. User queries for LFNs translate into remote queries to replicas at GSI and are served by locally maintained XRootD ⁴ redirectors and data servers which in turn query the local parallel file system Lustre ⁵.

Global namespace for ALICE files

Local and global jobs

With respect to jobs and compute resources another similar analogy holds: a job scheduler in the operating system of a machine allocates resources (RAM and CPU) to many different processes organized in prioritized queues. One level above a resource manager does the same with jobs submitted by users on the resources of a cluster. And, one level above, the Grid services of the experiment queue, distribute and monitor jobs submitted by users who don’t need to know on which CPUs at which site their job has run.

ALICE jobs queue

This additional level of abstraction requires of course some services to communicate requests and availability between the global ALICE Grid instance and the single computing sites. It also requires users to submit jobs via a small file describing in a standardized way the job’s needs, as for example input files to be processed, required packages, single or multi core execution, required memory, expected time to live. The central services interact with servers at the sites called VoBoxes which in turn spawn ALICE jobagents on the local workload manager, in the form of Slurm ⁶ jobs in our case. Finally the job agents communicate with the central services in particular to pull ALICE jobs.

VoBox and job submission

The detailed and more precise workflow of how AliEn jobs are run on worker nodes is detailed in the second part of this presentation⁷. One can see that actually the JobAgent is launched by a JobRunner to account for multicore execution. The JobAgent in turn launches a JobWrapper which finally executes the actual AliEn job. The main duty of the JobAgent is to ask the Task Queue for a matching job and launch in a container if possible a JobWrapper according to the “payload” (job ID, JDL and job token) received from the central services. If you are still not lost in the many layers of abstraction presented up to now, it is worth mentioning that the startup script executed on the WN is encrypted and embedded in the slurm-submit script received by the VoBox and submitted to Slurm. Here it is modified before being sent in order to accommodate it to the network configuration specific to our cluster by unsetting the proxy-related environment variables.

Some technical challenges and our solutions

The aim of the middleware is to link local resources and central services transparently for the users and painlessly for the local and central admins. Nevertheless we had some issues to be solved, mostly related to the peculiarity of providing resources on shared, non-dedicated systems (our storage instance of Lustre and our cluster Virgo). Hereafter we mention a couple of these issues and describe how we solved them.

The VoBox is not in the cluster

An assumption of the experiment’s middleware is that the VoBox is internal to the cluster and in particular that it runs on a machine where the Slurm client is installed. The VoBox however runs services which require to be accessible from the Internet, which is not the case for the GSI cluster’s network. Therefore the VoBoxes of the GSI site run on a machines outside of the cluster’s network on which the Slurm client is not installed. The Slurm commands issued by the VoBox (squeue, sbatch, …) must be somehow sent to a node which is instead able to query the Slurm servers. Our solution is to “wrap” these commands in a corresponding executable which prepends them with an ssh to a submit node of the cluster. These executables are located in /usr/local/bin so that they are found in the $PATH and as first instances.

Remaining space on Lustre

The space for the ALICE SE at GSI is made available on the local shared storage of Lustre and reserved by means of its quota administration tools (lfs setquota). However the assumption of the middleware is to query the space on a dedicated storage. To overcome this problem an XRootD plug-in was implemented and is installed, which overwrites the XRootD implementation of space usage queries with queries to the Lustre quota API. In this way the available space on Lustre is checked correctly accounting for the quota reserved to ALICE.

The worker nodes are firewalled

ALICE jobs running on the worker nodes need to access the Internet to communicate with the central services and to get files from remote storage elements. This queries however would be blocked by the firewall. Therefore this outgoing traffic has to be redirected bypassing the firewall. Our solution is to make use of policy based routing and natting as described in one of the next blog contributions.

Optimize file access at the local Storage Element

Access to the local storage resources by jobs on the Grid is provided by local services and in particular by the XRootD redirectors and data servers. When a read or write query from a client for a file located at Storage Element at GSI reaches the redirector, it queries in turn the data servers, it gets back possibly the reply by at least one of them and forwards the data server’s address to the client. The client can then communicate directly with the data server which get the file from the underlying storage (Lustre) to ship it to the client. In this data flow there is room for improvement when the client and the SE storing the file are at the same site. This important optimization has been implemented in an XRootD plug-in as described in another blog contribution.

Footnotes

The ALICE Experiment at the LHC
https://home.web.cern.ch/science/experiments/alice↩︎
ALICE upgrades during the LHC Long Shutdown 2
https://arxiv.org/pdf/2302.01238.pdf#subsubsection.5.4.3↩︎
JAliEn
https://jalien.docs.cern.ch/↩︎
XRootD
https://xrootd.slac.stanford.edu/↩︎
The Lustre file system
https://www.lustre.org/↩︎
Slurm overview https://slurm.schedmd.com/overview.html↩︎
JAliEn job execution workflow https://indico.cern.ch/event/877541/contributions/3697557/attachments/1967641/4324980/T1T2_2022.pdf↩︎

Plasma PIC with Apptainer Containers

Denis Bertini — Mon, 13 Nov 2023 23:00:00 GMT

Software Stack

Container images are all built with RockyLinux 8.8 ¹ in alignment with the host platform of the compute cluster. Each container image provides a self-consistent environment to perform PIC simulation using either EPOCH ² or WarpX ³. The environments have been tested and validated for full speed InfiniBand interconnect communication and Lustre file-system optimised MPI I/O. Containers provide the latest versions the PIC codes and dependencies, which includes:

Linux RockyLinux 8.8 with Lustre Client v2.15.3 ⁴
OpenMPI v5.0.0 ⁵, PMix v4.2.7 ⁶, UCX v1.15.0 ⁷
I/O Libraries HDF5 v1.14 ⁸ and ADIOS2 v2.9.1 ⁹
EPOCH v4.19.0 ¹⁰ and WarpX v23.10 ¹¹
Python v3.6.8 with scientific packages (Numpy , Matplotlib, etc.) and SDFUtils bindings for EPOCH

All Apptainer container definition files ¹² are available to users in a GitLab repository in sub-directory defs/. Use the definition files to build the containers and provide feedback using GitLab issues:

Repository	URL
pp-containers	https://git.gsi.de/d.bertini/pp-containers

Container Images

Ready to use container images are provided to the cluster on CVMFS in the directory /cvmfs/phelix.gsi.de/sifs/. The latest images are stored in the development dev/ sub-directory for validation from the user community. After validation, images are moved to the production prod/ sub-directory, replacing the previous versions preserved for reference in the old/ sub-directory. The directory structure looks similar to the following example:

>>> tree /cvmfs/phelix.gsi.de/sifs
.
├── cpu
│   ├── dev
│   │   ├── rlx8_ompi5_ucx_cma.sif
│   │   ├── rlx8_ompi5_ucx_dask.sif
│   │   ├── rlx8_ompi5_ucx_gcc13_cma.sif
│   │   ├── rlx8_ompi5_ucx_gcc13.sif
│   │   └── rlx8_ompi5_ucx.sif
│   ├── old
│   └── prod
│       ├── rlx8_ompi_ucx_gcc12.sif
│       └── rlx8_ompi_ucx.sif
└── gpu
    ├── dev
    │   └── rlx8_rocm-5.7.1_warpx.sif
    ├── old
    └── prod
        ├── rlx8_rocm-5.4.6.def
        ├── rlx8_rocm-5.4.6.sif
        ├── rlx8_rocm-5.4.6_warpx.def
        ├── rlx8_rocm-5.4.6_warpx.sif
        ├── ubuntu-20.04_rocm-5.4.2_picongpu.def
        ├── ubuntu-20.04_rocm-5.4.2_picongpu.sif
        ├── ubuntu-20.04_rocm-5.4.2_warpx.def
        └── ubuntu-20.04_rocm-5.4.2_warpx.sif

The file names for container image reflect the base Linux distribution, and compiler and library versions. For example RockyLinus 8 with the default compiler GCC 8.5:

/cvmfs/phelix.gsi.de/sifs/cpu/dev/rlx8_ompi5_ucx.sif
/cvmfs/phelix.gsi.de/sifs/cpu/dev/rlx8_ompi5_ucx_cma.sif
/cvmfs/phelix.gsi.de/sifs/cpu/dev/rlx8_ompi5_ucx_dask.sif

Similar but with a recent GCC 13.2:

/cvmfs/phelix.gsi.de/sifs/cpu/dev/rlx8_ompi5_ucx_gcc13.sif
/cvmfs/phelix.gsi.de/sifs/cpu/dev/rlx8_ompi5_ucx_gcc13_cma.sif

Getting Started

In order to use a container image of your choice, login to the (non-VAE) cluster submit nodes. These nodes grant access to the bare-metal environment enabling users to launch custom container instance:

# ...login to a (bare-metal) submit node
ssh $USER@virgo.hpc.gsi.de

# ...selecting a RockyLinux 8 container with GCC 8.5.0
export APPTAINER_CONTAINER=/cvmfs/phelix.gsi.de/sifs/cpu/dev/rlx8_ompi5_ucx.sif

# ...bind storage directories to the container
export APPTAINER_BINDPATH=/lustre/rz/<username>/,/cvmfs
export OMPI_MCA_io=romio341

# ...run an application within a container instance
echo "." | srun --export=ALL -- $APPTAINER_CONTAINER epoch3d

MPI Communication

The cluster utilizes Apptainer as container engine in non-setuid mode ¹³ by default. Using non-setuid mode offers several advantages. It enables unprivileged users to build their own containers without requiring any configurations from system administrators. In non-setuid mode, each processes spawned by MPI runs in a dedicated user-namespace which prevent any intra-node optimizations (for example POSIX shared memory or cross memory attach).

A possible workaround is to use a container as service approach ¹⁴ to run a single container instance per node. All MPI processes “join” this instances sharing one user-namespace. Following example illustrates how to adapt a typical EPOCH submit script in order to use a single Apptainer instances per node. Launch of the application is build with two scripts. The batch script run-file-cma.sh:

#!/bin/bash

echo "." | srun  --export=ALL  ./epoch3d.sh

A second script epoch3d.sh first checks if a container instance already exist on the node, otherwise it starts an instance. All consecutive MPI processes created on the node will then “join” the same container instance before execution:

#!/bin/bash

export APPTAINER_CONTAINER=/cvmfs/phelix.gsi.de/sifs/cpu/dev/rlx8_ompi5_ucx_cma.sif
export APPTAINER_CONFIGDIR=/lustre/rz/$USER/apptainer 

export OMP_NUM_THREADS=1
export OMPI_MCA_io=romio341

export EPOCH_EXE=epoch3d

nb_instances=`flock -x /tmp apptainer instance list $SLURM_JOB_ID | grep $SLURM_JOB_ID | wc -l`

if [ $nb_instances -eq 1 ]
then
        echo "Instance already created:  join ..." $nb_instances $SLURMD_NODENAME  
        apptainer exec instance://$SLURM_JOB_ID $EPOCH_EXE 
else
        apptainer instance list $SLURM_JOB_ID | grep $SLURM_JOB_ID | wc -l
        echo "Instance not created:  create it ..." $nb_instances $SLURMD_NODENAME
        flock -o -x /tmp \
              apptainer instance start  -B /lustre -B /cvmfs $APPTAINER_CONTAINER $SLURM_JOB_ID
        apptainer exec instance://$SLURM_JOB_ID $EPOCH_EXE
fi

The scripts above are available in the scripts/cma/ sub-directory of the pp-container repository. Note that race conditions when querying for a container instance are prevented by requiring an advisory lock via the Linux flock command.

Interactive Usage

Once you data is produced you can do analysis using the same containerized environment since it also provide the necessary python libraries:

>>> apptainer exec /cvmfs/phelix.gsi.de/sifs/cpu/rlx8_ompi_ucx.sif bash -l  
Centos system profile loaded ...
Apptainer> python3 --version
Python 3.6.8
Apptainer> python3
Python 3.6.8 (default, Feb 21 2023, 16:57:46) 
[GCC 8.5.0 20210514 (Red Hat 8.5.0-16)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import numpy
>>> import matplotlib
>>> import sdf
...

GPU Containers

A dedicated container images provides the latest WarpX 23.11 used with the cluster gpu partition. The image is built on top of the standard RockyLinux container adding latest Radeon Open Compute (ROCm) ¹⁵ from AMD. The image has been tested on the AMD MI 100 GPUs available on the gpu partition. The gpu_scripts/ sub-directory in the pp-container repository provides example batch scripts to launch a batch job on GPUS:

#!/bin/bash

# Define container image and working directory
export CONT=/cvmfs/phelix.gsi.de/sifs/gpu/dev/rlx8_rocm-5.7.1_warpx.sif
export WDIR=/lustre/rz/<username>/gpu/warpx

# Define I/O module for openMPI 
export OMPI_MCA_io=romio341

# Definie apptainer external filesystems bindings 
export APPTAINER_BINDPATH=/lustre/rz/<username>/,/cvmfs

# Executable with dimentionality and corresponding input deck file.
srun --export=ALL -- $CONT warpx_2d  $WDIR/scripts/inputs/warpx_opmd_deck

Install Software

Install additional packages and software using the provided container images as foundation. Build software within a container environment by stating a container instance for an infective session. The apptainer> prompt indicates the containerized environment. Load your Bash profile by running the bash command (note that your home-directory is automatically mounted to the container):

# ...set an environment variable with the path for the container image to use
export APPTAINER_CONTAINER=/cvmfs/phelix.gsi.de/sifs/cpu/dev/rlx8_ompi5_ucx_cma.sif

# ...start the container mounting shared storage (if required)
apptainer exec $APPTAINER_CONTAINER -B /lustre -B /cvmfs bash -l
Apptainer> 

# ...load your Bash profile
Apptainer> bash
[<username>@lxbk1130 /lustre/rz/<username>]$

You can check for example which version are available within the environment:

>>> g++ --version
g++ (GCC) 8.5.0 20210514 (Red Hat 8.5.0-18)
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

>>> ompi_info | grep ucx
  Configure command line: '--prefix=/usr/local' '--with-pmix=/usr/local' '--with-libevent=/usr' '--with-ompi-pmix-rte' '--with-orte=no' '--disable-oshmem' '--enable-mpirun-prefix-by-default' '--enable-shared' '--without-verbs' '--with-hwloc' '--with-ucx=/usr/local/ucx' '--with-lustre' '--with-slurm' '--enable-mca-no-build=btl-uct' '--with-cma=no'
                 MCA osc: ucx (MCA v2.1.0, API v3.0.0, Component v5.0.0)
                 MCA pml: ucx (MCA v2.1.0, API v2.1.0, Component v5.0.0)

Installation additional software to Lustre shared storage and use it with a batch script similar to:

export APPTAINER_CONTAINER=/cvmfs/phelix.gsi.de/sifs/cpu/dev/rlx8_ompi5_ucx_cma.sif
export APPTAINER_BINDPATH=/lustre/rz/<username>/,/cvmfs
export SLURM_WORKING_DIR=/lustre/rz/<username>/warpx
export OMPI_MCA_io=romio321

srun --export=ALL \
      -- apptainer exec -B /lustre -B /cvmfs $APPTAINER_CONTAINER \
      $my_executable $options

Footnotes

RockyLinux 8.8 Release
https://rockylinux.org/news/rocky-linux-8-8-ga-release↩︎
EPOCH, GitHub
https://github.com/Warwick-Plasma/epoch↩︎
WarpX, GitHub
https://github.com/ECP-WarpX/WarpX↩︎
Lustre Client for Enterprise Linux 8.8, Whamcloud
http://downloads.whamcloud.com/public/lustre/lustre-2.15.3/el8.8/client↩︎
OpenMPI v5, OpenMPI Project
https://www.open-mpi.org/software/ompi/v5.0↩︎
OpenPMIx, GitHub
https://github.com/openpmix/openpmix↩︎
UCX, GitHub
https://github.com/openucx/ucx↩︎
HDF5 Library, The HDF Group
https://www.hdfgroup.org/solutions/hdf5/↩︎
ADIOS2, GitHub
https://github.com/ornladios/ADIOS2↩︎
EPOCH v4.19.0, GitHub
https://github.com/Warwick-Plasma/epoch/releases/tag/v4.19.0↩︎
WarpX Development Branch, GitHub
https://github.com/ECP-WarpX/WarpX/tree/development↩︎
Definition Files, Apptainer User Guide
https://apptainer.org/docs/user/main/definition_files.html↩︎
Security in Apptainer, Apptainer User Guide
https://apptainer.org/docs/user/main/security.html↩︎
Running Services, Apptainer User Guide
https://apptainer.org/docs/user/1.0/running_services.html↩︎
AMD ROCm™ platform, GitHub
https://github.com/RadeonOpenCompute/ROCm↩︎

Using Python on the Compute Cluster

Matteo Dessalvi — Thu, 12 Oct 2023 22:00:00 GMT

This article describes three options for users to configure a custom Python environment to be used with the compute cluster. These options are:

Use of an Apptainer ¹ Container
Use of Conda-Forge ²
Use of a Python Virtual Environment

Using a containerized Python is recommended if no dependencies other then the Python interpreter and its related ecosystem are required. Note that custom containers do not provide any software available from the virtual application environments. In case users are interested in more details then described in this article, we recommend corresponding material from HPC Carpentry for Python ³ and the Python HPC Community ⁴.

Apptainer Container

Depending on the target hardware different container images are recommended:

For CPU workloads JupyterLab ⁵ containers are the best choice in terms of options available, e.g. frameworks like TensorFlow, Scipy, Spark or languages like Julia or R. Please refer to the official documentation ⁶ in order to see which container may be better suited for your application.
For GPU workloads it is preferable to use container images provided by either the AMD Infinity Hub ⁷ or the NVIDIA Registry ⁸ for the respective hardware.

A simple array example which uses NumPy:

#!/usr/bin/env python

import numpy as np

array = np.array([
    [3, 7, 1],
    [10, 3, 2],
    [5, 6, 7]
])
print(array)
print()

# Sort the whole array
print(np.sort(array, axis=None))

# Sort along each row
print(np.sort(array, axis=1))

# Sort along each column
print(np.sort(array, axis=0))

Pull the JupyterLab data-science container from Docker Hub:

apptainer pull docker://jupyter/datascience-notebook:latest

Test the container interactively with the previous script:

apptainer exec datascience-notebook.sif numpy_array.py

Refer to the container section in the Virgo User Guide for instructions on how to submit an container as batch job on the compute cluster.

Conda-Forge

Alternative to a container it is possible to install a standalone Python installation using Conda-Forge, a community-driven installer for Python. Note that Anaconda and Miniconda should not be used on the cluster infrastructure due its licence!

Anaconda Inc. Licence Terms of Service

In the end of 2020 Anaconda Inc. updated its licence terms of service ⁹. The change is targeted primarily thwarts commercial companies. Despite being a scientific institute GSI is not qualified for a non-commercial license unfortunately. As a consequence to that:

Use of the default Anaconda package channels is not allowed!

The terms of service change does not apply to Conda-Forge, nor to other channels hosted on anaconda.org ¹⁰. It applies only to the default channel and other software hosted on repo.anaconda.com ¹¹. We kindly ask and strongly recommend to use Conda-Forge for your Python based projects.

Installation

Download the latest version of Miniforge ¹² and perform the installation, as exemplified below. If a prefix is not specified with the APP_DIR environment variable, then Miniforge will be installed in your home-directory by default:

# Download the installer...
curl -OL https://github.com/conda-forge/miniforge/releases/latest/download/Miniforge3-Linux-x86_64.sh

# ...set a prefix environment variable
APP_DIR="~/opt/conda"
# ...run the install passing the prefix as option
/bin/sh Miniforge3-Linux-x86_64.sh -b -p ${APP_DIR}

# ...load the installation into your shell environment
source ${APP_DIR}/etc/profile.d/conda.sh

The source command will add the conda executable to the $PATH environment variable. Use conda command to manage the environment…

# ...modifies your shell prompt and show (base) as prefix
conda activate

# ...print information about Conda
conda info

# ...remove Conda from your shell environment
conda deactivate

Usage

Search and install Python packages…

# ...search for packages
conda search $package_name

# ...install a package with a specified version...
conda install pytorch=2.0.0=cpu_py39he4d1dc0_0

Work with environments…

# create a new environment with basic options
conda create -n $env_name

# switch to the newly created environment
conda activate $env_name

# install packages within the environment
conda install $package_name

# list installed packages
conda list

# remove an environment
conda env remove -n $env_name

Virtual Environments

Python virtual environments are useful if you do not want to maintain a complete Python installation yourself, but rather a small subset of Python packages. The virtual application environments provide Python as loadable Spack package:

# Load the Python interpreter...
spack load python target=$(spack arch -t)

# ...and create a virtual environment
python -m venv myEnv

Initialize the environment: source venv/bin/activate (the environment can be deactivated simply with: deactivate)
Installation of additional modules can be done simply with pip install.

Note that the installation directory (if not specified otherwise) will always be $HOME/myEnv, so your Linux home directory (/u/$USER) will be used as default installation path which poses a problem when a job is launched via Slurm since the home directory is not available on the batch farm.

If you decide to use a directory on Lustre to deploy Python virtual environments, we will kindly ask you to avoid having dozens of “big” frameworks installed (e.g. TensorFlow, PyTorch, etc.) at the same time. This would affects the performance of the shared storage for all users. Please read the Lustre best practices section in the User Guide for more details. Consider to use containers as described above instead.

Footnotes

Apptainer Website
https://apptainer.org/↩︎
Conda Forge Website
https://conda-forge.org↩︎
HPC Carpentry for Python
https://www.hpc-carpentry.org/hpc-python↩︎
Python for HPC: Community Materials
https://betterscientificsoftware.github.io/python-for-hpc/python-for-hpc↩︎
JupyterLab Docker Stack, Github
https://github.com/jupyter/docker-stacks↩︎
Selecting an Image, JupyterLab Docker Stack Documentation
https://jupyter-docker-stacks.readthedocs.io/en/latest/using/selecting.html↩︎
AMD Infinity Hub
https://www.amd.com/en/technologies/infinity-hub↩︎
NVIDIA Container Registry
https://catalog.ngc.nvidia.com/collections↩︎
Package Distribution and the anaconda.com Terms of Service, Conda-Forge Blog
https://conda-forge.org/blog/posts/2020-11-20-anaconda-tos↩︎
Anaconda Inc. Website
https://anaconda.org↩︎
Anaconda Packages, Anaconda Inc.
https://repo.anaconda.com↩︎
Miniforge, GitHub
https://github.com/conda-forge/miniforge↩︎