HPCwire: Greg, maybe provide a quick refresher snapshot of container technology and distinguish it from VMs, and touch on the important characteristics of HPC/advanced scale containers.
Gregory Kurtzer: HPC and what we call EPC (Enterprise Performance Compute) focused applications require direct integration with the host operating system and underlying hardware. In contrast, services require isolation from each other and from the host’s resources. Singularity is designed to mitigate security issues when running containers as non-root, and thus blur the line between host and container. Singularity is also highly performant on both startup and teardown and will completely get out of the way, allowing the application to execute without any interference from the container runtime.
HPCwire: Filling out the container ecosystem a bit, explain the role of deployment/management tools such as Kubernetes or other tools such as job schedulers.
Kurtzer: Job schedulers have been part of the core ecosystem on HPC for a long time. Now, with the advent of containers on HPC, we are seeing both HPC and EPC users interested in deployment tools, such as Kubernetes/Kubeflow, for their compute workloads. But the container ecosystem demands more than what a job scheduler offers; now users want to build their containers asynchronously, store them in a clear and verifiably reproducible way, and run their workloads on a different set of resources across multiple resources. These tools now play a big role for users trying to move their workloads between onprem and the cloud.
HPCwire: Looking at the traditional HPC environment (academia and government) and enterprise and financial service sector in particular, how do the container use patterns/needs differ and where are they similar?
Kurtzer: In academia and government, the HPC ecosystem consists of a wide variety of use cases, ranging from massively parallel tightly coupled MPI based applications to single threaded, interpreted based workloads (scripts). The EPC and financial services sector tend to generally have more serial based workloads, but given that all of these are focused on performance and compute, many of them have a very similar nature to the needs of academic and government HPC.
This means that the financial sector resources may not have InfiniBand for interprocess communication, or a parallel file system, but they do need low latency networks usually with TCP offloading for HFT requirements. Additionally, they need to manage unprivileged users and resource management with scheduling as a traditional HPC resource would, but they also need to handle orchestration, CI/CD, DevOps, policy compliance, and change management with validation of their workflows. Singularity is uniquely designed for this.
HPCwire: Security is an issue that is often flagged with Docker and one that’s obviously important in the FS world. What are the security challenges container technology presents and how are they best solved?
Singularity is unique in how it handles security, privilege, and user access. Designed to allow untrusted users to run untrusted containers but in a trusted way, Singularity allows non-root users the ability to run containers while locking their privilege within the container. Singularity actually blocks privilege escalation attempts within the container, so from a security point of view, it is safer for users to run applications from within Singularity.
This use case is not limited to just HPC. Imagine being able to run any service through a container without ever being root, and mitigating to ensure that anything running inside that container can never become root.
But security is also rooted within trust. Singularity (as of version 3.0, which is slated to be released in early October), can support cryptographically signed containers. This means you can trust your container runtime environment. Furthermore, with the Sylabs keystore cloud service, you can verify containers and provide accountability back to the developer. Coupling that with the ability to revoke keys means we can limit the “blast radius” of a given exposure.
Between our security model and trusted environments, Singularity and Sylabs adds an entirely new layer of security to your existing environments.
HPCwire: What are some of the dominant HPC-related container use cases in FS you are seeing?
Kurtzer: We are seeing Singularity’s use cases in EPC and the financial sectors gaining momentum on data driven analytics, simulation, HFT (high frequency trading), and starting to see an uptake in AI for market prediction.
HPCwire: When we talked a little over a year ago, you said Singularity had only a smattering of commercial users. How has that changed and why?
Kurtzer:We have a public “Singularity Registry” in which people can voluntarily list their computational resources which support Singularity. Unsurprisingly it consists almost exclusively of academic and government non-classified systems; most commercial users do not list their resources there. So it is somewhat of a surprise to us every time we are contacted by a commercial organization that is already using Singularity. At this point, we have been contacted by large number of commercial end-users as well as hardware and software providers who are interested in working with us to satisfy the requests of their customers.
One of the motivators here has been on our release of SingularityPRO. SingularityPRO is a curated version of the open source codebase and thus it is made of 100 percent open source software. But, we give a 2-week priority of security updates to paying customers as well as make available the Sylabs Keystore for cryptographic validation of containers (a freemium service to open source users). Lastly, we offer commercial support, training materials, and professional services to PRO customers exclusively as we do not provide enterprise support on the open source codebase.
HPCwire: Can you comment on the growth of Singularity (and other HPC flavors of containers) in the enterprise broadly and perhaps its segments such as FS and manufacturing, etc.
Kurtzer: Singularity’s growth in the enterprise is like a step function, starting with the low hanging fruit of commercial HPC and EPC which introduces Singularity to these enterprises organizations. From there, we have seen that other groups within the organization are introduced to Singularity and love its ease of use, security differentiators, and the novel single-file container image format.
The biggest barrier so far has been the lack of compatibility with existing resources like Kubernetes; but we will soon be releasing a solution for exactly this, so stay tuned!
HPCwire: How is container technology well suited for FS, and what are the challenges?
Kurtzer: Container technology in general is changing the paradigm about what it means to package and distribute software. Singularity takes this to the next level. For example, the Singularity Image Format is to containers what RPM and DEB files are to source code. Our image format, modeled after the ELF binary format in Linux, offers flexibility, control, and cryptographic verification, and thus guaranteed immutability. This changes the DevOps paradigm and offers bit for bit reproducibility and trust.
But for financial services, there are other requirements that have historically made containerization a non-starter. For example, the networking layers of other container systems introduce too much latency for HFT and distributed workflows. Fortunately, Singularity, being designed for performance and compute, does not suffer the same outcome as Singularity does not introduce additional latencies in the network, memory, or IO subsystems.
HPCwire: What kinds of forthcoming container technology changes will help FS segment?
Kurtzer: Security is key as is trust via cryptographic signing and encryption. Additionally, integration with existing resources (Kubernetes, Kubeflow, Mesos), performance metrics, tighter integration into existing workflows, and leveraging a community with an already strong knowledge of the container space.
HPCwire: What’s ahead for container technology, in particular for HPC-capable container technology.
Kurtzer: We see PMIx being a big help for MPI and we are working with Mellanox to solve the OFED compatibility layer.
In terms of the container ecosystem, we are soon to release a Container Library and Marketplace for purchasing of premade containers. This will provide software providers the ability to have software vendors shipping their applications as signed Singularity containers.
HPCwire: It seems like heterogeneous architectures (CPU-Accelerator) are becoming a fact of life with processors diversity in particular – Intel, AMD, IBM/Power, ARM, RISCv – further complicating platform selection and use. How does this affect container technology and what challenges (port to processors, etc.) does it present? For example, which processors does Singularity support.
Kurtzer: There is no limit to which platforms can run compute-driven analytics. Because of this, we support everything possible, including GPU and interconnects. Also, the Singularity Image Format (SIF) contains metadata about what architectures it is built and optimized for such that orchestrators can easily glean insights from the container image itself for orchestration.
HPCwire: Do you expect a convergence between varying flavors?
Kurtzer: No. Options are good as each solution offers variety. There will always be Gnome and KDE, Vim and Emacs, Perl and Python, Docker and Singularity.
HPCwire: You’ve talked in the past about how containers potentially represent a paradigm change in the way applications are delivered; how is this playing out and what should we expect?
Kurtzer: 451 Research believes the application market space to grow to $1.6B in 2018 alone. If the market is growing that rapidly, support of the market needs to be there. Sylabs will be there to support it in terms of technology enhancements and services, including working with other open source projects to create solutions to cover a broad spectrum of customer problems.