singularity icon indicating copy to clipboard operation
singularity copied to clipboard
verified publisher icon sylabs

Build From Dockerfile (native mode non-OCI-SIF)

Open dtrudg opened this issue 4 years ago • 7 comments

Is your feature request related to a problem? Please describe. Some projects don't have ready built or up-to-date containers, but do have a Dockerfile. At present you cannot build these containers with Singularity without translating the Dockerfile to a Singularity definition file.

Describe the solution you'd like What about Singularity being able to build from a Dockerfile (with a limited subset of functionality for anything in a Singularity recipe that doesn’t map to a Docker directive) so the user doesn’t need to re-write recipes?

Additional context Proposed on roadmap doc by @vsoch

dtrudg avatar Jun 03 '21 20:06 dtrudg

We've shuffled this issue around on & off milestones now, because we have a few concerns about how complete and consistent this type of feature could be, if added to Singularity at this time.

A couple of thoughts:

  1. Many people we've spoken to requesting better support for containers that come from Dockerfiles have been clear that they mainly work in OCI land, and then pull OCI images to SIF to use Singularity as a runtime. podman, buildah, etc. are valid options for many sites at this point - to build from Dockerfiles, faithfully. Therefore for the Singularity runtime we've concentrated more on the idea of runtime compatibility.

  2. Singularity hasn't supported, and still doesn't support, (at runtime) everything that can be expressed in a container built from a Dockerfile. We've been working to improve OCI compatibility with each release, and we have a big push coming up to integrate a low-level OCI runtime that can provide a big jump in that regard (https://sylabs.staging.sycloud.io/2022/02/singularityce-4-0-and-beyond/). The general theme of the roadmap is for continuous incremental OCI compatibility improvements, so there is a bit of concern about bringing in new features that add a new angle to OCI compatibility considerations,, but with significant caveats in what is faithfully supported. Essentially we don't want to add to the list of 'this OCI thing works in Singularity, except a, b, c don't` that users have to consider. We only want to remove the limitations.

I think we'd like to see a clear path to fully faithful Dockerfile builds, if we are going to add functionality and promote Singularity as a Dockerfile builder. So we need to work through:

  • What things in a Dockerfile can / cannot be supported?
    • (a) at build time
    • (b) at run time (like USER)
  • How will this fit in with the move toward using runc, and gradually away from the singularity native runtime (note we are not replacing it in 4.0 / removing functionality) - which is the big direction on the roadmap through 4.0 (we don't want to do a lot of work that is specific to the existing runtime)?
  • How would this impact what works with remote builds vs local builds?
  • Does any of the work have implications around support for older distros, such as RHEL7?

Note - none of this precludes exploring approaches. I just want to be up-front that fitting this feature into the Singularity roadmap is more complex than it might appear at first.

dtrudg avatar Jun 22 '22 14:06 dtrudg

Going to add our notes from chat here for keeping! My plan is to give this a first pass so we can then have deeper discussion (and it's really no worries if we don't use what I ultimately make, this is going to be fun!)

  • I would parse the Dockerfile sections into their corresponding Singularity sections, and return that "same" set of sections to build. I've done it in Python so I have a sense of how to go about it, so the only part of buildkit I'd want is the nice parser (to give me original pieces).
  • at build time we'd start with FROM RUN COPY/ADD and CMD, and issue warnings for others for the time being. We cannot support USER in singularity until there is actual support (and I saw an issue about runc and that I think?)
  • I don't know enough about what "singularity native runtime" means, but if I can parse the same content into the singularity stages arguably it could be compatible?
  • No idea about RHEL7! I used to have a RHEL7 machine but it zonked with an update and I'm sending it back to the lab.

For this first pass it might just be for thinking / testing, and then either we can think through a plan that works (and for future singularity changes) or it could be something akin to a plugin. Either way I decided to work on it because (in my head at least) it seems straight forward and fun to do, even if it can't be added :slightly_smiling_face:

vsoch avatar Jun 22 '22 17:06 vsoch

Hi @vsoch.

In the interest of being open about other Sylabs plans around Dockerfile builds, we are also planning to add the ability to cloud.sylabs.io / Singularity Enterprise, for users to submit Dockerfiles. They would be built in the service using an OCI builder backend, not Singularity, and both OCI and SIF output would be produced.

This obviously doesn't block exploring building Dockerfiles in Singularity itself. We just want to be up-front about another angle where we'll need to consider consistency, user-experience, etc.

EmmEff avatar Jun 22 '22 18:06 EmmEff

Oh neat! So I'm actually done writing it, just coming up with good tests. I should have a PR soon after that.

Like I said, totally okay if you don't want to use this.

vsoch avatar Jun 22 '22 18:06 vsoch

I am looking forward to seeing what you've done.

EmmEff avatar Jun 22 '22 18:06 EmmEff

yeah!! Here is a sneak preview:

$ sudo ./singularity build container.sif Dockerfile
INFO:    Starting build...
Getting image source signatures
Copying blob 2408cc74d12b skipped: already exists  
Copying config a366738a18 done  
Writing manifest to image destination
Storing signatures
2022/06/22 13:00:12  info unpack layer: sha256:2408cc74d12b6cd092bb8b516ba7d5e290f485d3eb9672efc00f0583730179e8
INFO:    Running post scriptlet
+ apk update
fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/community/x86_64/APKINDEX.tar.gz
v3.16.0-196-g143603d2cf [https://dl-cdn.alpinelinux.org/alpine/v3.16/main]
v3.16.0-201-g5317e55db7 [https://dl-cdn.alpinelinux.org/alpine/v3.16/community]
OK: 17026 distinct packages available
INFO:    Adding startscript
INFO:    Creating SIF file...
INFO:    Build complete: container.sif

Sorry I'm slow on the tests, as @dtrudg can attest it's my weak point!

vsoch avatar Jun 22 '22 19:06 vsoch

Noting here that the title of this issue has been edited so that it is clear it applies to building from a Dockerfile, using Singularity's native runtime, to a Singularity SIF file that is not an OCI-SIF image.

A separate issue #2218 now exists concerned with the addition of an OCI-mode build that uses OCI tooling to build from a Dockerfile into an OCI-SIF.

dtrudg avatar Sep 21 '23 11:09 dtrudg