9:53 a.m.
Regarding the email thread:
"We are working on creating a FAQ for Podman"
I'm curious about the question:
What are the main differences between Podman and Singularity?
I think in the academic world Singularity has become quite popular.
The PhD students in my work place build the SIF (Singularity Image
Format) file on their local computer and then copy it to the cluster
with the scp command and run it there. (In some research HPC compute
clusters they have installed Singularity)
(Not so much of an answer but I tried to describe the situation where
I get the question).
6 a.m.
New subject: What are the main differences between Podman and Singularity? (Possible FAQ)
Erik Sjölund wrote:
Regarding the email thread:
"We are working on creating a FAQ for Podman"
I'm curious about the question:
What are the main differences between Podman and Singularity?
I think in the academic world Singularity has become quite popular.
The PhD students in my work place build the SIF (Singularity Image
Format) file on their local computer and then copy it to the cluster
with the scp command and run it there. (In some research HPC compute
clusters they have installed Singularity)
(Not so much of an answer but I tried to describe the situation where
I get the question).
I agree, I have done some presentations on both Podman and Singularity.
Will post the presentation links over at https://boot2podman.github.io/
Sometimes I think that Podman focuses too much on competing with Docker.
And that Docker focuses more on Mac and Win (not Linux), these days...
/Anders
3:19 p.m.
New subject: What are the main differences between Podman and Singularity? (Possible FAQ)
On 6/8/20 07:00, Anders F Björklund wrote:
Erik Sjölund wrote:
> Regarding the email thread:
> "We are working on creating a FAQ for Podman"
>
> I'm curious about the question:
> What are the main differences between Podman and Singularity?
>
> I think in the academic world Singularity has become quite popular.
>
> The PhD students in my work place build the SIF (Singularity Image
> Format) file on their local computer and then copy it to the cluster
> with the scp command and run it there. (In some research HPC compute
> clusters they have installed Singularity)
>
> (Not so much of an answer but I tried to describe the situation where
> I get the question).
Podman is getting quite Popular in the HPC world and competing against
singularity.
One major issue with Singularity recently is that it dropped
"enterprise" support, and
since RHEL supports Podman, customers are working with us on it.
But in the opensource world people are also interested in moving HPC
workloads to
the OCI/Container world.
We have added lots of features to make Podman more attractive to HPC. A
few of them
being
1 Rootless Podman - HPC Customers want to run their containers with as
little privilege as possible
2 ignore_chown_errors - We added a field to containers/storage
storage.conf to allow HPC Customers to setup
their environments to be able to run any container from a container
registry like quay.io or docker.io within a single UID. Basically this
flag tells containers/storage when it pulls and image and has a file not
owned by root to ignore the error when it attempts to chown it to
non-root. This means the file remains owned by root of the
usernamespace, meaning the users UID.
3. We have added support for containers.conf which allows administrators
including HPC users, to customer the defaults of podman. HPC users tend
to want to run with limited namespaces and additional volumes mounted
into their containers.
We have several features in Podman that are better then signularity.
Starting with working with the OCI World, better namespace support,
better security with SELinux, SECCOMP, User namespace support.
> I agree, I have done some presentations on both Podman and
Singularity.
> Will post the presentation links over at https://boot2podman.github.io/
>
> Sometimes I think that Podman focuses too much on competing with Docker.
> And that Docker focuses more on Mac and Win (not Linux), these days...
We want to be able to work in all domains. As I stated above we have
been working with the HPC Community,
we are working on MAC/Windows support and continue to concentrate on
linux features.
But we are an opensource project, so we will work where the community
takes us.
>
> /Anders
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io
3:49 p.m.
New subject: SELinux
Hi,
has you are talking about SELinux support below. Is there a way to
prevent processes in a container to write to the disk or modify files?
Any example would be great. I found
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
but I want not able to restrict the disk access and still be able to
start the container.
thanks,
Hendrik
On 6/8/20 10:19 PM, Daniel Walsh wrote:
On 6/8/20 07:00, Anders F Björklund wrote:
> Erik Sjölund wrote:
>> Regarding the email thread:
>> "We are working on creating a FAQ for Podman"
>>
>> I'm curious about the question:
>> What are the main differences between Podman and Singularity?
>>
>> I think in the academic world Singularity has become quite popular.
>>
>> The PhD students in my work place build the SIF (Singularity Image
>> Format) file on their local computer and then copy it to the cluster
>> with the scp command and run it there. (In some research HPC compute
>> clusters they have installed Singularity)
>>
>> (Not so much of an answer but I tried to describe the situation where
>> I get the question).
Podman is getting quite Popular in the HPC world and competing against
singularity.
One major issue with Singularity recently is that it dropped
"enterprise" support, and
since RHEL supports Podman, customers are working with us on it.
But in the opensource world people are also interested in moving HPC
workloads to
the OCI/Container world.
We have added lots of features to make Podman more attractive to HPC. A
few of them
being
1 Rootless Podman - HPC Customers want to run their containers with as
little privilege as possible
2 ignore_chown_errors - We added a field to containers/storage
storage.conf to allow HPC Customers to setup
their environments to be able to run any container from a container
registry like quay.io or docker.io within a single UID. Basically this
flag tells containers/storage when it pulls and image and has a file not
owned by root to ignore the error when it attempts to chown it to
non-root. This means the file remains owned by root of the
usernamespace, meaning the users UID.
3. We have added support for containers.conf which allows administrators
including HPC users, to customer the defaults of podman. HPC users tend
to want to run with limited namespaces and additional volumes mounted
into their containers.
We have several features in Podman that are better then signularity.
Starting with working with the OCI World, better namespace support,
better security with SELinux, SECCOMP, User namespace support.
>> I agree, I have done some presentations on both Podman and Singularity.
>> Will post the presentation links over at https://boot2podman.github.io/
>>
>> Sometimes I think that Podman focuses too much on competing with Docker.
>> And that Docker focuses more on Mac and Win (not Linux), these days...
We want to be able to work in all domains. As I stated above we have
been working with the HPC Community,
we are working on MAC/Windows support and continue to concentrate on
linux features.
But we are an opensource project, so we will work where the community
takes us.
>> /Anders
>> _______________________________________________
>> Podman mailing list -- podman(a)lists.podman.io
>> To unsubscribe send an email to podman-leave(a)lists.podman.io
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
4:39 p.m.
New subject: SELinux
On 6/8/20 16:49, Hendrik Haddorp wrote:
Hi,
has you are talking about SELinux support below. Is there a way to
prevent processes in a container to write to the disk or modify files?
Any example would be great. I found
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
but I want not able to restrict the disk access and still be able to
start the container.
thanks,
Hendrik
$ podman run --read-only -ti fedora sh
# id
uid=0(root) gid=0(root) groups=0(root)
# touch /dan
touch: cannot touch '/dan': Read-only file system
#
The only place the container is able to write is to tmpfs mounted in the
container.
On 6/8/20 10:19 PM, Daniel Walsh wrote:
> On 6/8/20 07:00, Anders F Björklund wrote:
>> Erik Sjölund wrote:
>>> Regarding the email thread:
>>> "We are working on creating a FAQ for Podman"
>>>
>>> I'm curious about the question:
>>> What are the main differences between Podman and Singularity?
>>>
>>> I think in the academic world Singularity has become quite popular.
>>>
>>> The PhD students in my work place build the SIF (Singularity Image
>>> Format) file on their local computer and then copy it to the cluster
>>> with the scp command and run it there. (In some research HPC compute
>>> clusters they have installed Singularity)
>>>
>>> (Not so much of an answer but I tried to describe the situation where
>>> I get the question).
> Podman is getting quite Popular in the HPC world and competing against
> singularity.
>
> One major issue with Singularity recently is that it dropped
> "enterprise" support, and
>
> since RHEL supports Podman, customers are working with us on it.
>
> But in the opensource world people are also interested in moving HPC
> workloads to
>
> the OCI/Container world.
>
> We have added lots of features to make Podman more attractive to HPC. A
> few of them
>
> being
>
> 1 Rootless Podman - HPC Customers want to run their containers with as
> little privilege as possible
>
> 2 ignore_chown_errors - We added a field to containers/storage
> storage.conf to allow HPC Customers to setup
>
> their environments to be able to run any container from a container
> registry like quay.io or docker.io within a single UID. Basically this
> flag tells containers/storage when it pulls and image and has a file not
> owned by root to ignore the error when it attempts to chown it to
> non-root. This means the file remains owned by root of the
> usernamespace, meaning the users UID.
>
> 3. We have added support for containers.conf which allows administrators
> including HPC users, to customer the defaults of podman. HPC users tend
> to want to run with limited namespaces and additional volumes mounted
> into their containers.
>
>
> We have several features in Podman that are better then signularity.
> Starting with working with the OCI World, better namespace support,
> better security with SELinux, SECCOMP, User namespace support.
>
>>> I agree, I have done some presentations on both Podman and
>>> Singularity.
>>> Will post the presentation links over at
>>> https://boot2podman.github.io/
>>>
>>> Sometimes I think that Podman focuses too much on competing with
>>> Docker.
>>> And that Docker focuses more on Mac and Win (not Linux), these days...
> We want to be able to work in all domains. As I stated above we have
> been working with the HPC Community,
>
> we are working on MAC/Windows support and continue to concentrate on
> linux features.
>
> But we are an opensource project, so we will work where the community
> takes us.
>
>>> /Anders
>>> _______________________________________________
>>> Podman mailing list -- podman(a)lists.podman.io
>>> To unsubscribe send an email to podman-leave(a)lists.podman.io
>
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
1:44 a.m.
New subject: SELinux
thanks, had never read about that switch, makes me wonder what other
cool features I might have overlooked as well
On 6/8/20 11:39 PM, Daniel Walsh wrote:
On 6/8/20 16:49, Hendrik Haddorp wrote:
> Hi,
>
> has you are talking about SELinux support below. Is there a way to
> prevent processes in a container to write to the disk or modify files?
> Any example would be great. I found
>
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
>
> but I want not able to restrict the disk access and still be able to
> start the container.
>
> thanks,
> Hendrik
$ podman run --read-only -ti fedora sh
# id
uid=0(root) gid=0(root) groups=0(root)
# touch /dan
touch: cannot touch '/dan': Read-only file system
#
The only place the container is able to write is to tmpfs mounted in the
container.
> On 6/8/20 10:19 PM, Daniel Walsh wrote:
>> On 6/8/20 07:00, Anders F Björklund wrote:
>>> Erik Sjölund wrote:
>>>> Regarding the email thread:
>>>> "We are working on creating a FAQ for Podman"
>>>>
>>>> I'm curious about the question:
>>>> What are the main differences between Podman and Singularity?
>>>>
>>>> I think in the academic world Singularity has become quite popular.
>>>>
>>>> The PhD students in my work place build the SIF (Singularity Image
>>>> Format) file on their local computer and then copy it to the cluster
>>>> with the scp command and run it there. (In some research HPC compute
>>>> clusters they have installed Singularity)
>>>>
>>>> (Not so much of an answer but I tried to describe the situation where
>>>> I get the question).
>> Podman is getting quite Popular in the HPC world and competing against
>> singularity.
>>
>> One major issue with Singularity recently is that it dropped
>> "enterprise" support, and
>>
>> since RHEL supports Podman, customers are working with us on it.
>>
>> But in the opensource world people are also interested in moving HPC
>> workloads to
>>
>> the OCI/Container world.
>>
>> We have added lots of features to make Podman more attractive to HPC. A
>> few of them
>>
>> being
>>
>> 1 Rootless Podman - HPC Customers want to run their containers with as
>> little privilege as possible
>>
>> 2 ignore_chown_errors - We added a field to containers/storage
>> storage.conf to allow HPC Customers to setup
>>
>> their environments to be able to run any container from a container
>> registry like quay.io or docker.io within a single UID. Basically this
>> flag tells containers/storage when it pulls and image and has a file not
>> owned by root to ignore the error when it attempts to chown it to
>> non-root. This means the file remains owned by root of the
>> usernamespace, meaning the users UID.
>>
>> 3. We have added support for containers.conf which allows administrators
>> including HPC users, to customer the defaults of podman. HPC users tend
>> to want to run with limited namespaces and additional volumes mounted
>> into their containers.
>>
>>
>> We have several features in Podman that are better then signularity.
>> Starting with working with the OCI World, better namespace support,
>> better security with SELinux, SECCOMP, User namespace support.
>>
>>>> I agree, I have done some presentations on both Podman and
>>>> Singularity.
>>>> Will post the presentation links over at
>>>> https://boot2podman.github.io/
>>>>
>>>> Sometimes I think that Podman focuses too much on competing with
>>>> Docker.
>>>> And that Docker focuses more on Mac and Win (not Linux), these days...
>> We want to be able to work in all domains. As I stated above we have
>> been working with the HPC Community,
>>
>> we are working on MAC/Windows support and continue to concentrate on
>> linux features.
>>
>> But we are an opensource project, so we will work where the community
>> takes us.
>>
>>>> /Anders
>>>> _______________________________________________
>>>> Podman mailing list -- podman(a)lists.podman.io
>>>> To unsubscribe send an email to podman-leave(a)lists.podman.io
>> _______________________________________________
>> Podman mailing list -- podman(a)lists.podman.io
>> To unsubscribe send an email to podman-leave(a)lists.podman.io
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
1:16 p.m.
New subject: What are the main differences between Podman and Singularity? (Possible FAQ)
Daniel Walsh wrote:
>> Sometimes I think that Podman focuses too much on competing
with Docker.
>> And that Docker focuses more on Mac and Win (not Linux), these days...
We want to be able to work in all domains. As I stated above we have
been working with the HPC Community,
we are working on MAC/Windows support and continue to concentrate on
linux features.
But we are an opensource project, so we will work where the community
takes us.
That is great to hear (about the HPC features), looking forward to
following both Open Source projects (i.e. Podman and Singularity)
Interesting to hear about the planned Mac and Win support, maybe
there will be no need for a podman-machine project either then...
/Anders
2:11 p.m.
New subject: What are the main differences between Podman and Singularity? (Possible FAQ)
On 6/9/20 14:16, Anders F Björklund wrote:
Daniel Walsh wrote:
>>> Sometimes I think that Podman focuses too much on competing with Docker.
>>> And that Docker focuses more on Mac and Win (not Linux), these days...
> We want to be able to work in all domains. As I stated above we have
> been working with the HPC Community,
>
> we are working on MAC/Windows support and continue to concentrate on
> linux features.
>
> But we are an opensource project, so we will work where the community
> takes us.
That is great to hear (about the HPC features), looking forward to
following both Open Source projects (i.e. Podman and Singularity)
Interesting to hear about the planned Mac and Win support, maybe
there will be no need for a podman-machine project either then...
/Anders
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
No I think we will always need an opensource VM to handle the remote VM.
1627
days inactive
1631
days old
7 comments
4 participants
participants (4)
-
Anders F Björklund -
Daniel Walsh -
Erik Sjölund -
Hendrik Haddorp