• OSG has made significant progress in testing/integrating/using Singularity
  • 15 sites, 1M jobs this week, 40-60% of the pool
  • OSG sites seem to have no problem with SUID: sites trust OSG
  • ~200 lines of script needed to setup environment properly
  • Isolation as expected: pilot credentials, environment and logs protected
• CMS integration thought to be easy: same tools
  • As of April 1st, sites might expose RHEL7 environment to the pilot if and only if they also provide singularity (very few to no job otherwise)
  • GLExec still expected if RHEL6 environment exposed (and no singularity)
• Container model for OSG: pull docker 'images' (as flat files) into CVMFS
  • Some validation made by OSG team before merging, but basically under responsibility of the user who asked for it
  • Not a requirement from CMS (two basic images needed: RHEL 6 & RHEL7) but for OSG (esp. users coming from a docker environment)
• It's possible to run singularity within a docker container (but not default configuration):
  • Docker isolate pilots from themselves and from the site
  • Singularity isolate user payload from themselves and from the pilot
• Security review:
  • Brian (OSG) still looking for effort through CTSC: they are still busy with reviewing HTCondorCE (asked by OSG few months ago, before singularity appeared). In the worst case, effort should be available after that review (end of summer/early autumn)
  • Maarten:
    • No success with the team that was in Barcelona and made review for EGI (leader now in CTSC)
    • Another trial with a team in Poland: not agreed but not completed turned off either
    • University from the WhiteHat program at CERN: nothing yet
• Access to small singularity test cluster at CERN: still waiting for Ben to broadcast access to all VOs (currently used by CMS only)