- OSG has made significant progress in testing/integrating/using Singularity
- 15 sites, 1M jobs this week, 40-60% of the pool
- OSG sites seem to have no problem with SUID: sites trust OSG
- ~200 lines of script needed to set up the environment properly
- Isolation as expected: pilot credentials, environment and logs protected
- CMS integration thought to be easy: same tools
- As of April 1st, sites might expose a RHEL7 environment to the pilot if and only if they also provide Singularity (very few to no jobs otherwise)
- GLExec still expected if RHEL6 environment exposed (and no singularity)
- Container model for OSG: pull docker 'images' (as flat files) into CVMFS
- Some validation is done by the OSG team before merging, but an image is basically the responsibility of the user who asked for it
- Not a requirement from CMS (two basic images needed: RHEL6 & RHEL7) but one for OSG (esp. users coming from a Docker environment)
- It's possible to run Singularity within a Docker container (but not in the default configuration):
- Docker isolates pilots from each other and from the site
- Singularity isolates user payloads from each other and from the pilot
- Security review:
- Brian (OSG) is still looking for effort through CTSC: they are still busy reviewing HTCondorCE (requested by OSG a few months ago, before Singularity appeared). In the worst case, effort should be available after that review (end of summer/early autumn)
- Maarten:
- No success with the team that was in Barcelona and did the review for EGI (leader now in CTSC)
- Another attempt with a team in Poland: not agreed, but not completely turned down either
- University from the WhiteHat program at CERN: nothing yet
- Access to the small Singularity test cluster at CERN: still waiting for Ben to broadcast access to all VOs (currently used by CMS only)