Containerization with Podman

Historically we have used exclusively Docker containers in HySDS, which works well, but is not suitable for all compute systems because it requires a privileged daemon running at all times. On some hosts, like NASA supercomputers (e.g., Pleiades), we do not have root access and we share the resources with many other users, so we must seek out light-weight solutions that run in user space. We previously wrapped Verdi in a Singularity container on Pleiades and successfully linked it to the rest of the HySDS workflow. Like Docker, Singularity uses a persistent daemon, but it is more suitable for hosts like Pleiades because it does not require root access. On this page we document our findings with a third containerization option, Podman, which is advertised as a rootless, daemonless solution.

Our main findings with podman so far are:

  1. It does require root for a normal install (lots of sudo on https://podman.io/getting-started/installation.html, and there was a discussion that a non-root install would be difficult, but not impossible). Once installed, podman can then be used as a normal user. However, the rootless version has serious limitations, as described at Shortcomings of Rootless Podman. The most notable of these with regard to use on Pleiades is the lack of support for NFS mounts and parallel file systems (like Lustre). NFS and parallel filesystems enforce file creation on different UIDs on the server side and do not understand User Namespaces.

  2. It is for Linux only, though there is a remote client for Mac and Windows.

  3. It does look like a direct drop-in replacement for docker, with the same syntax for most of the common docker actions ("just `alias docker=podman`" is the way one of the docs put it, and that looks accurate). However, podman does not natively support something like docker compose, but there are alternatives available for that (see item 6 below).

  4. podman also supports a concept of pods like in kubernetes (you can install 1 or more containers in a pod).

  5. podman is daemonless, but creates a persistent user process to preserve the “namespace” for subsequent jobs. From this document, “Next, Podman creates a pause process to keep the namespace alive, so that all containers can run from the same context and see the same mounts. The next Podman process will directly join the namespace without needing to create it first.”

  6. This is a possible replacement for docker-compose for podman: podman-compose. Another repo called pods-compose could provide the required container orchestration functionality.
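The NFS/Lustre limitation in item 1 matters most when deciding where rootless Podman keeps its image storage. The following is an added example, not code from this page or from the Podman project: a POSIX sh check that resolves which mount backs a candidate storage directory and flags locations on filesystems that do not understand user namespaces. The mount table and the list of flagged filesystem types are constructed assumptions for an offline run.

```shell
#!/bin/sh
# Added example (not from the HySDS page or Podman): decide whether a
# candidate rootless-Podman storage directory sits on a filesystem that
# cannot honour user namespaces (NFS, Lustre). On a real host, feed the
# contents of /proc/mounts instead of the constructed sample below.

# Constructed sample of /proc/mounts for a hypothetical compute node.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
nfs-srv:/home /home nfs4 rw,relatime,vers=4.1 0 0
10.0.0.1@o2ib:/nobackup /nobackup lustre rw,flock 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# fs_type_for PATH MOUNTS: print the filesystem type of the mount whose
# mount point is the longest prefix of PATH (the mount that backs PATH).
# Later table entries win ties, matching /proc/mounts ordering.
fs_type_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        BEGIN { best = -1 }
        {
            mp = $2
            if (p == mp || mp == "/" || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); type = $3 }
            }
        }
        END { print type }'
}

# rootless_storage_ok PATH MOUNTS: return 0 if a rootless Podman
# graphroot can live on PATH, 1 if the backing filesystem is one that
# enforces server-side UIDs (assumed list: nfs, nfs4, lustre).
rootless_storage_ok() {
    case "$(fs_type_for "$1" "$2")" in
        nfs|nfs4|lustre) return 1 ;;
        *) return 0 ;;
    esac
}

# Demo on the constructed table: a home-directory default versus /tmp.
for d in /home/user/.local/share/containers /tmp/user/containers; do
    if rootless_storage_ok "$d" "$SAMPLE_MOUNTS"; then
        echo "$d: usable ($(fs_type_for "$d" "$SAMPLE_MOUNTS"))"
    else
        echo "$d: NOT usable, backed by $(fs_type_for "$d" "$SAMPLE_MOUNTS")"
    fi
done
```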
