Singularity Community and SingularityPRO on HPE high-performance servers

The power of open source for enterprise performance computing

Whitepaper


Post on 20-May-2020


Table of Contents

Executive summary
Introduction
Use cases
Mobility of compute
Drop-in replacement for standalone processes
Architectural differences between Singularity and other containers
SingularityPRO on HPE infrastructure, ready for the enterprise
SingularityPRO add-on services
Container Library
Key-signing and verification services
Conclusions

Executive summary

Singularity has become an attractive container technology for running batch-style jobs because it was designed specifically to encapsulate reproducible application stacks into a single file. Its simplicity allows for seamless integration with GPUs and interconnects that are common to high-performance computing (HPC) environments. Running SingularityPRO™ on Hewlett Packard Enterprise (HPE) HPC server platforms expands upon Singularity Community’s open source capabilities and includes commercial support and access to a growing value-added container ecosystem.

This white paper illustrates the business drivers for adopting container-based software models and the capabilities built into the SingularityPRO commercial offering. It will also address how Singularity container technology running on HPE platforms solves the challenges of parallelized AI, deep-learning/machine-learning, and data analytics workloads on large clusters—all without compromising security or privacy.

Three key takeaways from this white paper include:

- Typical use cases for Singularity Community/SingularityPRO running on HPE server platforms
- The unique value of SingularityPRO for today’s enterprises
- The benefits of SingularityPRO compared to other container offerings


Introduction

Containers are a hot topic in every facet of high-performance computing. Applied use cases are seen in a variety of industries, including academia, finance, enterprise, and pharmaceuticals. 451 Research expects more than 250% growth in the container market from 2016 to 2020 [1]. Containers combine speed and density with the mobility of traditional virtual machines (VMs) while requiring far fewer components to remain portable and run anywhere.

Containers are made possible by a set of facilities in the Linux® kernel that allow lightweight partitioning of a host operating system into isolated spaces where applications can safely run. Using containers presents lower overhead in terms of a smaller memory footprint and higher efficiency because they share the kernel with the host operating system—which means containers can achieve higher density. In short, containers enable more productivity.

Not only are containers orders of magnitude faster in provisioning, and lighter weight, they also enable applications to work in the same way on developers’ workstations, on-premises servers, and any public or private cloud.

Proven open source container solution

Released in 2016, Singularity Community is an open source-based container platform designed for scientific and HPC environments. For HPC, Singularity makes what was previously impossible, possible.

With Singularity, the entire execution environment is contained within a single file that starts with a base Linux distribution, augmented by applications, libraries, data, and scripts—all for a containerized application workflow. Singularity containers easily integrate into standard HPC workflows and can be deployed and started on tens of thousands of nodes with minimal effort.

By moving away from the microservices architecture embraced by other container platforms, Singularity’s unique design meets HPC users’ needs for a container solution that not only offers high performance, but also supports mobility, reproducibility, and seamless integration with host-provided resources. In addition to enabling greater control over the application environments, Singularity also supports a bring-your-own-environment (BYOE) model—transporting a configuration from a scientist’s workstation to the data center.


High-performance enterprise-class container platform

SingularityPRO builds on the success of the open source Singularity Community version, leveraging the open source code base to provide a container platform designed for Enterprise Performance Computing (EPC), including deep learning, IoT, and predictive analytics workloads.

SingularityPRO includes all of the functionality of the open source version, plus enterprise-grade enhancements that make the platform stronger, highly secure, and more feature-rich (described below). Where the open source version of Singularity is subject to rolling code changes from the open source community at large, SingularityPRO is curated and supported by Sylabs, the company behind Singularity.

Use cases

SingularityPRO running on HPE platforms (including HPE Superdome Flex, HPE Integrity Superdome X, HPE Integrity MC990 X, and HPE Apollo systems) delivers high-performance computing to enterprises. This is done by providing a secure and repeatable method to package applications and their dependencies into a single file that is cryptographically verifiable to ensure reproducibility. These features are critically important in the following enterprise use cases.

A major milestone in Memory-Driven Computing

To help enterprises embrace the possibilities of a world transformed by exponential data growth, HPE offers Superdome Flex—the industry’s only in-memory computing solution with a unique modular design that scales easily and economically for businesses of any size. A significant milestone in the Memory-Driven Computing innovation roadmap, this platform will help enterprises stay ahead of the competition by turning critical data into real-time business insights. Built to handle the most demanding applications, HPE Superdome Flex delivers an unprecedented combination of scale, modularity, flexibility, and reliability so that enterprises can turn these insights into action, and action into success—knowing that the business will remain always on.


Cluster Multi-tenancy

In an HPC environment, users are not allowed full, unrestricted administrative/root access to shared production systems [2]. Instead, users often receive credentials with limited access to reduce the threat surface areas. While limited-user credentials satisfy security, compliance, and audit requirements, users must be able to have enough environment privilege to develop, modify, and test their application containers.

Figure 1: Singularity adds a new layer of isolation

Unlike other platforms, Singularity does not require a user to have root privileges within a container, and it does not require users to be added to a special group with advanced privileges to start the container runtime. Singularity’s unique security model ensures that untrusted users can run untrusted containers without impacting the security of the underlying host system.

Enabling users to deploy Singularity containers on a cluster provides the flexibility they need, while also maintaining the security posture of the cluster.

Mobility of compute

Enterprise workloads are evolving. Jobs now consist of artificial intelligence (AI), machine learning (ML), and deep learning (DL) workloads that were once solely within the domain of the scientific research community. Supporting the demanding EPC use cases found in today’s life sciences, defense, financial technology, oil and gas, manufacturing, and many other types of workloads requires a container platform that delivers high levels of performance, portability, and security.


Mission-critical innovations

For enterprises running mission-critical applications on costly proprietary systems, HPE Integrity Superdome X sets new high standards for x86 availability, scalability, and performance. The ideal platform for critical Linux and Windows® workloads, HPE Superdome X blends x86 efficiencies with proven HPE mission-critical innovations for a superior uptime experience and ground-breaking performance. Breakthrough scalability of up to 16 sockets and 48 TB of memory handles in-memory databases and large scale-up x86 workloads. Through the unique HPE nPars technology, Superdome X adds agility and delivers 20x greater reliability than platforms relying on soft partitions alone. For maximizing application uptime, standardizing, or consolidating, HPE Integrity Superdome X helps transform today’s mission-critical environments.

Singularity running on HPE server platforms delivers such a platform—enabling users to create an application environment for running HPC workloads and applications without the performance penalties or complexities of accessing GPU and network interconnects. SingularityPRO simplifies the deployment of applications across different clusters and supercomputers (HPE Superdome Flex, HPE Integrity Superdome X, and HPE Integrity MC990 X systems) by avoiding the laborious process of re-hosting the applications for each distinct environment—without requiring a virtualized hardware layer. Singularity containers are just single files. If you can move a file from one host to another, you can deploy a Singularity container.

The Singularity Image Format (SIF) is a conduit for transporting entire application environments, as well as providing users and administrators with a means of protection. With Singularity single-file containers, users benefit from extreme mobility, enhanced reproducibility, and compliance control.

SingularityPRO and associated Single Image Format (SIF) containers can have cryptographically signed and evolvable overlays to enable a controls-compliant workflow, which creates trusted containers. Unlike other container platforms, SingularityPRO has a mechanism to validate a runtime image and all data regions through a self-signing mechanism. By signing and verifying containers, distributors and users establish a level of trust unavailable to other container formats.

Figure 2: Singularity Image Format file structure and usage

[Figure 2 diagram labels: Global Header, Descriptors, Recipe Definition, Labels, Environment, Immutable Runtime Container Image, Writable Overlay, Signature Block; regions marked "Cryptographically signed" and "Evolvable".]


Drop-in replacement for standalone processes

Singularity integrates with all batch resource managers—with zero modifications—by calling the Singularity command directly.

One of Singularity’s architecturally defined features is the ability to execute containers as if they were native programs or scripts on a host computer. As a result, integration with schedulers such as Univa Grid Engine, Torque, SLURM, SGE, and many others is as simple as running any other command. All standard input, output, errors, pipes, IPC, and other communication pathways used by locally running programs are synchronized with the applications running locally within the container.

Figure 3: Positioning of Singularity in a Linux system

High-performance interconnects such as InfiniBand and Intel® Omni-Path Architecture (Intel OPA) are prevalent in the HPC/enterprise performance computing (EPC) space. Deep-learning workloads/applications also benefit from the high-bandwidth and low-latency characteristics of these interconnect technologies.

Singularity offers native support for OpenMPI by utilizing a hybrid MPI container approach, where OpenMPI exists both inside and outside the container. Similar to the support for InfiniBand and Intel OPA devices, Singularity natively supports any PCIe-attached device within the compute node, such as accelerators (GPUs).

[Figure 3 diagram, two panels. Virtual Machine Architecture: Application, File System, Kernel, Virtualized Hardware (virtualized); Application, File System, Host Kernel, Physical Hardware (native). Singularity Architecture: Application, Container (A, B, C), File System, Host Kernel, Physical Hardware (native, contained).]


Architectural differences between Singularity and other container platforms

Security is a common concern for enterprises considering the adoption of containers in a shared computing environment. This is due in large part to other container platforms requiring elevated privilege daemons or configurations where the locking capabilities are limited and challenging to implement [3]. Another fundamental difference between Singularity and other containers is the image format itself. A Singularity container is a single file that can be moved around, the same as any other file. Other container runtimes contain layers, which are assembled during runtime and do not offer the same mobility and reproducibility as a Singularity container.

And finally, unlike other container platforms, Singularity favors integration over isolation, allowing it to work with common HPC technologies such as high-speed interconnects, batch schedulers, resource managers, MPIs, and GPUs with little or no additional configuration.

SingularityPRO on HPE infrastructure, ready for the enterprise

SingularityPRO is a certified binary release of Singularity built entirely from the open source code base—augmented with the licensing, support, and expert professional services requested by leading organizations, universities, and laboratories.

Unparalleled scale for data-intensive workloads

HPE Integrity MC990 X Server delivers in-memory computing performance for Linux-based applications at an unparalleled scale with mission-critical reliability and modular flexibility. An advanced symmetric multiprocessing (SMP) system designed for data-intensive workloads, the HPE MC990 X Server features enterprise-class Intel Xeon® E7-8800/4800 v4 processors and robust reliability, availability, and serviceability. The 5U modular chassis contains 4 sockets with up to 192 threads. By adding chassis and leveraging high-bandwidth NUMAlink technology, the HPE MC990 X Server can scale as a single system from 4 to 32 sockets and from 1 to 48 TB of cache-coherent shared memory.

Enabling the data-driven organization

The HPE Apollo Family is designed to deliver efficient rack-scale solutions for Big Data, analytics, object storage, and high-performance computing workloads. With rack-scale efficiency, the HPE Apollo Systems Family:

- Delivers just the right amount of performance and efficiency with systems optimized for specific workloads
- Accelerates time to value by reducing implementation time
- Provides architectural flexibility with both scale-up and scale-out solutions
- Helps reduce capital and operating expenditures (CAPEX and OPEX)


Stronger platform, better support

While many components of an enterprise computing environment (local or cloud) consist of essential open software components, administration and support of the software need to come from somewhere. In short, “free” software is not really free.

Building on the success of Singularity Community—an open source container development platform used by over 25,000 top academic, government and enterprise users, that’s installed on over 3 million cores and running over a million jobs per day—SingularityPRO includes numerous enterprise-grade support features:

- Long-term support, where security patches and bug-fixes are backported into SingularityPRO versions. This way, administrators are released from the burden of continually updating the Singularity code base to the latest open-source version.
- Early releases of security patches, delivered to SingularityPRO customers before propagation into the source community release.
- Stability, by providing long-term support, along with bug and security fixes.
- Customized service/support options, enabling SingularityPRO users to choose the tiered service/support option that best meets their needs.
- Access to a vast ecosystem of resources, including a container Remote Builder, Container Library, and Key-signing service (described on right).

Figure 4: Subscription provides access to SingularityPRO and a vast ecosystem of services. Compare features and choose the right version for your organization.

[Feature comparison chart with columns SingularityPRO and Singularity Community. Features listed: SIF: Single File Container Format; Cryptographically Verifiable; No Persistent Global Daemon Process; Support for Non-root Users Running Containers; Blocking Privilege Escalation within a Container; “Bring Your Own Environment” Usage Model; Support for AI/HPC Workflows and Architectures; Support for GPUs Natively; Code Curation; Streamlined Security Updates; Sylabs Cloud Features; Signed Packages and Repositories; Additional Self-Service Help; Container Build Services; Cryptographic Key Service; Container Library.]


SingularityPRO add-on services

In 2018, Sylabs is making available multiple value-add services for SingularityPRO. Access to these services will be available for demonstration purposes to open source Singularity Community users. The services will also be offered under various tiers (trial, SMB plan, and Enterprise plan) to SingularityPRO customers.

Remote Builder

Building a container requires elevated privilege. In many HPC and EPC environments, however, elevated privileges are not possible because:

- Regular users cannot have administrative access to any cluster resource
- Using an external workstation to build a container breaks the chain of trust

The Remote Builder addresses these challenges by moving the build process to a secure, controlled environment.

During the build process, output streams back to the requester, so the user can monitor the build’s progress. Upon completion, the SIF image is transferred back to the user’s workstation, from which point it can be executed with Singularity, or sent to the Container Library—with no elevated administrative privileges required. In addition, no workflow modifications are necessary. Adding a single flag enables the build to be completed remotely without elevated privilege.

The Remote Builder implements appropriate levels of isolation between the components performing the builds with elevated privileges, isolating them from a shared cluster. System administrators receive a turnkey solution that empowers users to build Singularity images, as well as provides a centralized auditing and monitoring console for Singularity builds. These services are available in the cloud and on-premises.


Container Library

The Container Library was created and designed for hosting SingularityPRO containers. The full-featured Library can be hosted on-premises in your data center or the Sylabs cloud. Users can upload, download, search, and browse for containers in public and private areas, as well as share private containers with other users or via a generated link. Security and privacy in the Container Library are based on a user-owner of library objects, and the concept of public or private collections.


Key-signing and verification services

With Singularity 3.0, the new Singularity Image Format (SIF) will deliver container signing and validation services to Singularity and the Container Library. These key-signing and verification services eliminate the risk of unknowingly downloading and running compromised or rogue containers.

The ability to quickly identify containers signed by trusted sources—both internal and external—enhances an organization’s auditing capabilities and its ability to enforce policies for restricting the types of containers allowed to run on a cluster.
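The scheduler integration described under "Drop-in replacement for standalone processes" and the signing policy above can be combined in one batch job. The script below is an added example, not code from this whitepaper or from Sylabs: it assumes Singularity 3.x, where `singularity verify` exits non-zero for an unsigned or altered image, and the SLURM directives, the `IMAGE` variable and the function name `run_verified` are illustrative.

```shell
#!/bin/bash
# Constructed SLURM directives for illustration.
#SBATCH --job-name=sif-verified
#SBATCH --ntasks=1
#SBATCH --time=00:10:00
#
# Added example: refuse to start a containerized batch job unless the SIF
# image passes signature verification. Assumption: Singularity 3.x, where
# `singularity verify IMAGE` returns non-zero for unsigned or altered images.

# run_verified IMAGE CMD [ARGS...]
# Exit codes: 2 usage error, 3 image missing, 4 verification failed,
# otherwise the exit status of the command run inside the container.
run_verified() {
    if [ "$#" -lt 2 ]; then
        echo "usage: run_verified IMAGE CMD [ARGS...]" >&2
        return 2
    fi
    rv_image=$1
    shift
    if [ ! -f "$rv_image" ]; then
        echo "refusing to run: $rv_image is not a regular file" >&2
        return 3
    fi
    # Verify before exec so a rejected image never starts.
    if ! singularity verify "$rv_image" >/dev/null 2>&1; then
        echo "refusing to run: signature verification failed for $rv_image" >&2
        return 4
    fi
    # The container is called like any other command: stdin, stdout, stderr
    # and the exit status pass straight through to the scheduler.
    singularity exec "$rv_image" "$@"
}

# Under SLURM (SLURM_JOB_ID is set by the scheduler) run the job; otherwise
# this file only defines the function.
if [ -n "${SLURM_JOB_ID:-}" ]; then
    run_verified "${IMAGE:?set IMAGE to the path of the .sif file}" "$@"
    exit $?
fi
```

A zero exit status from the verification step shows that a signature validated, not whose key produced it; restricting jobs to particular signers needs an additional fingerprint policy.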

Conclusions

Containers promise to seamlessly move applications between environments—from development to QA to a 10,000-node cluster. Containers ensure that each application will run the same way and will produce the same result in any environment—only faster.

Singularity running on HPE HPC platforms simplifies the process of moving containers across a single infrastructure or across hybrid environments. This solution also preserves privilege separation to satisfy the security, privacy, and auditing requirements found in all supercomputer and enterprise environments.

Raising the bar for container platforms, SingularityPRO running on HPE HPC platforms leverages the power of AI, machine learning, and deep learning to deliver unique enterprise-level services. SingularityPRO’s advanced ecosystem of resources not only extends the overall value of the platform but also extends its ease of use and security.

This white paper is for informational purposes only. SYLABS MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS WHITE PAPER. Sylabs cannot be responsible for errors in typography or photography.

SingularityPRO is a trademark of Sylabs Inc.

Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Sylabs disclaims proprietary interest in the marks and names of others.

© Copyright 2018 Sylabs Inc. All rights reserved.

Information in this document is subject to change without notice.

[1] https://451research.com/images/Marketing/press_releases/Application-container-market-will-reach-2-7bn-in-2020_final_graphic

[2] Even though users have limited access to production systems, they can have full administrative access to their own development virtual machine.

[3] Docker daemon attack surface, https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface

www.sylabs.io

© 2018 Sylabs.io. All rights reserved.