[aspect-devel] Interest in providing and using software containers

[Rene Gassmoeller]

Hi all, sorry for the late follow-up.

Quick summary of my experience while I set up the ASPECT docker 
container, and why I stopped continuing the work:

Pros of Docker/containers:

- I think Docker provides a nice and simple way to install software on 
systems that have already installed Docker. It is also simple to update 
the containers via docker-hub (no hassle while updating to a new version 
with new dependencies).

- The containers are easy to keep up-to-date with the webhook in github 
that lets you create new containers on docker-hub every time you update 
your repository

- It is a nice way to circumvent/reduce the slowdown of a VM, and also 
works quite well under Windows and MacOS (using your native environment 
for preparation and visualization, and only run the model inside Docker).

Cons that finally lead me to not longer continue the work:

- Installing Docker on systems where you are not an admin is complicated 
and a security threat as Timo explained. I have not followed the 
discussion in the last year, maybe they have improved some things. One 
way to circumvent this is to install inside a VM, but then we do not 
gain much from the container.

- Given that Docker for me is therefore a solution for automated tasks 
on personal laptops or desktops it does not seem critical to reduce the 
slowdown of a VM (30%) to that of a container (<5% on Linux / 10% on 
Windows using docker-vm). If large HPC centers would start to use Docker 
instead of their current module systems I could see that encouraging 
users to start with docker on their local machine would ease the 
transition towards using clusters, but I do not know if that is happening?

- For tutorials having a unified environment of a VM seems easier than 
to deal with everyone's personal laptop configurations. E.g. I had some 
trouble setting docker up on an older Ubuntu machine, because I needed 
to create a new user, set user permissions, and some other things before 
I was able to mount a folder into the docker container.


That being said, I am not generally opposed to offering docker files for 
ASPECT if people see them as useful. I was merely not convinced that 
they add much to the current VM (and did not want to spend the time 
maintaining them). If we decide to create files feel free to use my 
docker file as a starting point, although Timo's is likely more advanced 
now. I would argue for keeping a copy of the CIG-file also in the ASPECT 
repo. This way we could automatically build a new container every time a 
pull request is merged, and check that the file still works.


Best,

Rene



On 02/06/2017 11:42 AM, Timo Heister wrote:
>> Can you elaborate more on this?  My impression is that VMs work extremely well in tutorials by giving everyone a guaranteed working system, but it can be a bit of a barrier for people to transition to using the software for research on their own after the tutorial. My impression is that containers would help with this because the use environment can be the same during and after the tutorials. On the other hand, your comment suggests that VMs would be better at assuring success during the tutorial itself.
> I don't see any advantage in docker for transitioning to using the
> software for research. Why do you think so?
>
> A couple of things why I am hesitant to advertise docker:
> - The GUI experience is not great. While you can access the files
> inside, this is not without problems. Bundling X applications like
> paraview blows up the containers (to the point where they are as big
> as a vm). I don't have any experience running X applications with
> docker on windows but I would expect this to be a problem. This makes
> it impossible to use during tutorials and difficult afterwards. The
> only exception would be if everything is in jupyter notebooks.
> - Docker is ephemeral by default. This means any data is gone after
> you exit your container unless you do the extra effort to create data
> volumes or mount host directories. This is complicated (need to
> understand the differences between containers and images, etc.).
> - User accounts/isolation/permissions/mounting is still a problem. If
> you mount files inside your docker container, you have to be really
> careful about user ids. This is very difficult to understand
> especially for novices. Mounting a shared directory using virtualbox
> is much easier and also works on windows.
> - Security. Using docker requires root access on linux. I am not root
> on my workstation in my office so I am unable to use it (without
> jumping through hoops). Getting an admin to install virtualbox is easy
> (in fact it is installed by default here). Any docker container you
> run can take over your system. (Yes, I know you can run docker inside
> a vm, docker-machine is great).
> - VMs are much easier to understand. How do you explain things like
> starting/stopping/deleting containers, retaining files, etc.? Compare
> this with the default experience for
> http://www.math.clemson.edu/~heister/dealvm/ You download, double
> click, hit run and you are greeted with an open firefox windows inside
> the vm with information about the software and where to find help. You
> can stop and restart whenever you want and you keep all your files.
>
> Don't get me wrong, I use docker a lot (daily), but I think it is only
> good for advanced users.
>
> Best,
> Timo
>
>