Rob Nagler <openmpi-wo...@q33.us> writes:

> Thanks, John. I sometimes wonder if I'm the only one out there with this
> particular problem.
>
> Ralph, thanks for sticking with me. :) Using a pool of uids doesn't really
> work due to the way cgroups/containers works. It also would require
> changing the permissions of all of the user's files, which would create
> issues for Jupyter/Hub's access to the files, which is used for in situ
> monitoring.

Skimming back at this, like Ralph I really don't understand it as a maintainer of a resource manager (at a level above Ralph's) and as someone who formerly had the "pleasure" of HEP requirements which attempted to defeat essentially any reasonable management policy. (It seems off-topic here.)

Amongst reasons for not running Docker, a major one that I didn't notice raised is that containers are not started by the resource manager, but by a privileged daemon, so the resource manager can't directly control or monitor them.

From a brief look at Jupyter when it came up a while ago, I wouldn't want to run it, and I wasn't alone. (I've been lectured about the lack of problems with such things by people on whose clusters I could trivially run jobs as any normal user and sometimes as root.)

+1 for what Ralph said about singularity in particular. While there's work to be done, you could even convert docker images on the fly in a resource manager prolog. I'm awaiting enlightenment on the on-topic issue of running MPI jobs with it, though.