Idea #11724
closedPull Docker images without requiring Docker on client
Description
Web-only users do not have access to Docker on the client (in addition, some shell users don't have access to Docker for security reasons, for example visitors to cloud.curoverse.com). Ther should be a mechanism to submit a request to pull a Docker image for use in Arvados.
Possible solutions:
Unprivileged pull inside a normal container request¶
There's at least one utility for pulling/manipulating images:
https://github.com/projectatomic/skopeo
However last I checked it doesn't support conversion to the "docker save" tarfile dump that we use. Maybe we could add support.
Special container request¶
Special format container request recognized by crunch-run which executes "docker pull" (instead of "docker run") and produces the image collection as output.
Dedicated "docker pull" service and/or WES¶
New microservice with API for "pull image". This would avoid the overhead of starting up a dedicated VM to run a download process that usually only takes a few seconds.
Note: the Workflow Execution Service (WES) server sort of already does this; if workflow run is submitted that requires pulling Docker images, it will pull them and upload them. This is existing arvados-cwl-runner behavior which normally requires Docker on the client, but in the case of WES, the WES gateway is the agent that runs arvados-cwl-runner and not the original client.
So there's also an option to migrate clients that submit workflows (a-c-r, workbench, composer) to use Arvados WES instead of directly creating container requests.
Arvados Docker registry service¶
Deploy https://github.com/docker/distribution or implement the API https://docs.docker.com/registry/spec/api/ . Store layers in keep instead of whole image tarballs. Regular "docker push" and "docker pull" works. Unprivileged import is more tractable by avoiding format conversion.
Additional consideration: to access private registries, we need to provide credentials. Secrets handling is available for container requests.
Related issues
Updated by Tom Morris about 7 years ago
- Target version set to Arvados Future Sprints
Updated by Tom Clegg over 6 years ago
- Related to Idea #13325: As a CWL learner, I would like to be able to run CWL workflows easily on playground added
Updated by Peter Amstutz over 6 years ago
- Is duplicate of Idea #9046: [Crunch2] Can issue container request to pull and import Docker images added
Updated by Tom Morris over 6 years ago
- Tracker changed from Bug to Idea
- Target version changed from Arvados Future Sprints to To Be Groomed
Updated by Peter Amstutz over 6 years ago
- Subject changed from Import Docker images without requiring Docker on client to Pull Docker images without requiring Docker on client
- Description updated (diff)
Updated by Peter Amstutz over 6 years ago
- Related to Idea #13794: Build Docker images without requiring Docker on client added
Updated by Peter Amstutz over 3 years ago
- Target version deleted (
To Be Groomed)
Updated by Peter Amstutz over 2 years ago
- Target version set to 2022-08-31 sprint
Updated by Peter Amstutz over 2 years ago
- Target version changed from 2022-08-31 sprint to 2022-09-14 sprint
Updated by Peter Amstutz over 2 years ago
- Target version changed from 2022-09-14 sprint to 2022-10-12 sprint
Updated by Peter Amstutz about 2 years ago
- Related to Idea #16447: Improve container image handling added
Updated by Peter Amstutz about 2 years ago
- Target version changed from 2022-10-12 sprint to 2022-10-26 sprint
Updated by Peter Amstutz about 2 years ago
- Target version changed from 2022-10-26 sprint to 2022-11-09 sprint
Updated by Peter Amstutz about 2 years ago
- Target version changed from 2022-11-09 sprint to 2022-11-23 sprint
Updated by Peter Amstutz about 2 years ago
- Target version changed from 2022-11-23 sprint to 2022-12-07 Sprint
Updated by Peter Amstutz about 2 years ago
- Target version changed from 2022-12-07 Sprint to 2022-12-21 Sprint
Updated by Peter Amstutz almost 2 years ago
- Target version changed from 2022-12-21 Sprint to 2023-01-18 sprint
Updated by Peter Amstutz almost 2 years ago
- Target version changed from 2023-01-18 sprint to 2022-12-07 Sprint
Updated by Tom Clegg almost 2 years ago
- Status changed from New to In Progress
Updated Build docker images as part of a workflow
Benefits of the "special container request" approach- Doesn't require docker on system nodes, only on compute nodes where it is typically already installed
- Maintains the reproducibility feature of retaining the exact image that was used to run each workflow step (except the "pull" process itself, which is inherently not reproducible)
Updated by Tom Clegg almost 2 years ago
- Related to deleted (Idea #13794: Build Docker images without requiring Docker on client)
Updated by Tom Clegg almost 2 years ago
- Has duplicate Idea #13794: Build Docker images without requiring Docker on client added
Updated by Tom Clegg almost 2 years ago
- Has duplicate deleted (Idea #13794: Build Docker images without requiring Docker on client)
Updated by Tom Clegg almost 2 years ago
- Related to Idea #13794: Build Docker images without requiring Docker on client added
Updated by Tom Clegg almost 2 years ago
- Status changed from In Progress to Closed
Updated by Tom Clegg almost 2 years ago
- Blocked by Feature #19846: Use collection properties instead of links to tag docker images added
Updated by Peter Amstutz almost 2 years ago
- Status changed from New to Resolved
Updated by Tom Clegg over 1 year ago
- Related to Feature #19860: Support "pull image" container request added