Service containers » History » Version 3
Peter Amstutz, 02/04/2025 08:46 PM
| 1 | 1 | Peter Amstutz | h1. Service containers |
|---|---|---|---|
| 2 | |||
| 3 | Concept: Containers launched via the Crunch infrastructure, but provide a network port that things can connect to. |
||
| 4 | |||
| 5 | 2 | Peter Amstutz | Arvados epic: https://dev.arvados.org/issues/17207 |
| 6 | |||
| 7 | 3 | Peter Amstutz | h2. Uses cases |
| 8 | 1 | Peter Amstutz | |
| 9 | 2 | Peter Amstutz | * Applications providing an API |
| 10 | ** a bunch of data needs to be loaded into RAM before it can be used, queried, or computed on |
||
| 11 | ** e.g. large language models, databases, function-as-a-service |
||
| 12 | 1 | Peter Amstutz | ** Makes sense when the time spent on any given query is much much smaller than the loading time |
| 13 | 2 | Peter Amstutz | |
| 14 | * User facing web applications |
||
| 15 | ** e.g. Integrative Genomics Viewer (IGV), Jupyter notebooks |
||
| 16 | ** Also includes web applications that interact with an API (first bullet) |
||
| 17 | 1 | Peter Amstutz | |
| 18 | 3 | Peter Amstutz | h2. Fundamental requirement |
| 19 | |||
| 20 | Crunch launches a container and makes it possible for an outside client to communicate with the container. |
||
| 21 | |||
| 22 | h2. Discussion points |
||
| 23 | |||
| 24 | h3. Communication between containers |
||
| 25 | |||
| 26 | Exposing services to outside vs communication between containers on the inside have different requirements. |
||
| 27 | |||
| 28 | Outside: Must be able to connect from outside. Because containers are on a private network, some kind of proxying or NAT is required. |
||
| 29 | |||
| 30 | Inside: Assuming containers are on the same private network and can route to each other, can communicate using direct TCP connections. |
||
| 31 | |||
| 32 | h3. HTTP only, or arbitrary TCP connections? |
||
| 33 | |||
| 34 | HTTP only: Can proxy HTTP requests using wildcard DNS and "Host:" headers, we have a lot of machinery to do that already. Can apply Arvados authentication to requests, e.g. clients have to provide an Arvados token and can only communicate with containers that have read access to. Cannot host things that don't use HTTP. |
||
| 35 | |||
| 36 | Arbitrary TCP: Would need to apply NAT or connection tunneling to connections on an arbitrary external port that is associated with the container. We don't have machinery to do this. Authentication is left up to the service. Can host things that have their own protocols, such as postgresql or ssh. |
||
| 37 | |||
| 38 | Container shell uses connection tunneling, it makes a HTTP connection and doing a connection upgrade to SSH. This requires special cooperation between arvados-client and ssh, which doesn't generalize. |
||
| 39 | |||
| 40 | Internal-only connections (between containers) may be a bit easier to orchestrate arbitrary TCP connections (no tunneling required). Authentication is still left up to the container, or requires fiddling with firewall rules on the fly to control who can access the container. |
||
| 41 | |||
| 42 | 1 | Peter Amstutz | h2. |
| 43 | 3 | Peter Amstutz | |
| 44 | |||
| 45 | * Running container can expose one or more TCP service ports. |
||
| 46 | * Internal crunch containers should be able to connect to the service |
||
| 47 | * External clients should be able to connect to the service. |