merging master into 2.4

GodloveD · GodloveD · commit db8a91bfafc9 · 2017-10-12T14:47:42.000-04:00
diff --git a/_posts/news/2017-09-13-docker-manifest-v2.md b/_posts/news/2017-09-13-docker-manifest-v2.md
@@ -0,0 +1,17 @@
+---
+title:  "Announcement: Problem downloading from Docker Hub to be resolved soon"
+category: news
+permalink: 2017-docker-problem
+---
+
+To all Singularity users,
+ 
+On Tuesday September 12, Docker released a new version of Docker image metadata.  This means that any new images built on Docker Hub cannot currently be downloaded using a singularity `pull` or other commands like `shell`, `exec`, and `bootstrap` when updated Docker registries are queried.
+ 
+Vanessa (`@v`) has created an interim fix for the problem and we have merged it into the development branch.  Pending further testing we plan to merge this fix into master and create a new minor release (2.3.2).  We will make another announcement as soon as it is ready to install. 
+ 
+Thanks for your patience! 
+ 
+The Singularity team
+
+{% include links.html %}
diff --git a/_posts/news/2017-09-26-scif-draft.md b/_posts/news/2017-09-26-scif-draft.md
@@ -0,0 +1,30 @@
+---
+title:  "Standard Container Integration Format (SCI-F) Final Draft"
+category: news
+permalink: 2017-scif-contribute
+---
+
+Hi Singularity Community!
+
+Thanks to everyone that provided comments on the early draft for SCI-F. The goals were initially:
+
+ - write specification draft (this was done via a Google Doc)
+ - implement into Singularity (now in [development branch](https://github.com/singularityware/singularityware.github.io/blob/docs/2.4/pages/docs/user-docs/docs-apps.md))
+ - get feedback on both, adjust implementation and draft
+ - do several (N=4) implemented use cases for SCI-F, write up ([available here](http://containers-ftw.org/apps/category/#Example))
+ - make an interactive, open source repository to contribute and share SCI-F apps [http://containers-ftw.org/apps/](http://containers-ftw.org/apps/)
+ - write up the (almost) "final" draft formally [http://containers-ftw.org/SCI-F/](http://containers-ftw.org/SCI-F/)
+
+I'm (`@vsoch`) happy to report that I've finished the above, and I'd like to ask the following:
+
+ - if you contributed, please check the AUTHORS file in the SCI-F repository to make sure that I added you, and spelled your name correctly (apologies in advance).
+ - Any further suggestions, additions, or entire new contributions can be added to the draft by way of pull request. I'm not in any rush, and if you have a good contribution, I want to help.
+ - If you have not contributed yet and would like to, see the ideas linked on the [draft abstract page](http://containers-ftw.org/SCI-F/). 
+
+The plan is (as of now) to submit this no later than the end of October, and I want to make sure everyone that wants to contribute has had ample chance. Indeed, with Singularity there are many ways to cook your container, and SCi-F definitely exemplifies that.
+
+![egg](/images/logo/three-ways.png)
+
+Thanks again everyone!
+
+{% include links.html %}
diff --git a/_posts/recipes/2017-01-26-singularity-hub-tutorial.md b/_posts/recipes/2017-01-26-singularity-hub-tutorial.md
@@ -30,7 +30,7 @@ The easiest thing to do is to install Singularity on your local workstation:
     sudo make install
 ```
 
-If you have the unfortunate situation of using a Mac, or just need a virtual machine, then you will want to follow the instructions <a href="http://singularity.lbl.gov/install-mac" target="_blank">here</a>. Basically, you need to install vagrant, virtual box, and then do this:
+If you are using a Mac, or just need a virtual machine, then you will want to follow the instructions <a href="http://singularity.lbl.gov/install-mac" target="_blank">here</a>. Basically, you need to install vagrant, virtual box, and then do this:
 
 ```bash
 vagrant init ubuntu/trusty64
diff --git a/_posts/releases/2017-09-15-release-2-3-2.md b/_posts/releases/2017-09-15-release-2-3-2.md
@@ -0,0 +1,96 @@
+---
+title:  "Singularity 2.3.2 Quick Fix Release"
+category: releases
+permalink: "release-2-3-2"
+targz: "2.3.2.tar.gz"
+---
+
+<a target="_blank" href="https://github.com/singularityware/singularity/releases/tag/2.3.2">Release 2.3.2 </a> This dot release includes a fix for a change that Docker implemented to their registry RESTful API which broke compatibility with Singularity (among several other low minor fixes).
+
+
+## What happened?
+
+
+**Where does Docker image metadata come from?**
+The Docker Registry serves metadata about images via manifests, where each image has a manifest that tells Singularity important information like environment, labels, and entrypoints and running command. Importantly, the image manifest serves the actual layers that should be obtained to create the image. The manifests come in different flavors, or schema versions. Version 1 serves the primary load of metadata (labels, environment) while the first release of version 2 served layers, and had the addition of size. This addition made it possible to pull an image with Singularity and calculate the size on the fly for images generated with support for this manifest.
+
+Singularity had an old default to retrieve the version 2 (done by way of a header asking for it), and ask it for layers. If the remote registry could only offer version 1, we were still able to obtain a list of layers (under a different key, `fsLayers` instead of `layers`) and metadata via the older (schema 1) manifest. However, with the update, the API version 2 schema can now return a <a href="https://docs.docker.com/registry/spec/manifest-v2-2/#manifest-list"> list of manifests</a>. This meant that when we checked the response for the keys `layers` or `fslayers`, they wouldn't be found, becaues we needed to look under `manifests`, and then do a second call to retrieve the manifest of interest based on a system architecture and OS. This of course broke most `import`, `shell`, `pull`, `exec`, because all of these commands require retrieving the layers.
+
+## The Patch
+A super quick fix would have been to fall back to the version 1 manifest, always, but then we would lose the automatic calculation of size, which is important to many users. The "better" fix is obvious - the code needs to:
+
+ - check for a `manifests` key
+ - if found, select a default manifest to use
+ - retrieve it, and continue!
+ - if not found, fall back to version 1
+
+This means that we've added environment variables `SINGULARITY_DOCKER_OS` and `SINGULARITY_DOCKER_ARCHITECTURE` to specify this choice, with defaults `linux` and `amd64`. This is a pretty exciting change, because it means down the line you (as a user!) can specify the specifics of the layers you want returned, given an image that has this metadata available. We can see the fix running as follows:
+
+
+```
+DEBUG 
+*** STARTING DOCKER IMPORT PYTHON  ****
+```
+This is the initialization of the Docker client, it's parsing the image name provided
+```
+DEBUG Starting Docker IMPORT, includes env, runscript, and metadata.
+VERBOSE Docker image: ubuntu:14.04
+VERBOSE2 Specified Docker ENTRYPOINT as %runscript.
+DEBUG Headers found: Content-Type,Accept
+VERBOSE Registry: index.docker.io
+VERBOSE Namespace: library
+VERBOSE Repo Name: ubuntu
+VERBOSE Repo Tag: 14.04
+VERBOSE Version: None
+```
+The initial poke to Docker hub asks for tags, to determine if we need some kind of token
+```
+VERBOSE Obtaining tags: https://index.docker.io/v2/library/ubuntu/tags/list
+DEBUG GET https://index.docker.io/v2/library/ubuntu/tags/list
+```
+
+401 means that we do, and with the response the API sends back the scope and other details we need to make to request it
+
+```
+DEBUG Http Error with code 401
+```
+
+Here we are requesting it
+```
+DEBUG GET https://auth.docker.io/token?service=registry.docker.io&expires_in=9000&scope=repository:library/ubuntu:pull
+DEBUG Headers found: Content-Type,Authorization,Accept
+```
+
+And here is the new bit. Instead of blindly doing one call, we have a function to update two versions of the manifest - the older (with metadata) and some version of the newer (with layers and size) with a fallback to use the version 1
+```
+DEBUG Updating manifests.
+
+# Here is version 2+
+DEBUG MANIFEST (Primary): not found, making initial call.
+VERBOSE Obtaining manifest: https://index.docker.io/v2/library/busybox/manifests/latest
+DEBUG GET https://index.docker.io/v2/library/busybox/manifests/latest
+
+# Here is version 1 (Metadata)
+DEBUG MANIFEST (Metadata): not found, making initial call.
+VERBOSE Obtaining manifest: https://index.docker.io/v2/library/busybox/manifests/latest
+DEBUG GET https://index.docker.io/v2/library/busybox/manifests/latest
+```
+Notice that the two calls are the same - that's because the headers are actually different, to request different ones.
+
+And here is the (new) indication that we found a list
+```
+DEBUG Image manifest version 2.2 list found.
+```
+Here is the default architecture / os
+```
+DEBUG Obtaining architecture: amd64, OS: linux
+```
+And the specific call to get it
+```
+VERBOSE Obtaining manifest: https://index.docker.io/v2/library/busybox/manifests/sha256:030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af
+DEBUG GET https://index.docker.io/v2/library/busybox/manifests/sha256:030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af
+```
+
+With this fix - we can again use `pull`/`import`, etc, and also have a working `singularity pull docker://busybox` that estimates the size automatically.
+
+Please report any additional bugs to <a target="_blank" href="https://github.com/singularityware/singularity/issues/new">our issues board.</a>
diff --git a/images/logo/three-ways.png b/images/logo/three-ways.png
diff --git a/pages/docs/overview/faq.md b/pages/docs/overview/faq.md
@@ -125,6 +125,7 @@ In the end, we do not gain anything by calling 'mpirun' from within the containe
 See the Singularity on HPC page for more details.
 
 ### Does Singularity support containers that require GPUs?
+
 Yes. Many users run GPU dependant code within Singularity containers.  The
 experimental `--nv` option allows you to leverage host GPUs without installing 
 system level drivers into your container. See the [`exec`](/docs-exec#a-gpu-example) command for
@@ -165,6 +166,34 @@ You can read more about the Singularity <a href="/docs-security">security overvi
 ## Troubleshooting
 A little bit of help.
 
+### Segfault on Bootstrap of Centos Image
+If you are bootstrapping a centos 6 docker image from a debian host, you might hit a segfault:
+
+```
+$ singularity shell docker://centos:6 
+Docker image path: index.docker.io/library/centos:6
+Cache folder set to /home/jbdenis/.singularity/docker
+Creating container runtime...
+Singularity: Invoking an interactive shell within container...
+
+Segmentation fault
+```
+
+The fix is on your host, you need to pass the variable `vsyscall=emulate` to the kernel, meaning in the file `/etc/default/grub` (note, this file is debian specific), add the following:
+
+```
+GRUB_CMDLINE_LINUX_DEFAULT="vsyscall=emulate"
+```
+
+and then update grub and reboot:
+
+```
+update-grub && reboot
+```
+
+Please note that this change might have <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/admin-guide/kernel-parameters.txt?h=v4.13-rc3#n4387" target="_blank">security implications</a> that you should be aware of. For more information, see the <a href="https://github.com/singularityware/singularity/issues/845" target="_blank">original issue</a>.
+
+
 ### How to use Singularity with GRSecurity enabled kernels
 To run Singularity on a GRSecurity enabled kernel, you must disable several security features:
 
diff --git a/pages/docs/user-docs/action-mount.md b/pages/docs/user-docs/action-mount.md
@@ -15,7 +15,7 @@ When Singularity 'swaps' the host operating system for the one inside your conta
 
 To *mount* a bind path inside the container, a **bind point** must be defined within the container. The bind point is a directory within the container that Singularity can use to bind a directory on the host system.  This means that if you want to bind to a point within the container such as `/global`, that directory must already exist within the container.
 
-It is however possible that the system administrator has enabled a Singularity feature called *overlay* in the `/etc/singularity/singularity.conf` file. This will cause the bind points to be created on an as needed basis so that the underlying container is not modified. But because the *overlay* feature is not always used or unavailable in some kernels, it maybe necessary for container standards to exist to ensure portability from host to host.
+It is however possible that the system administrator has enabled a Singularity feature called *overlay* in the `/etc/singularity/singularity.conf` file. This will cause the bind points to be created on an as needed basis in an overlay file system so that the underlying container is not modified. But because the *overlay* feature is not always used or is unavailable in some kernels, it may be necessary for container standards to exist to ensure portability from host to host.
 
 If a bind path is requested, and the bind point does not exist within the container, a warning message will be displayed, and Singularity will continue trying to start the container. For example:
 
diff --git a/pages/docs/user-docs/action-pull.md b/pages/docs/user-docs/action-pull.md
@@ -81,6 +81,18 @@ Progress |===================================| 100.0%
 Done. Container is at: /tmp/vsoch-hello-world-master.img
 ```
 
+### Pull by commit
+You can also pull different versions of your container by using their commit id (`version`). 
+
+```
+singularity pull shub://vsoch/hello-world@42e1f04ed80217895f8c960bdde6bef4d34fab59
+Progress |===================================| 100.0%
+Done. Container is at: ./vsoch-hello-world-master.img
+```
+
+In this example, the first build of this container will be pulled.
+
+
 ## Docker
 Docker pull is similar (on the surface) to a Singularity Hub pull, and we would do the following:
 
diff --git a/pages/docs/user-docs/action-shell.md b/pages/docs/user-docs/action-shell.md
@@ -6,7 +6,7 @@ folder: docs
 toc: false
 ---
 
-The `shell` Singularity sub-command will automatically spawn an interactive shell within a container. As of v2.3 the default shell that is spawned via the `shell` command is Bash if it exists otherwise `/bin/sh` is called.
+The `shell` Singularity sub-command will automatically spawn an interactive shell within a container. As of v2.3 the default shell that is spawned via the `shell` command is `/bin/bash` if it exists otherwise `/bin/sh` is called.
 
 {% include toc.html %}
 
diff --git a/pages/docs/user-docs/docs-docker.md b/pages/docs/user-docs/docs-docker.md
@@ -92,7 +92,7 @@ Registry: pancakes.registry.index.io
 Namespace: blue/berry/cream
 ```
 
-The power of bootstrap comes with the other stuff that you can do! This means running specific install commands, specifying your containers runscript (what it does when you execute it), adding files, labels, and customizing the environment. Here is a full Singularity file:
+The power of build comes with the other stuff that you can do! This means running specific install commands, specifying your containers runscript (what it does when you execute it), adding files, labels, and customizing the environment. Here is a full Singularity file:
 
 
 ```bash
@@ -196,7 +196,7 @@ Namespace: library
 ```
 
 ## Custom Authentication
-For both import and bootstrap using a build spec file, by default we use the Docker Registry `index.docker.io`. Singularity first tries the call without a token, and then asks for one with pull permissions if the request is defined. However, it may be the case that you want to provide a custom token for a private registry. You have two options. You can either provide a `Username` and `Password` in the build specification file (if stored locally and there is no need to share), or (in the case of doing an import or needing to secure the credentials) you can export these variables to environmental variables. We provide instructions for each of these cases:
+For both import and build using a build spec file, by default we use the Docker Registry `index.docker.io`. Singularity first tries the call without a token, and then asks for one with pull permissions if the request is defined. However, it may be the case that you want to provide a custom token for a private registry. You have two options. You can either provide a `Username` and `Password` in the build specification file (if stored locally and there is no need to share), or (in the case of doing an import or needing to secure the credentials) you can export these variables to environmental variables. We provide instructions for each of these cases:
 
 
 ### Authentication in the Singularity Build File
@@ -258,8 +258,6 @@ Have any more best practices? Please <a href="https://www.github.com/singularity
 
 
 ## Troubleshooting
-Why won't my image bootstrap work? If you can't find an answer on this site, please <a href="https://www.github.com/singularityware/singularity/issues" target="_blank">ping us an issue</a>.
+Why won't my image build work? If you can't find an answer on this site, please <a href="https://www.github.com/singularityware/singularity/issues" target="_blank">ping us an issue</a>.
 If you've found an answer and you'd like to see it on the site for others to benefit from, then post to us <a href="https://www.github.com/singularityware/singularityware.github.io/issues" target="_blank">here</a>.
 
-## Future
-This entire process will hopefully change in two ways. First, we hope to collapse the image creation and bootstrapping, so you have the option to do them both in one full swing. Second, we hope to eventually figure out some kind of solution to import Docker containers without needing sudo.
