Running Open OnDemand in a Docker Swarm

dtenenba · October 27, 2022, 5:52pm

Hi,

I’m wondering if I can set up Open OnDemand to run in a Docker Swarm Cluster. I have previously set up a whole demo Slurm cluster (where the master and compute nodes all ran as Docker containers) with Open OnDemand, running in docker-compose. But this time I want to set up the Open OnDemand app to use our actual Slurm cluster, but I’d like the app to be hosted in our Docker Swarm cluster.

So that’s my general question, and I have some specific sub-questions:

Do I need to fully set up the Open OnDemand machine as a login node? Could I instead set up wrappers to my slurm commands (sbatch, srun, sacct, etc) that ssh to a real login node and run them there?
Our Docker Swarm cluster is using Traefik for service discovery and SSL termination. Can I disable the SSL termination in Open OnDemand so that I can let Traefik handle it?
I have an existing Dockerfile that I developed for my previous demo version, but I’m wondering if there is a Dockerfile out there that I can look at as an example of how to run a production instance of OnDemand in Docker.

Thanks.

jeff.ohrstrom · October 28, 2022, 1:29pm

The issue here is UID matching. If you have wrapper scripts for sbatch then the user issuing that command (or the ssh command) should be the UID of the actual user. So in the container itself it needs to fork and become that real user. So you’ve got an issue of UID mapping that’s likely going to require SSSD stack mounted into the container.
Probably - but you’d need this hack so that OOD will respond to http requests.

github.com/OSC/ondemand

HTTP 422 Error / InvalidAuthenticityToken

opened 09:43AM - 31 May 21 UTC

closed 02:38PM - 17 Jun 21 UTC

GloktarFR

bug

After a fresh installation of OOD-2.0.9 on CentOS-7.9, I'm unable to use batch c…onnect applications. The navigation through the dashboard (file explorer, shell, etc.) is working well though. But every time I try to submit a job in an interactive session, I'm getting a HTTP 422 Error. In the /var/log/ondemand-nginx/<user>/error.log, I'm seeing this error message: ``` App 19736 output: [2021-05-31 09:51:01 +0200 ] WARN "Can't verify CSRF token authenticity." App 19736 output: [2021-05-31 09:51:01 +0200 ] INFO "method=POST path=/pun/sys/dashboard/batch_connect/sys/bc_desktop_3d/session_contexts format=html controller=BatchConnect::SessionContextsController action=create status=422 error='ActionController::InvalidAuthenticityToken: ActionController::InvalidAuthenticityToken' duration=0.73 view=0.00" App 19736 output: [2021-05-31 09:51:01 +0200 ] FATAL "" App 19736 output: [2021-05-31 09:51:01 +0200 ] FATAL "ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):" App 19736 output: [2021-05-31 09:51:01 +0200 ] FATAL "" App 19736 output: [2021-05-31 09:51:01 +0200 ] FATAL "actionpack (5.2.6) lib/action_controller/metal/request_forgery_protection.rb:215:in `handle_unverified_request'\nactionpack (5.2.6) lib/action_controller/metal/request_forgery_protection.rb:247:in `handle_unverified_request'\nactionpack (5.2.6) lib/action_controller/metal/request_forgery_protection.rb:242:in `verify_authenticity_token'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:426:in `block in make_lambda'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:198:in `block (2 levels) in halting'\nactionpack (5.2.6) lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:199:in `block in halting'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:513:in `block in invoke_before'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:513:in `each'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:513:in `invoke_before'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:131:in `run_callbacks'\nactionpack (5.2.6) lib/abstract_controller/callbacks.rb:41:in `process_action'\nactionpack (5.2.6) lib/action_controller/metal/rescue.rb:22:in `process_action'\nactionpack (5.2.6) lib/action_controller/metal/instrumentation.rb:34:in `block in process_action'\nactivesupport (5.2.6) lib/active_support/notifications.rb:168:in `block in instrument'\nactivesupport (5.2.6) lib/active_support/notifications/instrumenter.rb:23:in `instrument'\nactivesupport (5.2.6) lib/active_support/notifications.rb:168:in `instrument'\nactionpack (5.2.6) lib/action_controller/metal/instrumentation.rb:32:in `process_action'\nactionpack (5.2.6) lib/action_controller/metal/params_wrapper.rb:256:in `process_action'\nactionpack (5.2.6) lib/abstract_controller/base.rb:134:in `process'\nactionview (5.2.6) lib/action_view/rendering.rb:32:in `process'\nactionpack (5.2.6) lib/action_controller/metal.rb:191:in `dispatch'\nactionpack (5.2.6) lib/action_controller/metal.rb:252:in `dispatch'\nactionpack (5.2.6) lib/action_dispatch/routing/route_set.rb:52:in `dispatch'\nactionpack (5.2.6) lib/action_dispatch/routing/route_set.rb:34:in `serve'\nactionpack (5.2.6) lib/action_dispatch/journey/router.rb:52:in `block in serve'\nactionpack (5.2.6) lib/action_dispatch/journey/router.rb:35:in `each'\nactionpack (5.2.6) lib/action_dispatch/journey/router.rb:35:in `serve'\nactionpack (5.2.6) lib/action_dispatch/routing/route_set.rb:840:in `call'\nrack (2.2.3) lib/rack/tempfile_reaper.rb:15:in `call'\nrack (2.2.3) lib/rack/etag.rb:27:in `call'\nrack (2.2.3) lib/rack/conditional_get.rb:40:in `call'\nrack (2.2.3) lib/rack/head.rb:12:in `call'\nactionpack (5.2.6) lib/action_dispatch/http/content_security_policy.rb:18:in `call'\nrack (2.2.3) lib/rack/session/abstract/id.rb:266:in `context'\nrack (2.2.3) lib/rack/session/abstract/id.rb:260:in `call'\nactionpack (5.2.6) lib/action_dispatch/middleware/cookies.rb:670:in `call'\nactionpack (5.2.6) lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:98:in `run_callbacks'\nactionpack (5.2.6) lib/action_dispatch/middleware/callbacks.rb:26:in `call'\nactionpack (5.2.6) lib/action_dispatch/middleware/debug_exceptions.rb:61:in `call'\nactionpack (5.2.6) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'\nlograge (0.11.2) lib/lograge/rails_ext/rack/logger.rb:15:in `call_app'\nrailties (5.2.6) lib/rails/rack/logger.rb:26:in `block in call'\nactivesupport (5.2.6) lib/active_support/tagged_logging.rb:71:in `block in tagged'\nactivesupport (5.2.6) lib/active_support/tagged_logging.rb:28:in `tagged'\nactivesupport (5.2.6) lib/active_support/tagged_logging.rb:71:in `tagged'\nrailties (5.2.6) lib/rails/rack/logger.rb:26:in `call'\nactionpack (5.2.6) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'\nrequest_store (1.5.0) lib/request_store/middleware.rb:19:in `call'\nactionpack (5.2.6) lib/action_dispatch/middleware/request_id.rb:27:in `call'\nrack (2.2.3) lib/rack/method_override.rb:24:in `call'\nrack (2.2.3) lib/rack/runtime.rb:22:in `call'\nactivesupport (5.2.6) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'\nactionpack (5.2.6) lib/action_dispatch/middleware/executor.rb:14:in `call'\nrack (2.2.3) lib/rack/sendfile.rb:110:in `call'\nrailties (5.2.6) lib/rails/engine.rb:524:in `call'\n/opt/rh/ondemand/root/usr/share/ruby/vendor_ruby/phusion_passenger/rack/thread_handler_extension.rb:107:in `process_request'\n/opt/rh/ondemand/root/usr/share/ruby/vendor_ruby/phusion_passenger/request_handler/thread_handler.rb:157:in `accept_and_process_next_request'\n/opt/rh/ondemand/root/usr/share/ruby/vendor_ruby/phusion_passenger/request_handler/thread_handler.rb:110:in `main_loop'\n/opt/rh/ondemand/root/usr/share/ruby/vendor_ruby/phusion_passenger/request_handler.rb:416:in `block (3 levels) in start_threads'\n/opt/rh/ondemand/root/usr/share/ruby/vendor_ruby/phusion_passenger/utils.rb:113:in `block in create_thread_and_abort_on_exception'" ``` Any idea what's causing this ? I have this exact same installation with ondemand-1.8.20 and it's working fine.

I don’t have this but I know for sure you should install the packages in the container (dep or rpm). Building OOD from the source in the container is discouraged.

ashokr · October 28, 2022, 7:45pm

@dtenenba We are currently using OOD in docker at Brown. We do have an external facing VM that NFS mounts our HPC file systems including slurm on the container and then we run munge and nis within the container for authentication to slurm. Essentially, we recreated the VM in a container with system services including NIS and munge to ensure that we can correctly authenticate users. Our main system is also running shib for campus-wide login. Our docker repos are private to maintain sensitive info, but will be happy to share our Dockerfile with you.

ashokr · October 28, 2022, 7:48pm

@dtenenba I also will be happy to hop on a zoom call sometime to walk through our setup if that’s more helpful. There are some specifics related to how the over system is setup with the organization and hopefully I can help with untangling some of them

system · April 26, 2023, 7:48pm

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Submit to scheduler on seperate node from OndDemand node Get Help	5	631	May 26, 2022
Install on single server Get Help	5	1346	May 26, 2022
Multiple SLURM clusters and OnDemand Get Help question	5	1404	May 17, 2022
Integration of QuickEMU with Open OnDemand Feature Requests and Roadmap Discussion question	2	565	July 6, 2023
Missing option flags in sbatch command of remote desktop? Get Help question	2	99	January 19, 2024

Running Open OnDemand in a Docker Swarm

Related Topics