Running Open OnDemand in a Docker Swarm

dtenenba · October 27, 2022, 5:52pm

Hi,

I’m wondering if I can set up Open OnDemand to run in a Docker Swarm Cluster. I have previously set up a whole demo Slurm cluster (where the master and compute nodes all ran as Docker containers) with Open OnDemand, running in docker-compose. But this time I want to set up the Open OnDemand app to use our actual Slurm cluster, but I’d like the app to be hosted in our Docker Swarm cluster.

So that’s my general question, and I have some specific sub-questions:

Do I need to fully set up the Open OnDemand machine as a login node? Could I instead set up wrappers to my slurm commands (sbatch, srun, sacct, etc) that ssh to a real login node and run them there?
Our Docker Swarm cluster is using Traefik for service discovery and SSL termination. Can I disable the SSL termination in Open OnDemand so that I can let Traefik handle it?
I have an existing Dockerfile that I developed for my previous demo version, but I’m wondering if there is a Dockerfile out there that I can look at as an example of how to run a production instance of OnDemand in Docker.

Thanks.

jeff.ohrstrom · October 28, 2022, 1:29pm

The issue here is UID matching. If you have wrapper scripts for sbatch then the user issuing that command (or the ssh command) should be the UID of the actual user. So in the container itself it needs to fork and become that real user. So you’ve got an issue of UID mapping that’s likely going to require SSSD stack mounted into the container.
Probably - but you’d need this hack so that OOD will respond to http requests.

github.com/OSC/ondemand

HTTP 422 Error / InvalidAuthenticityToken

opened 09:43AM - 31 May 21 UTC

closed 02:38PM - 17 Jun 21 UTC

GloktarFR

bug

After a fresh installation of OOD-2.0.9 on CentOS-7.9, I'm unable to use batch c…onnect applications. The navigation through the dashboard (file explorer, shell, etc.) is working well though. But every time I try to submit a job in an interactive session, I'm getting a HTTP 422 Error. In the /var/log/ondemand-nginx/<user>/error.log, I'm seeing this error message: ``` App 19736 output: [2021-05-31 09:51:01 +0200 ] WARN "Can't verify CSRF token authenticity." App 19736 output: [2021-05-31 09:51:01 +0200 ] INFO "method=POST path=/pun/sys/dashboard/batch_connect/sys/bc_desktop_3d/session_contexts format=html controller=BatchConnect::SessionContextsController action=create status=422 error='ActionController::InvalidAuthenticityToken: ActionController::InvalidAuthenticityToken' duration=0.73 view=0.00" App 19736 output: [2021-05-31 09:51:01 +0200 ] FATAL "" App 19736 output: [2021-05-31 09:51:01 +0200 ] FATAL "ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):" App 19736 output: [2021-05-31 09:51:01 +0200 ] FATAL "" App 19736 output: [2021-05-31 09:51:01 +0200 ] FATAL "actionpack (5.2.6) lib/action_controller/metal/request_forgery_protection.rb:215:in `handle_unverified_request'\nactionpack (5.2.6) lib/action_controller/metal/request_forgery_protection.rb:247:in `handle_unverified_request'\nactionpack (5.2.6) lib/action_controller/metal/request_forgery_protection.rb:242:in `verify_authenticity_token'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:426:in `block in make_lambda'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:198:in `block (2 levels) in halting'\nactionpack (5.2.6) lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:199:in `block in halting'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:513:in `block in invoke_before'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:513:in `each'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:513:in `invoke_before'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:131:in `run_callbacks'\nactionpack (5.2.6) lib/abstract_controller/callbacks.rb:41:in `process_action'\nactionpack (5.2.6) lib/action_controller/metal/rescue.rb:22:in `process_action'\nactionpack (5.2.6) lib/action_controller/metal/instrumentation.rb:34:in `block in process_action'\nactivesupport (5.2.6) lib/active_support/notifications.rb:168:in `block in instrument'\nactivesupport (5.2.6) lib/active_support/notifications/instrumenter.rb:23:in `instrument'\nactivesupport (5.2.6) lib/active_support/notifications.rb:168:in `instrument'\nactionpack (5.2.6) lib/action_controller/metal/instrumentation.rb:32:in `process_action'\nactionpack (5.2.6) lib/action_controller/metal/params_wrapper.rb:256:in `process_action'\nactionpack (5.2.6) lib/abstract_controller/base.rb:134:in `process'\nactionview (5.2.6) lib/action_view/rendering.rb:32:in `process'\nactionpack (5.2.6) lib/action_controller/metal.rb:191:in `dispatch'\nactionpack (5.2.6) lib/action_controller/metal.rb:252:in `dispatch'\nactionpack (5.2.6) lib/action_dispatch/routing/route_set.rb:52:in `dispatch'\nactionpack (5.2.6) lib/action_dispatch/routing/route_set.rb:34:in `serve'\nactionpack (5.2.6) lib/action_dispatch/journey/router.rb:52:in `block in serve'\nactionpack (5.2.6) lib/action_dispatch/journey/router.rb:35:in `each'\nactionpack (5.2.6) lib/action_dispatch/journey/router.rb:35:in `serve'\nactionpack (5.2.6) lib/action_dispatch/routing/route_set.rb:840:in `call'\nrack (2.2.3) lib/rack/tempfile_reaper.rb:15:in `call'\nrack (2.2.3) lib/rack/etag.rb:27:in `call'\nrack (2.2.3) lib/rack/conditional_get.rb:40:in `call'\nrack (2.2.3) lib/rack/head.rb:12:in `call'\nactionpack (5.2.6) lib/action_dispatch/http/content_security_policy.rb:18:in `call'\nrack (2.2.3) lib/rack/session/abstract/id.rb:266:in `context'\nrack (2.2.3) lib/rack/session/abstract/id.rb:260:in `call'\nactionpack (5.2.6) lib/action_dispatch/middleware/cookies.rb:670:in `call'\nactionpack (5.2.6) lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'\nactivesupport (5.2.6) lib/active_support/callbacks.rb:98:in `run_callbacks'\nactionpack (5.2.6) lib/action_dispatch/middleware/callbacks.rb:26:in `call'\nactionpack (5.2.6) lib/action_dispatch/middleware/debug_exceptions.rb:61:in `call'\nactionpack (5.2.6) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'\nlograge (0.11.2) lib/lograge/rails_ext/rack/logger.rb:15:in `call_app'\nrailties (5.2.6) lib/rails/rack/logger.rb:26:in `block in call'\nactivesupport (5.2.6) lib/active_support/tagged_logging.rb:71:in `block in tagged'\nactivesupport (5.2.6) lib/active_support/tagged_logging.rb:28:in `tagged'\nactivesupport (5.2.6) lib/active_support/tagged_logging.rb:71:in `tagged'\nrailties (5.2.6) lib/rails/rack/logger.rb:26:in `call'\nactionpack (5.2.6) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'\nrequest_store (1.5.0) lib/request_store/middleware.rb:19:in `call'\nactionpack (5.2.6) lib/action_dispatch/middleware/request_id.rb:27:in `call'\nrack (2.2.3) lib/rack/method_override.rb:24:in `call'\nrack (2.2.3) lib/rack/runtime.rb:22:in `call'\nactivesupport (5.2.6) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'\nactionpack (5.2.6) lib/action_dispatch/middleware/executor.rb:14:in `call'\nrack (2.2.3) lib/rack/sendfile.rb:110:in `call'\nrailties (5.2.6) lib/rails/engine.rb:524:in `call'\n/opt/rh/ondemand/root/usr/share/ruby/vendor_ruby/phusion_passenger/rack/thread_handler_extension.rb:107:in `process_request'\n/opt/rh/ondemand/root/usr/share/ruby/vendor_ruby/phusion_passenger/request_handler/thread_handler.rb:157:in `accept_and_process_next_request'\n/opt/rh/ondemand/root/usr/share/ruby/vendor_ruby/phusion_passenger/request_handler/thread_handler.rb:110:in `main_loop'\n/opt/rh/ondemand/root/usr/share/ruby/vendor_ruby/phusion_passenger/request_handler.rb:416:in `block (3 levels) in start_threads'\n/opt/rh/ondemand/root/usr/share/ruby/vendor_ruby/phusion_passenger/utils.rb:113:in `block in create_thread_and_abort_on_exception'" ``` Any idea what's causing this ? I have this exact same installation with ondemand-1.8.20 and it's working fine.

I don’t have this but I know for sure you should install the packages in the container (dep or rpm). Building OOD from the source in the container is discouraged.

ashokr · October 28, 2022, 7:45pm

@dtenenba We are currently using OOD in docker at Brown. We do have an external facing VM that NFS mounts our HPC file systems including slurm on the container and then we run munge and nis within the container for authentication to slurm. Essentially, we recreated the VM in a container with system services including NIS and munge to ensure that we can correctly authenticate users. Our main system is also running shib for campus-wide login. Our docker repos are private to maintain sensitive info, but will be happy to share our Dockerfile with you.

ashokr · October 28, 2022, 7:48pm

@dtenenba I also will be happy to hop on a zoom call sometime to walk through our setup if that’s more helpful. There are some specifics related to how the over system is setup with the organization and hopefully I can help with untangling some of them

Topic		Replies	Views
Getting started - non RedHat shop - Docker? Get Help question	15	478	November 2, 2022
Open OnDemand is currently offline for maintenance after stoping and starting docker container Get Help question	8	1284	November 2, 2022
Setup OpenOndemand in AWS ParallelCluster Get Help question	2	709	May 26, 2022
Issue Getting Jobs to Submit to the Slurm Cluster via OnDemand (RHEL 8.6, OnDemand 2.0.27) Get Help ondemand2 , question	12	1096	January 4, 2023
Run OOD in WSL on a Win10 VDI? Get Help	10	311	May 4, 2025

Running Open OnDemand in a Docker Swarm

Related topics