10  Working with containers

10.1 Visual Table of Contents

flowchart TD
   B["Open Shell in Container\n(with Bindpaths)"]
   B --> D[Test Scripts in container]
   D --> E[Exit Container]

10.2 Opening Shells in Containers for Testing

In this section, we talk about testing scripts in a container using apptainer. We use apptainer (formerly Singularity) in order to run Docker containers on a shared HPC system. This is because Docker itself requires root-level privileges, which is not secure on shared systems.

In order to do our testing, we’ll first pull the Docker container, map our bind point (so our container can access files outside of its file system), and then run scripts in the container.

Even if you aren’t going to frequently use Apptainer in your work, I recommend trying an interactive shell in a container at least once or twice to learn about the container filesystem and conceptually understand how you connect it to the external filesystem.

10.2.1 Pulling a Docker Container

Let’s pull a docker container from the Docker registry. Note we have to specify docker:// when we pull the container, because Apptainer has its own internal format called SIF.

apptainer pull docker://biocontainers/samtools:v1.9-4-deb_cv1

10.3 Opening a Shell in a Container with apptainer shell

When you’re getting started, opening a shell using Apptainer can help you test out things like filepaths and how they’re accessed in the container. It’s hard to get an intuition for how file I/O works with containers until you can see the limited view from the container.

By default, apptainers can see your current directory and navigate to the files in it.

You can open an Apptainer shell in a container using apptainer shell. Remember to use docker:// before the container name. For example:

module load Apptainer/1.1.6
apptainer shell docker://biocontainers/samtools:v1.9-4-deb_cv1

This will load the apptainer module, and then open a Bash shell in the container using apptainer shell. Once you’re in the container, you can test code, especially seeing whether your files can be seen by the container (see Section 10.4). 90% of the issues with using Docker containers has to do with bind paths, so we’ll talk about that next.

Once you’re in the shell, you can take a look at where samtools is installed:

which samtools

Note that the container filesystem is isolated, and we need to explicitly build connections to it (called bind paths) to get files in and out. We’ll talk more about this in the next section.

Once we’re done testing scripts in our containers, we can exit the shell and get back into the node.

exit
Opening a Shell in a Docker Container with Docker

For the most part, due to security reasons, we don’t use docker on HPC systems. In short, the docker group essentially has root-level access to the machine, and it’s not a good for security on a shared resource like an HPC. However, if you have admin level access (for example, on your own laptop), you can open up an interactive shell with docker run:

docker run -it biocontainers/samtools:v1.9-4-deb_cv1 /bin/bash

This will open a bash shell much like apptainer shell. Note that volumes (the docker equivalent of bind paths) are specified differently in Docker compared to Apptainer.

10.4 Testing out bind paths in containers

One thing to keep in mind is that every container has its own filesystem. One of the hardest things to wrap your head around for containers is how their filesystems work, and how to access files that are outside of the container filesystem. We’ll call any filesystems outside of the container external filesystems to make the discussion a little easier.

By default, the containers have access to your current working directory. We could make this where our scripts live (such as /home/tladera2/), but because our data is elsewhere, we’ll need to specify that location (/fh/fast/mylab/) as well.

The main mechanism we have in Apptainer to access the external filesystem are bind paths. Much like mounting a drive, we can bind directories from the external filesystem using these bind points.

flowchart LR
   B["External Directory\n/fh/fast/mydata/"] 
   B --read--> C
   C --write--> B
   A["Container Filesystem\n/mydata/"]--write-->C("--bind /fh/fast/mydata/:/mydata/")
   C --read--> A

I think of bind paths as “tunnels” that give access to particular folders in the external filesystem. Once the tunnel is open, we can access data files, process them, and save them using the bind path.

Say my data lives in /fh/fast/mydata/. Then I can specify a bind point in my apptainer shell and apptainer run commands.

We can do this with the --bind option:

apptainer shell --bind /fh/fast/mydata:/mydata docker://biocontainers/samtools:v1.9-4-deb_cv1

Note that the bind syntax doesn’t have the trailing slash (/). That is, note that it is:

--bind /fh/fast/mydata: ....

Rather than

--bind /fh/fast/mydata/: ....

Now our /fh/fast/mydata/ folder will be available as /mydata/ in my container. We can read and write files to this bind point. For example, I’d refer to the .bam file /fh/fast/mydata/my_bam_file.bam as:

samtools view -c /mydata/my_bam_file.bam
WDL makes this way easier

A major point of failure with Apptainer scripting is when our scripts aren’t using the right bind paths.

This is one reason we recommend writing WDL Workflows and a workflow engine (such as Cromwell) to run your workflows. You don’t have to worry that your bind points are setup correctly, because they are handled by the workflow engine.

10.4.1 Testing in the Apptainer Shell

Ok, now we have a bind point, so now we can test our script in the shell. For example, we can see if we are invoking samtools in the correct way and that our bind points work.

samtools view -c /mydata/my_bam_file.bam > /mydata/bam_counts.txt

Again, trying out scripts in the container is the best way to understand what the container can and can’t see.

10.4.2 Exiting the container when you’re done

You can exit, like any shell you open. You should be out of the container. Confirm by using hostname to make sure you’re out of the container.

10.5 Testing outside of the container

Let’s take everything that we learned and put it in a script that we can run on the HPC:

# Script to samtools view -c an input file:
# Usage: ./run_sam.sh <my_bam_file.bam>
# Outputs a count file: my_bam_file.bam.counts.txt
#!/bin/bash
module load Apptainer/1.1.6
apptainer run --bind /fh/fast/mydata:/mydata docker://biocontainers/samtools:v1.9-4-deb_cv1 samtools view -c /mydata/$1 > /mydata/$1.counts.txt
#apptainer cache clean
module purge

We can use this script by the following command:

./run_sam.sh chr1.bam

And it will output a file called chr1.bam.counts.txt.

10.6 Apptainer Cache

The apptainer cache is where your docker images live. They are translated to the native apptainer .sif format.

You can see what’s in your cache by using

apptainer cache list

By default the cache lives at ~/.apptainer/cache.

If you need to clear out the cache, you can run

apptainer cache clean

to clear out the cache.

There are a number of environment variables (Section 4.4) that can be set, including login tokens for pulling from a private registry. More information is here.

10.7 Entrypoints

You can think of an entrypoint as a way of automatically starting something up in your container when you run it. For example, if you have a web stack container, one of the things you want to start is a web server when you start running it.

The main reason to be aware of entrypoints is when they exist in a Dockerfile. It is important to know what is started when you start running a container.

10.8 More Info

10.9 What Next?

You’ve learned how to open interactive shells in both a remote node and in a container. There are a number of ways to go from here:

  • Integrate containers into your scripts
  • Customize your containers using Dockerfiles