https://wiki.bwhpc.de/wiki/index.php?action=history&feed=atom&title=NEMO2%2FContainers%2FEnrootNEMO2/Containers/Enroot - Revision history2026-05-08T13:16:00ZRevision history for this page on the wikiMediaWiki 1.39.17https://wiki.bwhpc.de/wiki/index.php?title=NEMO2/Containers/Enroot&diff=16050&oldid=prevM Janczyk: Created page with "'''Enroot''' is a container runtime developed by NVIDIA that runs OCI/Docker containers without root privileges. On NEMO it is the '''recommended''' container solution and is integrated with Slurm via the '''Pyxis''' SPANK plugin. == How it works == Enroot converts a Docker image into a SquashFS file (<tt>.sqsh</tt>), unpacks it on demand into an overlay filesystem, and runs your workload inside that environment. The Pyxis plugin adds <tt>--container-*</tt> options to..."2026-05-07T17:05:11Z<p>Created page with "'''Enroot''' is a container runtime developed by NVIDIA that runs OCI/Docker containers without root privileges. On NEMO it is the '''recommended''' container solution and is integrated with Slurm via the '''Pyxis''' SPANK plugin. == How it works == Enroot converts a Docker image into a SquashFS file (<tt>.sqsh</tt>), unpacks it on demand into an overlay filesystem, and runs your workload inside that environment. The Pyxis plugin adds <tt>--container-*</tt> options to..."</p>
<p><b>New page</b></p><div>'''Enroot''' is a container runtime developed by NVIDIA that runs OCI/Docker containers without root privileges.<br />
On NEMO it is the '''recommended''' container solution and is integrated with Slurm via the '''Pyxis''' SPANK plugin.<br />
<br />
== How it works ==<br />
<br />
Enroot converts a Docker image into a SquashFS file (<tt>.sqsh</tt>), unpacks it on demand into an overlay filesystem, and runs your workload inside that environment.<br />
The Pyxis plugin adds <tt>--container-*</tt> options to <tt>srun</tt>/<tt>salloc</tt>/<tt>sbatch</tt> so containers become first-class Slurm jobs.<br />
<br />
== Default mounts ==<br />
<br />
The following paths are '''automatically mounted''' into every container when launched via Slurm/Pyxis:<br />
<br />
{| class="wikitable"<br />
|-<br />
! Host path !! Notes<br />
|-<br />
| <tt>/home</tt> || all home directories, read-write<br />
|-<br />
| <tt>/work</tt> || all workspace filesystems, read-write<br />
|-<br />
| <tt>/etc/slurm</tt> || Slurm configuration (read-only)<br />
|-<br />
| <tt>/usr/lib64/slurm</tt> || Slurm plug-in libraries (read-only)<br />
|}<br />
<br />
You do '''not''' need to pass <tt>--container-mount-home</tt> or <tt>--container-mounts=/work</tt> manually — they are already there.<br />
The paths inside the container are '''identical''' to the paths on the host system, so scripts and config files referencing <tt>$HOME</tt> or workspace paths work without modification.<br />
<br />
Note that <tt>ws_*</tt> tools (e.g. <tt>ws_find</tt>, <tt>ws_list</tt>) are '''not available inside the container'''.<br />
Determine your workspace path on the login node before submitting the job and pass it as an environment variable or hard-code it in your script.<br />
<br />
== Container image storage ==<br />
<br />
Unpacked container images are stored in:<br />
<br />
<pre><br />
~/.local/share/enroot/<br />
</pre><br />
<br />
Images are SquashFS files and can be several GB.<br />
To avoid filling your home quota, store images in a [[Workspaces|workspace]] and symlink the default path:<br />
<br />
<pre><br />
# create a workspace (100 days)<br />
ws_allocate enroot 100<br />
<br />
# replace the default enroot directory with a symlink to the workspace<br />
mkdir -p ~/.local/share<br />
ln -s $(ws_find enroot) ~/.local/share/enroot<br />
</pre><br />
<br />
Enroot (and Pyxis) will now transparently use the workspace path for all image storage.<br />
<br />
== Usage without Slurm (interactive) ==<br />
<br />
=== Import an image ===<br />
<br />
<pre><br />
# from Docker Hub<br />
enroot import docker://ubuntu:24.04<br />
<br />
# from quay.io<br />
enroot import docker://quay.io#rockylinux/rockylinux:9<br />
<br />
# from NVIDIA NGC<br />
enroot import docker://nvcr.io#nvidia/pytorch:24.01-py3<br />
</pre><br />
<br />
This creates a <tt>.sqsh</tt> file in the current directory.<br />
<br />
=== Create a container ===<br />
<br />
The container name must be prefixed with <tt>pyxis_</tt> for Slurm/Pyxis to find it later (omit the prefix when passing <tt>--container-name</tt> to Slurm).<br />
<br />
<pre><br />
enroot create --name pyxis_ubuntu ubuntu+24.04.sqsh<br />
</pre><br />
<br />
=== Start a container ===<br />
<br />
<pre><br />
# interactive shell, read-write<br />
enroot start --rw pyxis_ubuntu bash<br />
<br />
# get root inside the container (to install packages)<br />
enroot start --root --rw pyxis_ubuntu bash<br />
<br />
# mount an extra directory (e.g. from outside /home and /work)<br />
enroot start --rw -m /tmp/mydata:/data pyxis_ubuntu bash<br />
</pre><br />
<br />
=== List and remove containers ===<br />
<br />
<pre><br />
enroot list --fancy<br />
enroot remove pyxis_ubuntu<br />
</pre><br />
<br />
== Usage via Slurm / Pyxis ==<br />
<br />
=== Interactive allocation ===<br />
<br />
<pre><br />
# use an already-created container<br />
salloc -p cpu --container-name=ubuntu<br />
<br />
# pull, create and start in one step (container is created under ~/.local/share/enroot/)<br />
salloc -p cpu --container-image=ubuntu:24.04 --container-name=ubuntu<br />
salloc -p cpu --container-image="quay.io#rockylinux/rockylinux:9" --container-name=rocky<br />
salloc -p l40s --gres=gpu:1 --container-image="nvcr.io#nvidia/pytorch:24.01-py3" --container-name=pytorch<br />
<br />
# start with a specific working directory inside the container<br />
# $(ws_find enroot) is evaluated on the login node before the job starts<br />
salloc -p cpu --container-name=ubuntu --container-workdir=$(ws_find enroot)<br />
</pre><br />
<br />
=== Batch job ===<br />
<br />
<pre lang="bash"><br />
#!/bin/bash<br />
#SBATCH -p cpu<br />
#SBATCH --container-name=ubuntu<br />
<br />
python3 /work/classic/myWs/train.py<br />
</pre><br />
<br />
=== Useful Pyxis options ===<br />
<br />
All options are listed in <tt>srun --help</tt> under ''Options provided by plugins''.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Option !! Effect<br />
|-<br />
| <tt>--container-name=NAME</tt> || Use existing enroot container (omit the <tt>pyxis_</tt> prefix)<br />
|-<br />
| <tt>--container-image=IMAGE</tt> || Pull image from registry and create container on the fly<br />
|-<br />
| <tt>--container-mount-home</tt> || Mount <tt>$HOME</tt> into container (already in defaults, but explicit flag also works)<br />
|-<br />
| <tt>--container-mounts=SRC:DST[,…]</tt> || Bind-mount additional paths<br />
|-<br />
| <tt>--container-writable</tt> || Make the container overlay writable<br />
|-<br />
| <tt>--container-remap-root</tt> || Become root inside the container (no real root on host)<br />
|-<br />
| <tt>--container-workdir=PATH</tt> || Set the working directory inside the container<br />
|}<br />
<br />
== GPU access ==<br />
<br />
GPU passthrough is '''automatic''' — no extra flags are needed.<br />
Enroot/Pyxis detect the allocated GPUs via Slurm's GRES mechanism and make them available inside the container.<br />
<br />
<pre><br />
salloc -p l40s --gres=gpu:1 --container-name=pytorch<br />
# nvidia-smi works inside the container out of the box<br />
</pre><br />
<br />
== Tips ==<br />
<br />
* Install extra packages interactively with <tt>enroot start --root --rw</tt> before submitting batch jobs.<br />
* Use <tt>--container-writable</tt> in batch jobs only if your script modifies the container filesystem; otherwise the default overlay is discarded after the job anyway.<br />
* Store large datasets in workspaces (<tt>/work</tt>), not in <tt>$HOME</tt>, to avoid filling your home quota with data files.</div>M Janczyk