IBM Spectrum LSF with Docker

Configure and use LSF to run jobs in Docker containers on demand. LSF manages the entire lifecycle of jobs that run in the container, just as it does for common jobs.

LSF provides the following benefits when using Docker containers:

Resolves Docker security concerns

The most serious security concern with Docker is privilege escalation in a container. A user who starts a Docker container can be root within that container. LSF takes over permission management for Docker containers, ensuring that jobs are launched within the container and have only the permissions of the execution user.

LSF also enables administrators to configure Docker images and runtime options in an application profile. Administrators have full control of the images, including the registry from which the image originated, the configured image name, and the image version to be used. LSF forbids common cluster users from using arbitrary images to avoid potential security risks.

Schedules Docker jobs on Docker hosts

LSF uses a boolean resource named docker to identify a host on which the Docker service is started. LSF automatically attaches the docker boolean resource to Docker jobs and schedules Docker jobs to hosts with Docker available.

Automatically sets the Docker runtime environment

Before an LSF job starts on the execution host, LSF sets the execution context similar to the submission environment and settings. This includes current environment variables, CPU affinity, process limits, and the execution user. In Docker environments, LSF automatically sets the job execution context in the container.

Launches containers for parallel jobs

A parallel job might have several ranks across hosts. For container parallel jobs, LSF launches a container on each host for the job's tasks. The task container has the same execution environment settings as the job container. LSF ensures that the MPI environment that is used for the job is packed in the image. Therefore, there are no dependencies on the host MPI environment.

Supports official cgroup drivers

Docker supports both cgroupfs and systemd cgroup drivers to manage container resources with Linux control groups. Docker uses cgroupfs by default, but RHEL releases now use systemd as the default cgroup driver. LSF supports both cgroup drivers with execution driver scripts.

Uses GPUs for application acceleration

When you submit a Docker job with GPU resource requirements, LSF schedules GPUs for the job, allocates them, and dispatches the job to a Docker host. While the Docker container is starting up, LSF uses the nvidia-docker runtime to start the container with the allocated GPU attached.
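
The administrator control over registry, image name, and image version described under "Resolves Docker security concerns" can be checked before a profile goes live. The following is an added example, not IBM code: it assumes application profiles in lsb.applications use the `CONTAINER = docker[image(...) options(...)]` form, and the allow-list, profile names, and sample text are constructed for illustration.

```python
import re

APPROVED_REGISTRIES = {"registry.example.com"}  # assumption: site allow-list
RISKY_OPTIONS = ("--privileged", "--cap-add")   # docker run flags that widen privileges

# Constructed sample profiles, not taken from a real cluster.
SAMPLE = """\
Begin Application
NAME = pinned
CONTAINER = docker[image(registry.example.com/hpc/solver:2.4.1) options(--rm --net=host)]
End Application
Begin Application
NAME = loose
CONTAINER = docker[image(ubuntu) options(--rm --privileged)]
End Application
"""

BLOCK_RE = re.compile(r"^Begin Application\s*$(.*?)^End Application\s*$", re.M | re.S)
CONTAINER_RE = re.compile(r"docker\[\s*image\(([^)]*)\)\s*(?:options\(([^)]*)\))?")

def parse_profiles(text):
    """Yield (name, image, options) for each profile that defines a Docker container."""
    for body in BLOCK_RE.findall(text):
        pairs = (ln.split("=", 1) for ln in body.splitlines() if "=" in ln)
        fields = {k.strip(): v.strip() for k, v in pairs}
        m = CONTAINER_RE.search(fields.get("CONTAINER", ""))
        if m:
            yield fields.get("NAME", "?"), m.group(1).strip(), (m.group(2) or "").split()

def audit_image(image):
    """Return findings for one image reference: registry, name, version."""
    findings = []
    first, _, rest = image.partition("/")
    # Docker reads the first path component as a registry only if it looks like a host.
    registry = first if rest and ("." in first or ":" in first) else None
    if registry not in APPROVED_REGISTRIES:
        findings.append("registry not on allow-list")
    last = image.rsplit("/", 1)[-1]
    if "@sha256:" not in last and last.partition(":")[2] in ("", "latest"):
        findings.append("image version not pinned")
    return findings

def audit(text):
    return {n: audit_image(i) + [f"option {o} widens privileges" for o in opts if o.startswith(RISKY_OPTIONS)]
            for n, i, opts in parse_profiles(text)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```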