https://wiki.gacrc.uga.edu/api.php?action=feedcontributions&feedformat=atom&user=KrisResearch Computing Center Wiki - User contributions [en]2026-05-13T03:48:18ZUser contributionsMediaWiki 1.39.7https://wiki.gacrc.uga.edu/index.php?title=Podman&diff=22984Podman2026-05-06T21:01:33Z<p>Kris: Add Podman page!</p>
<hr />
<div>Podman is available on Sapelo2 for researchers who need to run software distributed as [https://opencontainers.org/ OCI container images]. It can be useful when a project already provides a standard container image or when a workflow expects familiar Docker-style commands. [https://developers.redhat.com/blog/2020/09/25/rootless-containers-with-podman-the-basics Podman is provided in a rootless configuration] and behaves differently from a typical workstation or server installation. In particular, image storage and some runtime features are constrained by the cluster's file system and stateless node environment. This guide explains the main differences, why they exist, and the practical limitations users should expect when running Podman on compute nodes.<br />
<br />
== Podman in Slurm jobs ==<br />
Podman depends on <code>XDG_RUNTIME_DIR</code> (typically <code>/run/user/$UID</code>) for rootless operation. On Sapelo2, Slurm jobs are not associated with a user systemd session, so this directory is '''not created automatically'''.<br />
<br />
As a result, Podman will fail in Slurm jobs unless a user session is created. Here is an example error from an interactive job:<syntaxhighlight lang="shell-session"><br />
Failed to obtain podman configuration: lstat /run/user/1337: no such file or directory<br />
</syntaxhighlight><br />
<br />
=== Workaround ===<br />
'''''Important:''' Podman will not work in Slurm jobs unless this step is performed.''<br />
<br />
Before running any Podman commands inside a Slurm job, start a background SSH session to localhost<syntaxhighlight lang="shell-session"><br />
ssh -N localhost >/dev/null 2>&1 &<br />
</syntaxhighlight>This creates a user session in the background and initializes <code>/run/user/$UID</code><br />
This workaround '''requires passwordless SSH access''' to your own account. You must have<br />
<br />
* An SSH keypair in <code>~/.ssh/</code><br />
<br />
* Your public key added to <code>~/.ssh/authorized_keys</code><br />
<br />
Test with:<syntaxhighlight lang="shell-session"><br />
ssh localhost<br />
</syntaxhighlight>'''This should not prompt for a password.'''<br />
<br />
This works because SSH creates a PAM/systemd user session, which initializes <code>/run/user/$UID</code>. The session remains active as long as the SSH process is running.<br />
<br />
Because the SSH process runs in the background of the job, ''it is automatically cleaned up when the job exits''.<br />
<br />
==Filesystem limitations==<br />
On Sapelo2, Podman images are effectively '''node-local''', not cluster-global like <code>/apps</code>. Rootless Podman normally expects local filesystem behavior for its image storage, but NFS-backed <code>/home</code> and Lustre-backed <code>/scratch</code> do not provide that behavior. As a result, Podman is configured to use local scratch storage on the compute node where the image is pulled or loaded.<br />
<br />
In practice, this means an image you pull on one compute node will not automatically be available on another. Researchers should expect to pull or load images again when moving between nodes.<br />
<br />
===Transporting images with <code>podman save</code> and <code>podman load</code>===<br />
A practical workaround is to save an image as a tar archive on shared storage, then load it into Podman on the node where you want to run it. While this does not make images globally shared, it does make them quicker to move between nodes without re-downloading from a registry on each node.<syntaxhighlight lang="shell-session"><br />
podman pull ubuntu<br />
podman save -o ubuntu.tar ubuntu<br />
podman load -i ubuntu.tar<br />
</syntaxhighlight><br />
<br />
==NVIDIA Container Toolkit==<br />
The NVIDIA Container Toolkit is the layer that enables Podman to expose NVIDIA GPUs inside containers. A major feature of the toolkit is CDI, the Container Device Interface. CDI lets containers request GPUs using stable, predictable names such as <code>nvidia.com/gpu=0</code>, <code>nvidia.com/gpu=1</code>, or even <code>nvidia.com/gpu=all</code>. On a heterogeneous cluster, where GPU types and counts may differ across nodes, this is much simpler than manually listing <code>/dev/nvidia*</code> devices and host library mounts for each container.<br />
<br />
A typical CDI-based Podman command looks like this:<syntaxhighlight lang="shell-session"><br />
podman run --rm --device nvidia.com/gpu=all ubuntu nvidia-smi<br />
</syntaxhighlight><br />
<br />
===CUDA validation example===<br />
A practical way to check that CUDA is working inside a container is to run a small PyTorch test rather than relying only on GPU enumeration. In this example, PyTorch reports that CUDA is available, allocates a tensor, and runs a simple arithmetic operation.<br />
<br />
'''''Note:''' Due to a known issue with the NVIDIA CDI <code>update-ldcache</code> hook on Sapelo2 (see below), this example includes a manual bind mount of <code>libcuda.so.1</code>, which would not normally be required.''<syntaxhighlight lang="shell-session"><br />
$ podman run --rm -it \<br />
--device nvidia.com/gpu=all \<br />
-v /usr/lib64/libcuda.so.1:/usr/lib/x86_64-linux-gnu/libcuda.so.1:ro \<br />
docker.io/pytorch/pytorch:2.9.0-cuda12.8-cudnn9-runtime \<br />
python3<br />
Trying to pull docker.io/pytorch/pytorch:2.9.0-cuda12.8-cudnn9-runtime...<br />
[output truncated]<br />
Writing manifest to image destination<br />
Python 3.11.14 | packaged by conda-forge | (main, Oct 13 2025, 14:09:32) [GCC 14.3.0] on linux<br />
Type "help", "copyright", "credits" or "license" for more information.<br />
>>> import torch<br />
>>> torch.cuda.is_available()<br />
True<br />
>>> (torch.tensor([1.0], device="cuda") * 2).item()<br />
2.0<br />
>>> torch.cuda.get_device_name(0)<br />
'NVIDIA L4'<br />
>>> quit()<br />
$ <br />
<br />
</syntaxhighlight><br />
<br />
=== Known Issues ===<br />
<br />
==== Broken <code>update-ldcache</code> OCI hook ====<br />
The specific hook causing trouble is the NVIDIA CDI <code>update-ldcache</code> hook. In the generated CDI configuration, that hook appears as a <code>createContainer</code> hook that invokes <code>/usr/bin/nvidia-cdi-hook</code> with the <code>update-ldcache</code> argument. When Podman tries to start a container with CDI enabled, this hook can fail preventing container startup. The <code>update-ldcache</code> hook is meant to help make host NVIDIA libraries visible inside the container by updating the dynamic linker cache path used by the containerized environment. In a more typical setup, this helps ensure that GPU-related executables inside the container can locate the right shared libraries without extra manual bind mounts. When the <code>update-ldcache</code> hook fails, CDI may still identify the GPUs correctly, but the automatic library setup path is incomplete. In practice, that means users may need to manually bind-mount some host libraries or utilities into the container instead of relying on the hook to make everything available automatically. <br />
<br />
Due to the issues, the <code>update-ldcache</code> OCI hook has been disabled in CDI. While this avoids container startup failures, it also bypasses the mechanism that updates the container’s dynamic linker cache with host NVIDIA library paths. Consequently, GPU-related libraries may not be discovered automatically inside the container, requiring some manual bind mounts or environment configuration to ensure proper runtime behavior.<br />
<br />
This effect is clearly seen in the CUDA validation example above, where <code>libcuda.so.1</code> is explicitly bind-mounted (<code>-v /usr/lib64/libcuda.so.1:/usr/lib/x86_64-linux-gnu/libcuda.so.1:ro</code>) despite CDI being enabled via <code>--device nvidia.com/gpu=all</code></div>Kris