|
| 1 | +# Running a Task Inside a Docker Container |
| 2 | + |
| 3 | +> ⚠️ **Warning** |
| 4 | +> This method is **not intended for production use**. |
| 5 | +> It serves only as a **proof of concept** for testing Docker images as part of an existing pipeline. |
| 6 | +> |
| 7 | +> Currently, it has been tested with the `alma9-flp-node` image running the *readout* component. |
| 8 | +
|
| 9 | +--- |
| 10 | + |
| 11 | +## How To |
| 12 | + |
| 13 | +### 1. Manual Setup |
| 14 | + |
| 15 | +Before running tasks in Docker, ensure that the host machine has Docker installed. |
| 16 | +At the time of writing, Docker must be installed **manually**. |
| 17 | + |
| 18 | +> ⚠️ **Security Note** |
| 19 | +> The `flp` user must be able to run `sudo` **without a password**, because Docker requires root privileges because of inter process communication requirements |
| 20 | +> |
| 21 | +> This setup is **potentially unsafe** for production systems. There exists rootless mode in Podman (alias for Docker at RHEL) which might solve safety |
| 22 | +> issues. However, we were not able to make this work for more than one container because of ipc requirements. |
| 23 | +
|
| 24 | +Run the following commands as `root` to add `flp` user to sudoers: |
| 25 | + |
| 26 | +```bash |
| 27 | +usermod -aG wheel flp |
| 28 | +echo '%wheel ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/90-wheel-nopasswd |
| 29 | +``` |
| 30 | + |
| 31 | +--- |
| 32 | + |
| 33 | +### 2. Modifying ControlWorkflows |
| 34 | + |
| 35 | +To run a task inside a Docker container on the executor, wrap the binary call in a `docker run` command within the [ControlWorkflows](https://github.com/AliceO2Group/ControlWorkflows) repository. |
| 36 | + |
| 37 | +For example, to run readout, modify the `_plain_command` section of [`readout.yaml`](https://github.com/AliceO2Group/ControlWorkflows/blob/master/tasks/readout.yaml) by adding a Docker command. |
| 38 | + |
| 39 | +> 🧩 **Note** |
| 40 | +> You must already have a Docker image that includes the required binary and configuration. |
| 41 | +> (Creating such an image is outside the scope of this document.) |
| 42 | +
|
| 43 | +#### Example Command |
| 44 | + |
| 45 | +When running readout, we successfully used the following command inside the `alma9-flp-node` image: |
| 46 | + |
| 47 | +```bash |
| 48 | +sudo /usr/bin/docker run --name readout --replace \ |
| 49 | + --user "$(id -u flp):$(id -u flp)" \ |
| 50 | + --network=host --ipc=host \ |
| 51 | + -e O2_DETECTOR -e O2_PARTITION -e OCC_CONTROL_PORT \ |
| 52 | + -e O2_SYSTEM -e O2_ROLE \ |
| 53 | + gitlab-registry.cern.ch/aliceo2group/dockerfiles/alma9-flp-node:2 \ |
| 54 | + /opt/o2/bin/o2-readout-exe |
| 55 | +``` |
| 56 | + |
| 57 | +> 🧩 **Note** |
| 58 | +> We are not claiming that this is the most efficient way how to run this image, just that it works. |
| 59 | +
|
| 60 | +#### Environment Variables |
| 61 | + |
| 62 | +To identify all required environment variables: |
| 63 | + |
| 64 | +1. Open the **ECS GUI**. |
| 65 | +2. Go to the **Environment Details** page for the relevant task. |
| 66 | +3. Review the variables defined there — these match those used when running the binary outside Docker. |
| 67 | + |
| 68 | +#### Shared Memory Communication |
| 69 | + |
| 70 | +To enable shared memory communication between processes, add the `--ipc=host` flag when running the container. |
| 71 | +However, doing so requires **elevated privileges**. |
| 72 | + |
| 73 | +While **Podman** can run without root privileges, it pauses other Podman processes for the same user. |
| 74 | +This means commands like `podman ps -a` or starting multiple containers in parallel will not work. |
| 75 | + |
| 76 | +Therefore, you should run containers using the same user as the rest of the pipeline: |
| 77 | + |
| 78 | +```bash |
| 79 | +--user "$(id -u flp):$(id -u flp)" |
| 80 | +``` |
| 81 | + |
| 82 | +This ensures shared memory segments are created under the same user context. |
| 83 | + |
| 84 | +--- |
| 85 | + |
| 86 | +## Tips and Tricks |
| 87 | + |
| 88 | +* Production systems running RHEL do not install native Docker via: |
| 89 | + |
| 90 | + ```bash |
| 91 | + dnf install docker |
| 92 | + ``` |
| 93 | + |
| 94 | + Instead, they use **Podman**, which emulates Docker’s behavior but may differ in certain aspects. |
| 95 | + |
| 96 | +* To check whether ECS has started a container, run: |
| 97 | + |
| 98 | + ```bash |
| 99 | + docker ps -a |
| 100 | + ``` |
| 101 | + |
| 102 | + This lists all containers that have run (or are currently running) under the current user. |
| 103 | + |
| 104 | + > ECS typically runs as the `flp` user, so to inspect its containers, switch users first: |
| 105 | + > |
| 106 | + > ```bash |
| 107 | + > su - flp |
| 108 | + > ``` |
| 109 | +
|
| 110 | +* To view container logs directly from Docker: |
| 111 | +
|
| 112 | + ```bash |
| 113 | + docker logs <container-id|name> |
| 114 | + ``` |
| 115 | +
|
| 116 | +--- |
0 commit comments