Singularity (https://github.com/sylabs/singularity) is designed as a container solution for high performance computing (HPC) and is currently one of the most popular container implementation used on many HPC platforms. In this article, I discuss why everyone should use signed images and how signed base images for the arm64 architecture can be used when creating your own Singularity containers.
Using base images is always a good idea: instead of creating a new image with a low-level method such as debootstrap or yum, which consumes a lot of bandwidth and takes quite a bit of time, you can use pre-made base images for your favorite Linux distribution. By doing so, the base image is automatically downloaded by Singularity during the build, and more importantly, the image is cached by Singularity, meaning that if you build several images, you will not need to download a huge amount of data for every single build.
But using images created by others can also lead to problems. If you follow the news, I am sure you saw that popular container services include images that should not be used by anyone because unsafe. One good approach to avoid that problem is to only use signed images from a trusted source: the image is cryptographically signed by Singularity when created, the public key stored in the Sylabs cloud service and when building new images, Singularity actually checks that everything is trusted based on the key in your local keyring. In other words, this allows anyone to create a chain-of-trust and ensure that all the pieces involved in the creation or execution of a container are trusted.
For these reasons, a few base images for the arm64 architecture is now available for some of the most popular Linux distributions. The fingerprint of public key used to sign these images is 9D56FA7CAFB4A37729751B8A21749D0D6447B268. A few examples show how to use that key to create a new container later in this article.
At the moment, instead of a Arm email, a personal email address is used to sign the base images: because of the way the Sylabs cloud service is structured, it is not immediately easy to create an official space for Arm so the images are signed and published under my name and email.
All images are there: https://cloud.sylabs.io/library/geoffroy.vallee.
For example, Ubuntu images are there: https://cloud.sylabs.io/library/geoffroy.vallee/ubuntu/.
The ultimate goal is to automatically generate base images every week for all major Linux distributions and for each Linux distribution, for all currently supported versions.
Using the signed images requires two steps: a one-time step to import the public key used to signed the images into your local Singularity keyring; and one command to create a new container using a definition file referring to the signed base image.
To get the public key used to sign the image, execute the following command:
$ singularity key pull 9D56FA7CAFB4A37729751B8A21749D0D6447B268
Then, to create a new container based on a signed base image, simply include the following in your definition file, updating the name and version of the Linux distribution you want to use (here I use Ubuntu 19.10 for illustration).
$ cat /tmp/ubuntu.def
$ cat /tmp/ubuntu.def
Finally, build your Singularity image.
$ singularity build /tmp/test_ubuntu.sif /tmp/ubuntu.def
If you look at the details, you will notice that my gmail email is used for the key, not my Arm email. As mentioned before, this is due to the fact that the current cloud service provided by Sylabs only supports a limited set of authentication methods that do not let me use my professional email address. We will address this problem if and when Sylabs later provide a way to log in the service with a dedicated email address.
Sylabs cloud library: https://sylabs.io/guides/3.5/user-guide/cloud_library.html.
Create, run and manage your MPI containers in a few steps: https://sylabs.io/articles/2019/11/create-run-and-manage-your-mpi-containers-in-a-few-steps.