github.com/indigo-dc/udocker @1.3.17
README


udocker is a basic user tool to execute simple docker containers in user space without requiring root privileges. It enables download and execution of docker containers by non-privileged users on Linux systems where docker is not available. It can be used to pull and execute docker containers in Linux batch systems and interactive clusters that are managed by other entities, such as grid infrastructures or externally managed batch or interactive systems.

udocker does not require any privileges nor the deployment of services by system administrators. It can be downloaded and executed entirely by the end user. The limited root functionality provided by some of the udocker execution modes is either simulated or provided via user namespaces.

udocker is a wrapper around several tools and libraries to mimic a subset of the docker capabilities including pulling images and running containers with minimal functionality.

Important notice: We have changed the udocker tools location as of udocker 1.3.17. This affects the configuration option conf['tarball'] and environment variable UDOCKER_TARBALL, so if you are using udocker <= 1.3.16, make sure to: export UDOCKER_TARBALL=https://download.a.incd.pt/udocker/udocker-englib-1.2.11.tar.gz.

Documentation

The full documentation is available at:

How does it work

udocker is written in Python and has a minimal set of dependencies, so that it can be executed on a wide range of Linux systems.

udocker does not make use of docker nor requires its presence.

udocker "executes" the containers by simply providing a chroot-like environment over the extracted container. The current implementation supports different methods to mimic chroot, thus enabling execution of containers under a chroot-like environment without requiring privileges. udocker transparently supports several methods to execute the containers based on external tools and libraries such as:

  • PRoot
  • Fakechroot
  • runc
  • crun
  • Singularity

With the exception of Singularity the tools and libraries to support execution are downloaded and deployed by udocker during the installation process. This installation is performed in the user home directory and does not require privileges. The udocker related files such as libraries, executables, documentation, licenses, container images and extracted directory trees are placed by default under $HOME/.udocker.

Advantages

  • Can be deployed by the end-user
  • Does not require privileges for installation
  • Does not require privileges for execution
  • Does not require compilation, just transfer the Python code
  • Encapsulates several tools and execution methods
  • Includes the required tools already statically compiled to work across systems
  • Provides a docker like command line interface
  • Supports a subset of docker commands: search, pull, import, export, load, save, login, logout, create and run
  • Understands docker container metadata
  • Allows loading of docker and OCI containers
  • Supports NVIDIA GPGPU applications
  • Can execute in systems and environments where Linux namespaces support is unavailable
  • Runs both on new and older Linux distributions including: CentOS 6, CentOS 7, CentOS 8, Ubuntu 14, Ubuntu 16, Ubuntu 18, Ubuntu 20, Ubuntu 21, Alpine, Fedora, etc

Python 2 and Python 3

Since v1.3.0, udocker supports Python 2.7 and Python >= 3.6. The original udocker v1.1.x for Python 2 is no longer maintained but is still available here.

Syntax

        Commands:
          search <repo/expression>      :Search dockerhub for container images
          pull <repo/image:tag>         :Pull container image from dockerhub
          create <repo/image:tag>       :Create container from a pulled image
          run <container>               :Execute container
          run <repo/image:tag>          :Pull, create and execute container

          images -l                     :List container images
          ps -m -s                      :List created containers
          name <container_id> <name>    :Give name to container
          rmname <name>                 :Delete name from container
          rename <name> <new_name>      :Change container name
          clone <container_id>          :Duplicate container
          rm <container-id>             :Delete container
          rmi <repo/image:tag>          :Delete image
          tag <repo/image:tag> <repo2/image2:tag2> :Tag image

          import <tar> <repo/image:tag> :Import tar file (exported by docker)
          import - <repo/image:tag>     :Import from stdin (exported by docker)
          export -o <tar> <container>   :Export container directory tree
          export - <container>          :Export container directory tree
          load -i <imagefile>           :Load image from file (saved by docker)
          load                          :Load image from stdin (saved by docker)
          save -o <imagefile> <repo/image:tag>  :Save image with layers to file

          inspect <repo/image:tag>      :Return low level information on image
          inspect -p <container>        :Return path to container location
          verify <repo/image:tag>       :Verify a pulled or loaded image
          manifest inspect <repo/image:tag> :Print manifest metadata

          protect <repo/image:tag>      :Protect repository
          unprotect <repo/image:tag>    :Unprotect repository
          protect <container>           :Protect container
          unprotect <container>         :Unprotect container

          mkrepo <top-repo-dir>         :Create another repository in location
          setup                         :Change container execution settings
          login                         :Login into docker repository
          logout                        :Logout from docker repository

          help                          :This help
          run --help                    :Command specific help
          version                       :Shows udocker version

        Options common to all commands must appear before the command:
          -D                            :Debug
          --quiet                       :Less verbosity
          --repo=<directory>            :Use repository at directory
          --insecure                    :Allow insecure non authenticated https
          --allow-root                  :Allow execution by root NOT recommended

Examples

Some examples of usage:

Search container images in Docker Hub and list tags.

udocker search  fedora
udocker search  ubuntu
udocker search  debian

udocker search --list-tags ubuntu

Pull from dockerhub and list the pulled images.

udocker pull   fedora:39
udocker pull   busybox
udocker pull   iscampos/openqcd
udocker images

Pull from a registry other than dockerhub.

udocker search  quay.io/bio
udocker search  --list-tags  quay.io/biocontainers/scikit-bio
udocker pull    quay.io/biocontainers/scikit-bio:0.2.3--np112py35_0
udocker images

Pull a different architecture such as arm64 instead of amd64.

udocker manifest inspect centos/centos8
udocker pull --platform=linux/arm64 centos/centos8
udocker tag centos/centos8  mycentos/centos8:arm64

Create a container from a pulled image, assign a name to the created container and run it. A created container can be run multiple times until it is explicitly removed. Files modified or added to the container remain available across executions until the container is removed.

udocker create --name=myfed  fedora:29
udocker run  myfed  cat /etc/redhat-release

The three steps of pulling, creating and running can be also achieved in a single command, however this will be much slower for multiple invocations of the same container, as a new container will be created for each invocation. This approach will also consume more storage space. The following example creates a new container for each invocation.

udocker run  fedora:29  cat /etc/redhat-release

Execute mounting the host /home/u457 into the container directory /home/cuser. Notice that you can "mount" any host directory inside the container; the container then sees it with the same permissions the invoking user has on the host, so mount only what the workload needs. Depending on the execution mode the "mount" is implemented differently and may have restrictions.

udocker run -v /home/u457:/home/cuser -w /home/user myfed  /bin/bash
udocker run -v /var -v /proc -v /sys -v /tmp  myfed  /bin/bash

Place a script in your host /tmp and execute it in the container. Notice that the behavior of --entrypoint changed from the previous versions for better compatibility with docker.

udocker run  -v /tmp  --entrypoint="" myfed  /bin/bash -c 'cd /tmp; ./myscript.sh'

udocker run  -v /tmp  --entrypoint=/bin/bash  myfed  -c 'cd /tmp; ./myscript.sh'

Execute mounting the host /var, /proc, /sys and /tmp on the same container directories. Notice that the content of these container directories will be hidden by the host files for the duration of the run.

udocker run -v /var -v /proc -v /sys -v /tmp  myfed  /bin/bash

Install software inside the container.

udocker run  --user=root myfed  yum install -y firefox pulseaudio gnash-plugin

Run as a given user. Usernames must exist in the container; numeric uid:gid pairs, as in the first example, do not need a matching entry.

udocker run --user 1000:1001  myfed  /bin/id
udocker run --user root   myfed  /bin/id
udocker run --user jorge  myfed  /bin/id

Running Firefox.

udocker run --bindhome --hostauth --hostenv \
   -v /sys -v /proc -v /var/run -v /dev --user=jorge --dri myfed  firefox

Change execution engine mode from PRoot to Fakechroot and run.

udocker setup  --execmode=F3  myfed

udocker run --bindhome --hostauth --hostenv \
   -v /sys -v /proc -v /var/run -v /dev --user=jorge --dri myfed  firefox

Change execution engine mode to accelerated PRoot.

udocker setup  --execmode=P1  myfed

Change execution engine to runc.

udocker setup  --execmode=R1  myfed

Change execution engine to Singularity. Requires the availability of Singularity in the host system.

udocker setup  --execmode=S1  myfed

Install software running as root emulation in Singularity:

udocker setup  --execmode=S1  myfed
udocker run  --user=root myfed  yum install -y firefox pulseaudio gnash-plugin

Change the container setup to enable NVIDIA-ready applications. Requires that the NVIDIA drivers are installed on the host system.

udocker setup  --nvidia  mytensorflow

Security

By default udocker via PRoot offers the emulation of the root user. This emulation mimics a real root user (e.g. getuid will return 0). This is only an emulation; no root privileges are involved. This feature makes possible the execution of some tools that do not require actual privileges but which refuse to work if the username or id are not root or 0. This enables, for instance, software installation using rpm, yum or dnf inside the container.

udocker does not offer robust isolation features such as the ones offered by docker. Therefore if the container content is not trusted, these containers should not be executed with udocker, as they will run inside the user environment, with the identity, files and credentials of the invoking user. For this reason udocker should not be run by privileged users.

Container images and filesystems will be unpacked and stored in the user home directory under $HOME/.udocker or other location of choice. Therefore the containers data will be subjected to the same filesystem protections as other files owned by the user. If the containers have sensitive information the files and directories should be adequately protected by the user.

udocker does not require privileges and runs under the identity of the user invoking it. Users can download udocker and execute it without requiring system administrator intervention.

udocker also provides execution with runc, crun and Singularity, these modes make use of rootless namespaces and enable a normal user to execute as root with the limitations that apply to user namespaces and to these tools.

When executed by normal unprivileged users, udocker limits privilege escalation issues since it does not use or require system privileges.
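The points above (do not run udocker as root, keep the repository under $HOME/.udocker protected by file permissions, and mount only what the container needs) can be enforced with a small pre-flight wrapper. The script below is an added example and is not part of udocker; it assumes a Linux host with GNU/busybox stat, that the udocker command is on PATH, and uses its own environment variables UDOCKER_REPO_DIR and PREFLIGHT_VOLUMES, which udocker itself does not define.

```bash
#!/bin/sh
# udocker-preflight.sh: wrapper that applies the Security section's advice
# before handing a command to udocker. Added example, not udocker's own code.
# Assumes Linux (stat -c) and that "udocker" is on PATH.

# Refuse to proceed when the caller is root. udocker provides no robust
# isolation, so a container run by uid 0 runs with real root privileges.
require_unprivileged() {
    uid="${1:-$(id -u)}"
    if [ "$uid" -eq 0 ]; then
        echo "refusing to run udocker as uid 0; use an unprivileged account" >&2
        return 1
    fi
    return 0
}

# Create (or fix) the udocker repository directory so that only its owner can
# read it. Image layers and extracted container trees live here and are
# protected by nothing more than ordinary file permissions.
harden_repo() {
    repo="$1"
    (umask 077 && mkdir -p "$repo") || return 1
    chmod 700 "$repo" || return 1
    mode=$(stat -c '%a' "$repo") || return 1
    owner=$(stat -c '%u' "$repo") || return 1
    if [ "$mode" != 700 ] || [ "$owner" != "$(id -u)" ]; then
        echo "repository $repo: mode $mode owner $owner, expected 700 and uid $(id -u)" >&2
        return 1
    fi
    return 0
}

# Reject "-v host:container" mounts that would expose more of the user's
# environment than a workload should see. The deny list is an assumption for
# this example; extend it for your site.
allowed_volume() {
    host_dir="${1%%:*}"          # keep only the host side of host:container
    case "$host_dir" in
        "$HOME"|"$HOME"/.ssh|"$HOME"/.ssh/*|"$HOME"/.udocker|"$HOME"/.udocker/*)
            return 1 ;;
    esac
    return 0
}

# preflight_run <container> [command...]
# Volumes come from PREFLIGHT_VOLUMES (space separated host:container pairs,
# an assumption of this wrapper); the repository from UDOCKER_REPO_DIR.
preflight_run() {
    container="$1"; shift
    repo="${UDOCKER_REPO_DIR:-$HOME/.udocker}"
    require_unprivileged || return 1
    harden_repo "$repo" || return 1
    vol_args=""
    for v in ${PREFLIGHT_VOLUMES:-}; do
        allowed_volume "$v" || { echo "mount of $v is not allowed" >&2; return 1; }
        vol_args="$vol_args -v $v"
    done
    # shellcheck disable=SC2086   # vol_args is intentionally word-split
    udocker --repo="$repo" run $vol_args "$container" "$@"
}

# Only act as a command when invoked under this file name, e.g.:
#   PREFLIGHT_VOLUMES="/tmp:/tmp" ./udocker-preflight.sh myfed /bin/id
case "$(basename -- "$0")" in
    udocker-preflight.sh) preflight_run "$@" ;;
esac
```

Inside the container, `/bin/id` still reports whatever `--user` or the default root emulation says, but every file the wrapper lets through is accessed with the host uid that ran the script; the checks above do not add isolation, they only keep the user from undoing the little protection the filesystem gives.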

General Limitations

Since root privileges are not involved, any operation that really requires such privileges will not be possible. The following are examples of operations that are not possible:

  • accessing host protected devices and files
  • listening on TCP/IP privileged ports (range below 1024)
  • mount file-systems
  • the su command will not work
  • change the system time
  • changing routing tables, firewall rules, or network interfaces

If the containers require such privilege capabilities then docker should be used instead.

udocker is not meant to create containers. Creation of containers is better performed using docker and dockerfiles.

udocker does not provide all the docker features, and is not intended as a docker replacement.

udocker is mainly oriented at providing a run-time environment for containers execution in user space. udocker is particularly suited to run user applications encapsulated in docker containers.

Debugging or using strace with the PRoot engine will not work as both the d
