The Living Thing / Notebooks :

Containerized apps

Doing things that previously took 1.5 computers using 1 computer

These are rapidly evolving standards. Check the timestamps on any advice.

The other, lighter, hipper alternative to virtual machines, which, AFAICT, attempts to make provisioning more like installing an app than building a computer, because it aims to containerise apps rather than OSes, which emphasis leads to less dicking around, but somehow even more webinars.

There are two ideas I ahve kind of confounded here

  1. packaging things up neatly
  2. sandboxing them in their own little environments

I should separate them.

The most common apps this is down for are, AFAICT, Linux-ish, but you cn shorehorn those into Windos/macOS, and probalby equivalents exist for windows/macOs.

Docker

The most common way of doing this.

Docker Gotchas

Handling passwords is fiddly – see secrets.

Do you get the following error?

Error response from daemon: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

According to thaJeztah, the solution is to use google DNS for docker. (or presumably someothernon-awful DNS) You can set this by providing a JSON configuration in the preference panel (under daemon -> advanced), e.g

{ "dns": [ "8.8.8.8", "8.8.4.4" ]}

Docker for reproducible research

Docker may not be the ultimate tool for reproducible research but it is a start. (TODO: fact-check the linked article.)

…How do you get your data in?

Tiffany Timbers gives a brisk run-through for academics.

Jon Zelner goes in-depth with R in a series culminating in continuous integration for science.

Reproducible research tuts has a docker (plus also VM-backed) tutorial.

Singularity

Singularity promises potentially useful container infrastructure.

Singularity provides a single universal on-ramp from the laptop, to HPC, to cloud.

USERS OF SINGULARITY CAN BUILD APPLICATIONS ON THEIR DESKTOPS AND RUN HUNDREDS OR THOUSANDS OF INSTANCES—WITHOUT CHANGE—ON ANY PUBLIC CLOUD.

Features include:

Released in 2016, Singularity is an open source-based container platform designed for scientific and high-performance computing (HPC) environments. Used by more than 25,000 top academic, government, and enterprise users, Singularity is installed on more than 3 million cores and trusted to run over a million jobs each day.

In addition to enabling greater control over the IT environment, Singularity also supports Bring Your Own Environment (BYOE)—where entire Singularity environments can be transported between computational resources (e.g., users’ PCs) with reproducibility.

GUIs

GUI comparison

LXC

LXC is another containerization standard. Because docker is a de facto default, let’s look at this in terms of docker

Firejail

archlinux says >Firejail is an easy to use SUID sandbox >program that reduces the risk of security breaches by restricting the running >environment of untrusted applications using Linux namespaces, seccomp-bpf and >Linux capabilities.

nachoparker’s intro is comprehensible.

Bubblewrap

Abstracted from the app standard Flatpak is bubblewrap.

Many container runtime tools like systemd-nspawn, docker, etc. focus on providing infrastructure for system administrators and orchestration tools (e.g. Kubernetes) to run containers.

These tools are not suitable to give to unprivileged users, because it is trivial to turn such access into to a fully privileged root shell on the host.

Rumour is it is more secure than Firejail because it doesn’t support all the many things firejail does (but this means that eg it doesn’t support audio)