feat: adds ability to specify container options in process-compose.yml #249
Conversation
This introduces several new options in the configuration files. These options are ignored if `is_container` is not set to `true` or if `container_runtime` is not set to apptainer. This could be expanded to allow for other container tools like podman, singularity, docker, etc, but for right now it is just configured with apptainer in mind. The new options include: ``` is_container bool container_runtime string (apptainer, singularity, podman, etc) container_execution string (exec, run, etc) container_volumes []string (Each container runtime has a different way to define volumes, right now I'm only considering apptainer volumes which are defined with a -B/--bind container_image string (full path to .sif or OCI path) container_args []string (additional arguments to pass to the container runtime) ```
|
|
How things will work on Windows/Mac? Process-Compose is cross platform, so some ideas on at least one more platform could be cool? Why extra lines to be added by Process-Compose yaml config instead of using just command line like Imho integration with app sandboxes of Windows/MacOs Sandbox may be better things?
And linux:
These technologies are faster REPL/startup/build time than containers/vms and may appear better fit long term Process-Compose Also some previous idea about containers #87 |
|
Thanks for the response!
My hope was that this would lay the foundation for additional "container" tools on Windows/Mac. Apptainer works on Mac with some work. I'm not sure if it works on WSL on Windows, but this work would be very similar for podman, which works on both windows and mac and docker.
I was originally doing what you're talking about here, but these apptainer commands can quickly become very long and complex, especially as bind paths are added. I liked the idea of it matching the docker compose style for things like this, but still being very powerful when not using docker compose. I guess I was trying to get the best of both worlds if that makes sense.
I do not think process compose TUI or the process lifecycle need to be changed. One of the benefits of apptainer/singularity is that the containers can just be ran as executables like any other app.
I was not aware of these as I work almost entirely in linux. These are very cool though and I could see the benefit of having something like that as well.
I havne't personally used Nix so I don't know the benefit there. I use cgroups as more of a means to control how many resources a process/set of processes has access to. I've only used chroot to build images. I'm not sure the benefit here.
Sure, I could see the benefit for adding support for these too.
I like your use case here with the separate environments and cgroups. Apptainer has some of that built in so you can control the containers with cgroups which means you wouldn't need process compose to do that. |
|
TLDR; Imho there should be more deep thinking on container integration.
Unlike containers, I guess people may expect PC(process compose) to work on all platforms with less right or configs. And it to support HOST OS on HOST OS runs. I would expect Mac to work on Mac and Windows on Windows. Because PC does that.
As long as apptainer is linux or mac only, it may put commands into sh scripts and call them, as fallback. Also containers bring bad things too - need to build image. Most builder to copies of files instead doing links (doing links is not portable). So containers bring worth of both words too.
If process lifecycle or TUI would need changes, it would mean that there is something which needs active integration of containers with PC. So it would be pro containers argument. Currently argument is only long scripts.
I am not expert in any of this, so worked with all. PC allows to build host binaries on host and use them without building containers. Containers may require build in container(HOST<-> GUEST OS), and copy a lot of files. That is slow. If Apptainer on Mac can run Mac osses and allows to link binaries from host instead of copying (slow), than it is very good and I am for it. But is it? As for nix, nix is just *nix. In the end any nix thing is just set of traditional bash and configs files. So for linux idea that I do not need to install anything to do buildFHSEnv/cgroups/chroot/etc on Linux to get container like behaviour (for testing at least, not security) and fast REPL(can reuse host files). Similar for Mac and Windows. If on Linux Apptainer is shortcut for light isolation without a lot of file copying(without long time to take to build container, but more like just linking host files) than it is super good (I used nix as example as it provides such feature out of box). Windows/Mac/Linux has similar technologies to:
than these technologies are more likely to be better fit for Process Compose than Apptainer(or Containers). Specific techs of aternatives/references:
|
|
Here is other set of tools for Linux which seems do not require container build step for isolation https://news.ycombinator.com/item?id=42944858 . Process compose awesome as no need to build anything - just use existing binary. |
This looks great! |
|
this one has reasonable requirements list for tech which fits for PC: https://github.com/Zouuup/landrun
and can add:
as for darwin, there is no Go module to use as for windows, seems can use TLDR; On Linux people can use directly Landrun for example or any other isolation. No viable to do anything for Mac/Windows. But if not support for Mac/Windows, does not seems need it to be part of PC?. |
You can execute SIF files "on" macOS, by wrapping them in For the Lima project there is an https://github.com/lima-vm/lima/blob/master/cmd/apptainer.lima It is basically the same idea as with Docker or Podman, you set up a VM and then call out to it with SSH or API. With some added complexity of transporting files back and forth, either over a networked filesystems or tarball. So when we execute the SIF file with If the initial startup is a concern, then the command could call a local path but then the illusion would break. |
|
|
Isolation for windows as per Gemini: https://learn.microsoft.com/en-us/windows/win32/secauthz/appcontainer-for-legacy-applications- https://github.com/sandboxie-plus/Sandboxie I believe that Mac and Windows sandboxes can be commercial proposition of PC on Mac and Windows stores. |
It got a little better with virtiofs, before with virtfs (9p) it was rather slow - like slower than NFS, even if the "server" is really close (localhost)... The only way to get decent performance is to keep the files on the native disk image (in Linux)
The client portion is cross-platform, but the server is Linux-only (we did experiment with FreeBSD, but same difference). The most promising way to make cross-platform binaries is to run wasm containers, which is a separate story...
There are some pros and cons between SIF and OCI, and even new hybrids like OCI-SIF. And yes, if everyone ran Linux it would just be processes. Of course, that also assumes that everyone runs the same distro and there are no dependencies. But yeah, you could accomplish more or less the same thing with When docker/podman imports to their storage, it's not very different to apptainer importing into a sif. But if you want to run OCI containers with compose, I guess you would just use Or perhaps |
|
Here was my comparison, between the technologies. As in SIF versus OCI. $ apptainer pull docker://python
INFO: Converting OCI blobs to SIF format
INFO: Starting build...
INFO: Fetching OCI image...
5.9MiB / 5.9MiB [=====================================================================================] 100 % 0.0 b/s 0s
46.2MiB / 46.2MiB [===================================================================================] 100 % 0.0 b/s 0s
22.9MiB / 22.9MiB [===================================================================================] 100 % 0.0 b/s 0s
201.6MiB / 201.6MiB [=================================================================================] 100 % 0.0 b/s 0s
61.4MiB / 61.4MiB [===================================================================================] 100 % 0.0 b/s 0s
26.1MiB / 26.1MiB [===================================================================================] 100 % 0.0 b/s 0s
INFO: Extracting OCI image...
INFO: Inserting Apptainer configuration...
INFO: Creating SIF file...
[=============================================================================================================] 100 % 0s
$ ./python_latest.sif python hello.py
Hello, World!$ podman pull python
$ podman save --format=oci-archive python:latest >python_latest.tar
$ podman run -v $PWD:/pwd oci-archive:python_latest.tar python /pwd/hello.py
Getting image source signatures
Copying blob 9d9e1c31ad9a skipped: already exists
Copying blob 579c7fb4fb83 skipped: already exists
Copying blob 3ae679bbed48 skipped: already exists
Copying blob 4c5aa3578368 skipped: already exists
Copying blob a2db8f7484d4 skipped: already exists
Copying blob 14a930caa7fd skipped: already exists
Copying blob 81cb21bc73a0 skipped: already exists
Copying config 07e1786f1f done |
Writing manifest to image destination
Hello, World!Podman normally suggests using systemd (with quadlets), instead of compose. And of course, normally you would just run "python", rather than from an archive: $ podman run -v $PWD:/pwd docker.io/library/python:latest python /pwd/hello.py
Hello, World!But then you need the registry (docker.io) to be available, if image is not present. Note: the above runs the podman command as root (in the container) for simplicity, It also assumes that the current directory is available for mounting in the container. For python only, using a local "virtual environment" (venv) would make more sense. |
|
for mac it is here too https://github.com/AkihiroSuda/alcless (used by coding agents). |
I have been utilizing process compose for a few weeks now. I think it's a great tool, but there are a couple of challenges where I'm trying to utilize it in places it may not have been meant to be used in. In an attempt to fix this and improve this tool, I'd like to propose adding some additional process configuration options.
Background
There is a containerization tool in high performance computing that functions similarly to docker but can function without root permissions. This tool is called Apptainer. It can do many of the same tasks as docker without needing the docker permissions. However the tooling around apptainer is not as mature as docker as it is not used by nearly as many people.
Here is an example of running a command with apptainer:
my_container.sifis a single executable file. Not the definition file, but the built container that can be transported. I can create it from scratch or by pulling existing apptainer or docker containers.I can do this with process-compose as it currently exists, but I think it makes more sense to have some additional functionality for clarity and config cleanliness.
Here's an example of running a python API.
This PR would allow it to be defined as:
I think this makes it more clear, and more similar to docker compose (without the need for docker and other strengths provided by process-compose :) )
Contributions
This PR adds the following options:
These options are ignored if
is_containeris not set totrueor ifcontainer_runtimeis not set to apptainer. This could be expanded to allow for other container tools like podman, singularity, docker, etc, but for right now it is just configured with apptainer in mind as that's the only app I have to test at the moment.If there are any questions or feedback on this, please let me know. Thanks!