Setting up a Kubernetes Cluster based on Singularity

Kubernetes supports multiple container runtimes through its Container Runtime Interface (CRI). As a result, besides the typical default choice of Docker (containerd) one can also use a variety of other drop-in replacements, such as cri-o. This article will discuss another option, namely Singularity.

Singularity has a few important advantages which make it an interesting choice as the basis for a Kubernetes cluster. Singularity is designed specifically to be usable by unprivileged users for reliable security, and to be suited to use in High Performance Computing. As a result, Singularity is already familiar to most HPC system administrators. Introducing new infrastructure software to a computing center is a potentially major step, so it is useful to leverage tools which are already available and whose possible pitfalls are already understood.

At the time of writing, the Singularity CRI implementation is still in beta testing, so it may not yet be suitable for a major deployment. However, in our testing it has performed solidly, and is well worth trying out.

Documentation for the Singularity CRI is located at the main Sylabs documentation site and also in the code repository. The instructions provided there are sufficient to set up a Kubernetes cluster when combined with a typical approach to using kubeadm, but for convenience we will show how to combine the two together into a single workflow. For simplicity this guide assumes a fresh CentOS 7 system, but the procedure should be applicable to other distributions with only minor adjustments.

Many of the following commands need to be run as superuser, so it is probably a good idea to sudo su - before beginning.

First, several packages must be installed, some of which are found in EPEL.

yum update -y # updating installed packages is a good first step, but can take a while
yum install -y epel-release
yum install -y singularity-runtime singularity git socat golang gcc libseccomp-devel

Next, grab a copy of the Singularity CRI source code and compile it. This step will hopefully become a simpler package installation soon, once the beta period ends. Nonetheless, building and installing should take only a few seconds.

git clone
cd singularity-cri
git checkout tags/v1.0.0-beta.7 -b v1.0.0-beta.7
make install

Then, create a systemd unit file to handle running the CRI for you:

cat <<EOF > /etc/systemd/system/sycri.service



systemctl enable sycri
systemctl start sycri

At this point all singularity components should be ready to go, and you are ready to start installing Kubernetes.

Kubernetes has strong opinions about how a system must be configured before it will run, so it may be necessary to make the following changes:

# Disable SELinux
setenforce 0
sed -i --follow-symlinks 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux

# Disable swap
swapoff -a
sed -e '/swap/s/^/#/g' -i /etc/fstab

The kubernetes packages can be installed with yum after configuring the appropriate repository:

cat <<EOF > /etc/yum.repos.d/kubernetes.repo

yum install -y kubelet-1.16.7 kubeadm-1.16.7 kubectl-1.16.7 --disableexcludes=kubernetes
systemctl enable kubelet

Next, it’s necessary to tell the kubernetes kubelet that you want it to use the Singularity CRI:

cat > /etc/default/kubelet << EOF
  KUBELET_EXTRA_ARGS=--container-runtime=remote \
  --container-runtime-endpoint=unix:///var/run/singularity.sock \

For Kubernetes networking to behave correctly, the br_netfilter module needs to be loaded. You can check whether it is by running

lsmod | grep br_netfilter

If that produces no output, the module is not loaded, and you should run

modprobe br_netfilter

after which, rerunning the previous command should show something.

You can then set the necessary network settings for Kubernetes:

cat <<EOF >  /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
sysctl --system

Finally, it is time to initialize the Kubernetes cluster itself. It’s important to pick the correct CIDR range for the networking plugin you plan to use; here we use the range favored by Calico:

kubeadm init --pod-network-cidr= --cri-socket unix:///var/run/singularity.sock

If you are running firewalld, it will need to be configured to open the ports used by Kubernetes:

firewall-cmd --permanent --add-port=6443/tcp
firewall-cmd --permanent --add-port=10250/tcp

At this point there are only a few more steps to being able to use the cluster. First, tell kubectl where to find your administrator config so that you can use it to complete the set-up:

export KUBECONFIG=/etc/kubernetes/admin.conf

At this point you should be able to run kubectl get nodes to see that you have a master node, but it is in the Notready state. To correct this, install your networking plugin:

kubectl apply -f

Your node should now enter the Ready state, but it will only accept pods concerned with running Kubernetes itself. To use the cluster more generally with just this single node, you can remove the taint which keeps away non-system pods:

kubectl taint nodes --all

Your cluster should now be ready to use. You can test it out by running an example ‘Hello world’ server as follows:

kubectl run hello --port=8080 --generator=run-pod/v1
kubectl expose pod hello --target-port=8080 --type=NodePort

You can watch its progress starting up with

kubectl get pods -l 'run=hello' -w

which should run for a few seconds until it reports that your pod has status ‘Running’ and ‘1/1’ containers ready, at which point you can press Ctrl+C to stop watching. With your pod running, you can run the following command to determine the address at which it can be contacted:

echo 'http://'$(kubectl get pods -l 'run=hello' -o jsonpath='{.items[0].status.hostIP}')':'$(kubectl get services -l 'run=hello' -o jsonpath='{.items[0].spec.ports[0].nodePort}')

You can either use curl to request the resulting address, or, if your machine is rechable from the public internet you can simply put it into a web browser. Either way, you should see the ‘Hello world’ message from your nginx server.

When you are done with your nginx, you can shut it down with kubectl delete pod hello; kubectl delete service hello.

An interesting point to note here is that the nginx image used here is a Docker image, not a Singularity image. Singularity still ran it all the same, handling the necessary conversion completely transparently.

Updated 2020-03-04 to use the latest beta version of the Singularity CRI, and a slightly old, but known good version of Kubernetes.

The SLATE Team