Skip to content

Containers and CernVM-FS

Updated version available!

This tutorial was held in Dec 2023, some aspects of it are now outdated.

An updated version of this tutorial was presented in May 2025, see here.

CernVM-FS can also be used to distribute container images, providing many of the same benefits that come with any CernVM-FS installation. Especially the on-demand download of accessed files means that containers start nearly instantly, and are more efficient for large images when only a fraction of the files are read, which is typically the case.

Any CernVM-FS repository can be used to distribute container images (although often, dedicated repositories are used, like /cvmfs/unpacked.cern.ch).

In order to provide de-duplication and on-demand download, images must be stored unpacked. This requires some dedicated tools, provided by CernVM-FS itself - see the section "Ingesting container images" below.

Accessing containers hosted in CernVM-FS via Apptainer

Apptainer is the recommended way to run containers from CernVM-FS, as it can start a container directly from an unpacked root file system, which is ideal for CernVM-FS.

Docker can be used as well but the setup is more complicated, requiring the CernVM-FS graphdriver plugin.

For example, to run the tensorflow/tensorflow:2.15.0-jupyter image from Docker Hub that has been unpacked in /cvmfs/unpacked.cern.ch, use the following commands:

container="registry.hub.docker.com/tensorflow/tensorflow:2.15.0-jupyter"
python_code="import tensorflow as tf; print(tf.__version__)"
apptainer run /cvmfs/unpacked.cern.ch/${container} python -c "${python_code}"

This directory just contains the root file system of the image:

ls /cvmfs/unpacked.cern.ch/registry.hub.docker.com/tensorflow/tensorflow:2.15.0-jupyter

Ingesting container images

CernVM-FS provides a suite of container unpacking tools called cvmfs_ducc (provided by the cvmfs-ducc package). This can be used to unpack and ingest container images by simply running

cvmfs_ducc convert recipe.yaml
where recipe.yaml is a 'wishlist' of container images available in external registries that should be made available:

version: 1
user: cvmfsunpacker
cvmfs_repo: 'unpacked.repo.tld'
input:
    - 'https://registry.hub.docker.com/tensorflow/tensorflow:2.15.0-jupyter'
    ...

For more information, see the CernVM-FS documentation.

Using /cvmfs inside containers

The easiest way to access CernVM-FS repositories from a container is to set it up on the host and bind-mount it inside the container:

docker run -it --volume /cvmfs:/cvmfs:shared ubuntu ls -lna /cvmfs/atlas.cern.ch

For Apptainer, the same can be done by setting the $SINGULARITY_BIND (or $APPTAINER_BIND) environment variable: 

export SINGULARITY_BIND="/cvmfs"

(next: Creating a CernVM-FS repository)