Merge branch 'master' into master

Author: ahvigil

docs/config.md

@@ -104,6 +104,11 @@ The following settings are available:
 `apptainer.noHttps`
 : Pull the Apptainer image with http protocol (default: `false`).
 
+`apptainer.ociAutoPull`
+: :::{versionadded} 23.12.0-edge
+  :::
+: When enabled, OCI (and Docker) container images are pulled and converted to the SIF format by the Apptainer run command, instead of Nextflow (default: `false`).
+
 `apptainer.pullTimeout`
 : The amount of time the Apptainer pull can last, exceeding which the process is terminated (default: `20 min`).
 
@@ -1407,11 +1412,15 @@ The following settings are available:
 `singularity.noHttps`
 : Pull the Singularity image with http protocol (default: `false`).
 
-`singularity.oci`
-: :::{versionadded} 23.11.0-edge
+`singularity.ociAutoPull`
+: :::{versionadded} 23.12.0-edge
   :::
-: Enable OCI-mode, that allows running native OCI-compatible containers with Singularity using `crun` or `runc` as low-level runtime. See `--oci` flag in the [Singularity documentation](https://docs.sylabs.io/guides/4.0/user-guide/oci_runtime.html#oci-mode) for more details and requirements (default: `false`).
+: When enabled, OCI (and Docker) container images are pull and converted to a SIF image file format implicitly by the Singularity run command, instead of Nextflow. Requires Singulairty 3.11 or later (default: `false`).
 
+`singularity.ociMode`
+: :::{versionadded} 23.12.0-edge
+  :::
+: Enable OCI-mode, that allows running native OCI compliant container image with Singularity using `crun` or `runc` as low-level runtime. Note: it requires Singulairty 4 or later. See `--oci` flag in the [Singularity documentation](https://docs.sylabs.io/guides/4.0/user-guide/oci_runtime.html#oci-mode) for more details and requirements (default: `false`).
 
 `singularity.pullTimeout`
 : The amount of time the Singularity pull can last, exceeding which the process is terminated (default: `20 min`).

modules/nextflow/src/main/groovy/nextflow/container/ContainerConfig.groovy

@@ -17,6 +17,7 @@
 package nextflow.container
 
 import groovy.transform.CompileStatic
+import groovy.transform.Memoized
 import groovy.util.logging.Slf4j
 
 /**
@@ -55,8 +56,40 @@ class ContainerConfig extends LinkedHashMap {
         get('engine')
     }
 
-    boolean singularityOciMode() {
-        getEngine()=='singularity' && get('oci')?.toString() == 'true'
+    /**
+     * Whenever Singularity or Apptainer container engine can a OCI (Docker)
+     * image without requiring a separate OCI to SIF conversion execution (managed by Nextflow via {@link SingularityCache).
+     *
+     * @return
+     *  {@code true} when the OCI container can be run without an explicit OCI to SIF conversion or {@code false}
+     *  otherwise
+     *
+     */
+    boolean canRunOciImage() {
+        if( isSingularityOciMode() )
+            return true
+        if( (getEngine()!='singularity' && getEngine()!='apptainer') )
+            return false
+        return get('ociAutoPull')?.toString()=='true'
+    }
+
+    /**
+     * Whenever the Singularity OCI-mode is enabled
+     *
+     * @return {@code true} when Singularity OCI-mode is enabled or {@code false} otherwise
+     */
+    @Memoized
+    boolean isSingularityOciMode() {
+        if( getEngine()!='singularity' ) {
+            return false
+        }
+        if( get('oci')?.toString()=='true' ) {
+            log.warn "The setting `singularity.oci` is deprecated - use `singularity.ociNative` instead"
+            return true
+        }
+        if( get('ociMode')?.toString()=='true' )
+            return true
+        return false
     }
 
     List<String> getEnvWhitelist() {
@@ -93,7 +126,7 @@ class ContainerConfig extends LinkedHashMap {
             return null
         if( eng=='docker' || eng=='podman' )
             return '--rm --privileged'
-        if( singularityOciMode() )
+        if( isSingularityOciMode() )
             return '-B /dev/fuse'
         if( eng=='singularity' || eng=='apptainer' )
             return null

modules/nextflow/src/main/groovy/nextflow/container/ContainerHandler.groovy

@@ -67,7 +67,7 @@ class ContainerHandler {
             final normalizedImageName = normalizeSingularityImageName(imageName)
             if( !config.isEnabled() || !normalizedImageName )
                 return normalizedImageName
-            if( normalizedImageName.startsWith('docker://') && config.singularityOciMode() )
+            if( normalizedImageName.startsWith('docker://') && config.canRunOciImage() )
                 return normalizedImageName
             final requiresCaching = normalizedImageName =~ IMAGE_URL_PREFIX
             if( ContainerInspectMode.active() && requiresCaching )
@@ -79,6 +79,8 @@ class ContainerHandler {
             final normalizedImageName = normalizeApptainerImageName(imageName)
             if( !config.isEnabled() || !normalizedImageName )
                 return normalizedImageName
+            if( normalizedImageName.startsWith('docker://') && config.canRunOciImage() )
+                return normalizedImageName
             final requiresCaching = normalizedImageName =~ IMAGE_URL_PREFIX
             if( ContainerInspectMode.active() && requiresCaching )
                 return imageName

modules/nextflow/src/main/groovy/nextflow/container/DockerBuilder.groovy

@@ -15,29 +15,29 @@
  */
 
 package nextflow.container
+
+
 import groovy.transform.CompileStatic
+import groovy.util.logging.Slf4j
 /**
  * Helper methods to handle Docker containers
  *
  * @author Paolo Di Tommaso <[email protected]>
  */
+@Slf4j
 @CompileStatic
 class DockerBuilder extends ContainerBuilder<DockerBuilder> {
 
     private boolean sudo
 
     private boolean remove = true
 
-    private boolean userEmulation
-
     private String registry
 
     private String name
 
     private boolean tty
 
-    private static final String USER_AND_HOME_EMULATION = '-u $(id -u) -e "HOME=${HOME}" -v /etc/passwd:/etc/passwd:ro -v /etc/shadow:/etc/shadow:ro -v /etc/group:/etc/group:ro -v $HOME:$HOME'
-
     private String removeCommand
 
     private String killCommand
@@ -69,8 +69,8 @@ class DockerBuilder extends ContainerBuilder<DockerBuilder> {
         if( params.containsKey('runOptions') )
             addRunOptions(params.runOptions.toString())
 
-        if ( params.containsKey('userEmulation') )
-            this.userEmulation = params.userEmulation?.toString() == 'true'
+        if ( params.userEmulation?.toString() == 'true' )
+            log.warn1("Undocumented setting `docker.userEmulation` is not supported any more - consider to remove it from your config")
 
         if ( params.containsKey('remove') )
             this.remove = params.remove?.toString() == 'true'
@@ -150,9 +150,6 @@ class DockerBuilder extends ContainerBuilder<DockerBuilder> {
         if( temp )
             result << "-v $temp:/tmp "
 
-        if( userEmulation )
-            result << USER_AND_HOME_EMULATION << ' '
-
         // mount the input folders
         result << makeVolumes(mounts)
         result << '-w "$NXF_TASK_WORKDIR" '

modules/nextflow/src/main/groovy/nextflow/container/SingularityBuilder.groovy

@@ -39,7 +39,7 @@ class SingularityBuilder extends ContainerBuilder<SingularityBuilder> {
 
     private String runCmd0
 
-    private Boolean oci
+    private Boolean ociMode
 
     SingularityBuilder(String name) {
         this.image = name
@@ -94,8 +94,11 @@ class SingularityBuilder extends ContainerBuilder<SingularityBuilder> {
         if( params.containsKey('readOnlyInputs') )
             this.readOnlyInputs = params.readOnlyInputs?.toString() == 'true'
 
-        if( params.oci!=null )
-            oci = params.oci.toString() == 'true'
+        // note: 'oci' flag should be ignored by Apptainer sub-class
+        if( params.oci!=null && this.class==SingularityBuilder )
+            ociMode = params.oci.toString() == 'true'
+        else if( params.ociMode!=null && this.class==SingularityBuilder )
+            ociMode = params.ociMode.toString() == 'true'
 
         return this
     }
@@ -122,11 +125,11 @@ class SingularityBuilder extends ContainerBuilder<SingularityBuilder> {
         if( !homeMount )
             result << '--no-home '
 
-        if( newPidNamespace && !oci )
+        if( newPidNamespace && !ociMode )
             result << '--pid '
 
-        if( oci != null )
-            result << (oci ? '--oci ' : '--no-oci ')
+        if( ociMode != null )
+            result << (ociMode ? '--oci ' : '--no-oci ')
 
         if( autoMounts ) {
             makeVolumes(mounts, result)
@@ -154,7 +157,7 @@ class SingularityBuilder extends ContainerBuilder<SingularityBuilder> {
         makeEnv('TMP',result) .append(' ')
         makeEnv('TMPDIR',result) .append(' ')
         // add magic variables required by singularity to run in OCI-mode
-        if( oci ) {
+        if( ociMode ) {
             result .append('${XDG_RUNTIME_DIR:+XDG_RUNTIME_DIR="$XDG_RUNTIME_DIR"} ')
             result .append('${DBUS_SESSION_BUS_ADDRESS:+DBUS_SESSION_BUS_ADDRESS="$DBUS_SESSION_BUS_ADDRESS"} ')
         }

modules/nextflow/src/main/groovy/nextflow/processor/PublishDir.groovy

@@ -134,7 +134,7 @@ class PublishDir {
     }
 
     protected Map<String,Path> getTaskInputs() {
-        return task?.getInputFilesMap()
+        return task ? task.getInputFilesMap() : Map.<String,Path>of()
     }
 
     void setPath( def value ) {
@@ -294,6 +294,7 @@ class PublishDir {
         this.sourceDir = task.targetDir
         this.sourceFileSystem = sourceDir.fileSystem
         this.stageInMode = task.config.stageInMode
+        this.task = task
 
         apply0(files)
     }

modules/nextflow/src/main/groovy/nextflow/scm/BitbucketRepositoryProvider.groovy

@@ -50,7 +50,7 @@ final class BitbucketRepositoryProvider extends RepositoryProvider {
 
     @Override
     String getContentUrl( String path ) {
-        final ref = revision ?: getMainBranch()
+        final ref = revision ? getRefForRevision(revision) : getMainBranch()
         return "${config.endpoint}/api/2.0/repositories/$project/src/$ref/$path"
     }
 
@@ -62,6 +62,11 @@ final class BitbucketRepositoryProvider extends RepositoryProvider {
         invokeAndParseResponse(getMainBranchUrl()) ?. mainbranch ?. name
     }
 
+    private String getRefForRevision(String revision){
+        final resp = invokeAndParseResponse("${config.endpoint}/api/2.0/repositories/$project/refs/branches/$revision")
+        return resp?.target?.hash
+    }
+
     @Memoized
     protected <T> List<T> invokeAndResponseWithPaging(String url, Closure<T> parse) {
         final result = new ArrayList<T>(50)

modules/nextflow/src/test/groovy/nextflow/container/ApptainerBuilderTest.groovy

@@ -153,6 +153,11 @@ class ApptainerBuilderTest extends Specification {
                 .build()
                 .runCommand == 'set +u; env - PATH="$PATH" ${TMP:+APPTAINERENV_TMP="$TMP"} ${TMPDIR:+APPTAINERENV_TMPDIR="$TMPDIR"} apptainer exec --no-home -B "$NXF_TASK_WORKDIR" ubuntu'
 
+        new ApptainerBuilder('ubuntu')
+            .params(oci: true)
+            .build()
+            .runCommand == 'set +u; env - PATH="$PATH" ${TMP:+APPTAINERENV_TMP="$TMP"} ${TMPDIR:+APPTAINERENV_TMPDIR="$TMPDIR"} apptainer exec --no-home --pid -B "$NXF_TASK_WORKDIR" ubuntu'
+
     }
 
     def 'should mount home directory if specified' () {

modules/nextflow/src/test/groovy/nextflow/container/ContainerConfigTest.groovy

@@ -61,24 +61,34 @@ class ContainerConfigTest extends Specification {
 
     }
 
-
-    def 'should validate oci mode' () {
+    @Unroll
+    def 'should validate oci mode and direct mode' () {
 
         when:
         def cfg = new ContainerConfig(OPTS)
         then:
-        cfg.singularityOciMode() == EXPECTED
+        cfg.isSingularityOciMode() == OCI_MODE
+        cfg.canRunOciImage() == AUTO_PULL
 
         where:
-        OPTS                                | EXPECTED
-        [:]                                 | false
-        [oci:false]                         | false
-        [oci:true]                          | false
-        [engine:'apptainer', oci:true]      | false
-        [engine:'docker', oci:true]         | false
-        [engine:'singularity']              | false
-        [engine:'singularity', oci:false]   | false
-        [engine:'singularity', oci:true]    | true
+        OPTS                                        | OCI_MODE  | AUTO_PULL
+        [:]                                         | false     | false
+        [oci:true]                                  | false     | false
+        [oci:false]                                 | false     | false
+        [ociMode:true]                              | false     | false
+        and:
+        [engine:'docker', oci:true]                 | false     | false
+        [engine:'singularity']                      | false     | false
+        [engine:'singularity', oci:false]           | false     | false
+        [engine:'singularity', ociAutoPull:false]   | false     | false
+        and:
+        [engine:'singularity', oci:true]            | true      | true
+        [engine:'singularity', ociMode:true]        | true      | true
+        [engine:'apptainer', oci:true]              | false     | false
+        [engine:'apptainer', ociMode:true]          | false     | false
+        and:
+        [engine:'singularity', ociAutoPull:true]    | false         | true
+        [engine:'apptainer', ociAutoPull:true]      | false         | true
 
     }
 
@@ -96,7 +106,9 @@ class ContainerConfigTest extends Specification {
         [engine:'podman']                               | '--rm --privileged'
         and:
         [engine: 'singularity']                         | null
-        [engine: 'singularity', oci:true]               | '-B /dev/fuse'
+        [engine: 'singularity', ociMode:true]           | '-B /dev/fuse'
+        [engine: 'singularity', ociAutoPull: true]      | null
+        [engine: 'apptainer', oci:true]                 | null
         and:
         [engine:'docker', fusionOptions:'--cap-add foo']| '--cap-add foo'
         [engine:'podman', fusionOptions:'--cap-add bar']| '--cap-add bar'

modules/nextflow/src/test/groovy/nextflow/container/ContainerHandlerTest.groovy

@@ -205,7 +205,7 @@ class ContainerHandlerTest extends Specification {
     def 'test normalize method for singularity' () {
         given:
         def BASE = Paths.get('/abs/path/')
-        def handler = Spy(new ContainerHandler(engine: 'singularity', enabled: true, oci:OCI, baseDir: BASE))
+        def handler = Spy(new ContainerHandler(engine: 'singularity', enabled: true, ociMode: OCI, baseDir: BASE))
 
         when:
         def result = handler.normalizeImageName(IMAGE)
@@ -233,6 +233,54 @@ class ContainerHandlerTest extends Specification {
 
     }
 
+    @Unroll
+    def 'test normalize method for OCI direct mode' () {
+        given:
+        def BASE = Paths.get('/abs/path/')
+        def handler = Spy(new ContainerHandler(engine: 'apptainer', enabled: true, ociAutoPull:AUTO, baseDir: BASE))
+
+        when:
+        def result = handler.normalizeImageName(IMAGE)
+
+        then:
+        1 * handler.normalizeApptainerImageName(IMAGE) >> NORMALIZED
+        X * handler.createApptainerCache(handler.config, NORMALIZED) >> EXPECTED
+        result == EXPECTED
+
+        where:
+        IMAGE                                       | NORMALIZED                                        | ENGINE            | AUTO  | X | EXPECTED
+        null                                        | null                                              | 'singularity'     | false |           0 | null
+        ''                                          | null                                              | 'singularity'     | false |           0 | null
+        '/abs/path/bar.img'                         | '/abs/path/bar.img'                               | 'singularity'     | false |           0 | '/abs/path/bar.img'
+        '/abs/path bar.img'                         | '/abs/path bar.img'                               | 'singularity'     | false |           0 | '/abs/path\\ bar.img'
+        'file:///abs/path/bar.img'                  | '/abs/path/bar.img'                               | 'singularity'     | false |           0 | '/abs/path/bar.img'
+        'foo.img'                                   | Paths.get('foo.img').toAbsolutePath().toString()  | 'singularity'     | false |           0 | Paths.get('foo.img').toAbsolutePath().toString()
+        'shub://busybox'                            | 'shub://busybox'                                  | 'singularity'     | false |           1 | '/path/to/busybox'
+        'docker://library/busybox'                  | 'docker://library/busybox'                        | 'singularity'     | false |           1 | '/path/to/busybox'
+        'foo'                                       | 'docker://foo'                                    | 'singularity'     | false |           1 | '/path/to/foo'
+        'library://pditommaso/foo/bar.sif:latest'   | 'library://pditommaso/foo/bar.sif:latest'         | 'singularity'     | false |           1 | '/path/to/foo-bar-latest.img'
+        and:
+        'docker://library/busybox'                  | 'docker://library/busybox'                        | 'singularity'     | true  |           0 | 'docker://library/busybox'
+        'shub://busybox'                            | 'shub://busybox'                                  | 'singularity'     | true  |           1 | '/path/to/busybox'
+
+        and:
+        null                                        | null                                              | 'apptainer'     | false |           0 | null
+        ''                                          | null                                              | 'apptainer'     | false |           0 | null
+        '/abs/path/bar.img'                         | '/abs/path/bar.img'                               | 'apptainer'     | false |           0 | '/abs/path/bar.img'
+        '/abs/path bar.img'                         | '/abs/path bar.img'                               | 'apptainer'     | false |           0 | '/abs/path\\ bar.img'
+        'file:///abs/path/bar.img'                  | '/abs/path/bar.img'                               | 'apptainer'     | false |           0 | '/abs/path/bar.img'
+        'foo.img'                                   | Paths.get('foo.img').toAbsolutePath().toString()  | 'apptainer'     | false |           0 | Paths.get('foo.img').toAbsolutePath().toString()
+        'shub://busybox'                            | 'shub://busybox'                                  | 'apptainer'     | false |           1 | '/path/to/busybox'
+        'docker://library/busybox'                  | 'docker://library/busybox'                        | 'apptainer'     | false |           1 | '/path/to/busybox'
+        'foo'                                       | 'docker://foo'                                    | 'apptainer'     | false |           1 | '/path/to/foo'
+        'library://pditommaso/foo/bar.sif:latest'   | 'library://pditommaso/foo/bar.sif:latest'         | 'apptainer'     | false |           1 | '/path/to/foo-bar-latest.img'
+        and:
+        'docker://library/busybox'                  | 'docker://library/busybox'                        | 'apptainer'     | true  |           0 | 'docker://library/busybox'
+        'shub://busybox'                            | 'shub://busybox'                                  | 'apptainer'     | true  |           1 | '/path/to/busybox'
+
+
+    }
+
     def 'should not invoke caching when engine is disabled' () {
         given:
         final handler = Spy(new ContainerHandler([engine: 'singularity']))

modules/nextflow/src/test/groovy/nextflow/container/DockerBuilderTest.groovy

@@ -97,11 +97,6 @@ class DockerBuilderTest extends Specification {
                 .build()
                 .runCommand == 'docker run -i -v "$NXF_TASK_WORKDIR":"$NXF_TASK_WORKDIR" -w "$NXF_TASK_WORKDIR" -x --zeta busybox'
 
-        new DockerBuilder('busybox')
-                .params(userEmulation:true)
-                .build()
-                .runCommand == 'docker run -i -u $(id -u) -e "HOME=${HOME}" -v /etc/passwd:/etc/passwd:ro -v /etc/shadow:/etc/shadow:ro -v /etc/group:/etc/group:ro -v $HOME:$HOME -v "$NXF_TASK_WORKDIR":"$NXF_TASK_WORKDIR" -w "$NXF_TASK_WORKDIR" busybox'
-
         new DockerBuilder('busybox')
                 .setName('hola')
                 .build()