Frequently Asked Questions
Common Problems Encountered by New Users
Containers are powerful tools for reproducibility and portability, but new users often encounter subtle issues due to how containers isolate environments and interact with the host. Below is a curated list of common pitfalls and their explanations, tailored for JLab users but broadly applicable to scientific workflows.
I’m root in the container — why can’t I access everything?
Answer: Even though you're root inside the container, you're not root on the host. Most systems at JLab use rootless Podman, where your container runs with your actual user permissions. This means host protections like file permissions, SELinux labels, and kernel namespaces still apply. You do not get full host access.
I am able to mount a directory, but I am getting permission denied errors. I can access the directories on the host machine, why can't I access the directory in the container?
Answer: This often happens when:
- The host path doesn’t exist or isn’t accessible.
- You're using a host with SELinux, which may require the
--security-opt label=disableoption. - You forgot to use
--userns=keep-id, which preserves file ownership.
Try:
podman run --rm -it --userns=keep-id --security-opt label=disable -v /my/data:/data jlab/base:alma9.5
When I mount /work, I cannot access my experiments full path.
Answer:
The /work directory is composed of several different locations symlinked together. /work itself is a symlink to /w/work. The separation of ZFS pools exposed as NFS allows for pools to be expanded and shrunk by administrators, and is common in HPC environments. To mount your /work directory it is best practice to mount the full path instead of all of /work.
-v /work/path/to/your/area:/my-work
ℹ️ If you must mount several areas, you resolve the paths by mounting both /work and /w. This is not recommended because it is too broad of a scope. Please use a specific area under your personal experiment and work directory.
I tried to use module load inside my container but got "command not found".
Answer:
The module command is a shell function loaded via environment modules. Vendor-supplied containers do not have the environment modules package installed. Check whether modules.sh exists in /etc/profile.d, and source it if available:
source /etc/profile.d/modules.sh
which module
My container ran fine interactively, but fails in batch mode (Slurm).
Answer: In batch environments:
- Environment variables might not be set the same as in an interactive shell.
- Volumes may be missing if you didn’t include all the needed mounts.
- You may be missing
--userns=keep-idwhich leads to file ownership issues.
My data disappeared when I stopped the container. Where did it go?
Answer: Containers are ephemeral. Any data not saved to a mounted volume will be lost when the container is removed.
Solution: Mount data directories explicitly:
-v /volatile/myjob:/data
ℹ️ You may be able to find the data in a container if it was not removed after execution:
docker container ls -a # Find and start the container used to run analysis
I built a custom image, but others can't use it. Why?
Answer: Images must be pushed to a registry to be shared. Use:
podman login codecr.jlab.org
podman push codecr.jlab.org/myimage:latest
ℹ️ Make sure collaborators also mount any needed directories (e.g.,
/cvmfs,/work,/volatile).
I’m using docker, but it behaves differently than expected.
Answer:
At JLab, docker is aliased to podman. Most commands work the same, but there are differences:
- Use
podman --versionto confirm your environment. Look up differences betweenpodmananddockerfor your version if unexpected behavior occurs.
Why is my container image huge?
Answer: Layered images can grow quickly. Common causes:
- Installing large packages without cleaning up.
- Copying source code or data directly into the image instead of mounting. Tips:
- Use multistage builds.
- Group RUN commands to reduce intermediate layers.
- Mount input/output data at runtime instead of baking it in.
My files show up with a username of nobody and a group of nogroup! What is going on?
Answer:
Nothing is wrong, this is common when groups and users are distributed in HPC clusters from an LDAP source. Instead of users and groups being distirbuted under /etc/passwd or /etc/group, they are determined by sssd. The files you create on disk will have the username and group of the user that started the container. Always prefer to use the --userns=keep-id and avoid using root in the container for unexpected behavior.
Can I mount my full home directory to bring in config files?
Answer:
Not recommended. Your .bashrc, .cshrc, or .profile may conflict with the container's intended environment.
Better approach:
Write a minimal .bashrc specific to the container and mount it explicitly if needed.
Why do I see strange path errors using CVMFS?
General Tips
- Always test containers interactively before running them in Slurm.
- Separate code, data, and configuration — mount only what you need.
- Push your custom containers to codecr.jlab.org for reuse across systems.
- Never assume a path exists in the container — bind it explicitly.
- Prefer
--mountover-vfor clarity and reproducibility in scripts.
--mount type=bind,source=/work,target=/work