Request for classic confinement: ondemand

Open OnDemand schedules and manages its own kind of tasks, alongside integrating with various workload schedulers, using a CLI utility named nginx_stage that wraps nginx.

Open OnDemand is capable of requesting resources via configured clusters (e.g. use Slurm to start a Jupyter Server session on a distributed environment with 48 GPUs allocated to it), but Open OnDemand also manages processes locally with nginx_stage, which isn’t captured by the container context diagram. For example, Open OnDemand will schedule a dashboard session locally that is namespaced to each logged-in user - the nginx process is run as the effective uid and gid of the logged-in user. There are other applications run locally as well, such as a file explorer and web-based terminal. nginx_stage needs escalated privileges to manage the different nginx processes running for each user.

I have tried, but I cannot use strict confinement, as Open OnDemand is also very much an IDE as well as an HPC workload orchestration agent.

Open OnDemand will run interactive applications locally via nginx_stage, and some of those applications need generous access to the underlying host. For example, the “File Explorer” application is used by many Open OnDemand users to manage their files on the supercomputing cluster, and the “File Editor” application is used to edit files on the cluster. The home, personal-files, and system-files interfaces are not sufficient here, as Open OnDemand users will commonly access files outside their home directory due to limited storage quotas; it would be too onerous to map every possible directory/file that users would want to access on the cluster. There are many different ways a supercomputing facility may choose to set up the cluster file system, and the users’ requirements are heterogeneous, so they expect a wide range of flexibility. This is a similar reason to why Spack needed classic confinement: Request for classic confinement: Spack.

Open OnDemand is an IDE similar to PyCharm or VSCode where there’s a built-in file explorer and editor, but rather than having a dedicated window on the desktop, you access its various tools and applications through the web browser instead. Let me know if you have any further questions :smiley: