User's containerized applications are launched as part of PegasusLite jobs. PegasusLite job when starting on a remote worker node.
Sets up a directory to run a user job in.
Pulls in all the relevant input data, executables and the container image to that directory
Optionally, loads the container from the container image file and sets up the user to run as in the container (only applicable for Docker containers)
Mounts the job directory into the container as /scratch for Docker containers, while as /srv for Singularity containers.
Container will run a job specific script that figures out the appropriate Pegasus worker to use in the container if not already installed, and sets up the job environment to use it, before launching the user application using pegasus-kickstart.
Optionally, shuts down the container (only applicable for Docker containers)
Ships out the output data to the staging site
Cleans up the directory on the worker node.
The above model, allows for all credential handling required for data transfers to be handled outside the container within the PegasusLite job.