[Beowulf] Docker vs KVM paper by IBM

Jason Riedy jason at lovesgoodfood.com
Wed Jan 28 12:39:08 PST 2015

And Gavin W. Burris writes:
> Great, but then how do you patch for critical vulns?

Beyond all the other responses (with which I agree), consider the
current GHOST issue.  If the possibly vulnerable bits are within
container images, then for batch jobs exposure ends once the image
is finished running.  Some vetting of images given external network
access always will be required, and that can handle checking for
vulnerabilities.  Heck, they can be run and metasploit-scanned
internally for severe testing.

A node's base system likely has far fewer security surfaces exposed
and can be rebooted into a new base image as soon as the running
job is over, just like now only without possibly having other
updates occur that interfere with user application stacks.

So much simpler assuming your cluster is used for running more than
a few fixed applications.

Building a good image will be simpler with well-behaved software, so
quality still can be rewarded.  But the growing quantity of crap
software from a system level that produces useful science results
can be supported without the current levels of pain.

More information about the Beowulf mailing list