[Beowulf] Containers in HPC

Gerald Henriksen ghenriks at gmail.com
Thu May 23 06:06:48 PDT 2019


On Thu, 23 May 2019 12:35:13 +0000, you wrote:

>Thanks for the great explanation and clarification. Another question that stems from the below: what mechanisms exist in terms of security for the containers to be as secure as a VM?

I know there have been security concerns about Docker (what most
people think of when they talk about containers these days), though I
am not sure what exactly they are.

They obviously won't be as secure as a VM as they are sharing the
underlying kernel and perhaps a few system libraries, so if a
different container somehow finds a way to compromise the kernel
(maybe not so theoretical in the current Intel era) then there will be
the possibility of at least getting at any system calls any other
containers make to the kernel.

And at least Docker containers also have the issue that they typically
don't have permanent storage so you need to move any data you want to
keep out of the container prior to killing the container.

Despite that they have a lot of advantages, and for example Fedora has
a project to create a new version of their Gnome Desktop edition using
containers instead of traditional rpm packages called Silverblue, and
this is partly due to the containers additional security over a
traditionally installed application (for example, the ability to
restrict access to the underlying filesystem).
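An added example, not from Gerald's post or anything on the Beowulf list: a Python function that reads `docker inspect` output (a constructed sample is embedded, not captured from a real host) and reports the HostConfig settings that widen a container's reach into the shared kernel or the host filesystem, the two weak points the reply describes. The field names are Docker's own; which values to flag is this example's assumption.

```python
import json

# Constructed sample of `docker inspect` output for one container, trimmed to
# the HostConfig fields this audit reads. Not taken from a real host.
SAMPLE_INSPECT = json.dumps([{
    "Id": "constructed-example",
    "Name": "/batch-job",
    "HostConfig": {
        "Privileged": False,
        "ReadonlyRootfs": False,
        "CapAdd": ["SYS_ADMIN"],
        "SecurityOpt": ["seccomp=unconfined"],
        "Binds": ["/:/host:rw", "/data/results:/results:rw"],
        "PidMode": "host",
    },
}])

# Host paths whose bind-mount into a container undoes the filesystem
# restriction the post mentions (assumed list for this example).
SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/sys", "/var/run/docker.sock")


def audit_isolation(inspect_json: str) -> list[str]:
    """Return one finding per setting that weakens the container's isolation
    from the shared kernel or the host filesystem; empty list means none."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name") or c.get("Id", "?")
        hc = c.get("HostConfig") or {}
        if hc.get("Privileged"):
            findings.append(f"{name}: privileged (all capabilities, raw device access)")
        if not hc.get("ReadonlyRootfs"):
            findings.append(f"{name}: root filesystem is writable (consider --read-only)")
        for cap in hc.get("CapAdd") or []:
            findings.append(f"{name}: extra kernel capability {cap} granted")
        for opt in hc.get("SecurityOpt") or []:
            if opt in ("seccomp=unconfined", "apparmor=unconfined"):
                findings.append(f"{name}: {opt} removes a syscall/MAC filter")
        for bind in hc.get("Binds") or []:
            src = bind.split(":", 1)[0]
            if src == "/" or src.startswith(SENSITIVE_HOST_PATHS):
                findings.append(f"{name}: host path {src} mounted into container")
        if hc.get("PidMode") == "host":
            findings.append(f"{name}: shares the host PID namespace")
    return findings


if __name__ == "__main__":
    for line in audit_isolation(SAMPLE_INSPECT):
        print(line)
```

Feed it the real output of `docker inspect <container>` to check a running job; the `/data/results` bind in the sample is left unflagged because a dedicated results volume is exactly how the persistent-storage point in the post is normally handled.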
