[Beowulf] Containers in HPC
josip at lanl.gov
Thu May 23 07:13:12 PDT 2019
"Charliecloud" is a more secure approach to containers in HPC:
> Charliecloud uses Linux user namespaces to run containers with no
> privileged operations or daemons and minimal configuration changes on
> center resources. This simple approach avoids most security risks
> while maintaining access to the performance and functionality already
> on offer.
> Container images can be built using Docker or anything else that can
> generate a standard Linux filesystem tree.
On 5/23/19 7:06 AM, Gerald Henriksen wrote:
> On Thu, 23 May 2019 12:35:13 +0000, you wrote:
>> Thanks for the great explanation and clarification. Another question that stems from the below: what mechanisms exist in terms of security for the containers to be as secure as a VM?
> I know there have been security concerns about Docker (what most
> people think of when they talk about containers these days), though I
> am not sure what exactly they are.
> They obviously won't be as secure as a VM as they are sharing the
> underlying kernel and perhaps a few system libraries, so if a
> different container somehow finds a way to compromise the kernel
> (maybe not so theoretical in the current Intel era) then there will be
> the possibility of at least getting at any system calls any other
> containers make to the kernel.
> And at least Docker containers also have the issue that they typically
> don't have permanent storage so you need to move any data you want to
> keep out of the container prior to killing the container.
> Despite that they have a lot of advantages, and for example Fedora has
> a project to create a new version of their Gnome Desktop edition using
> containers instead of traditional rpm packages called Silverblue, and
> this is partly due to the containers' additional security over a
> traditionally installed application (for example, the ability to
> restrict access to the underlying filesystem).
> Beowulf mailing list, Beowulf at beowulf.org sponsored by Penguin Computing
> To change your subscription (digest mode or unsubscribe) visit https://beowulf.org/cgi-bin/mailman/listinfo/beowulf
Dr. Josip Loncaric, LANL, MS-T001, P.O. Box 1663, Los Alamos, NM 87545
mailto:josip at lanl.gov Cell: +1-505-412-8490 Phone: +1-505-412-6538
E Pluribus Unum
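The security property the Charliecloud description above rests on is the Linux user namespace: the process that is "root" inside the container is an ordinary, unprivileged uid on the host, so no setuid helper or daemon is needed. The program below is an added example written for this page; it is not code from the Beowulf thread or from the Charliecloud project. It reads the kernel's uid_map format (one "inside outside count" line per range) to translate a container uid back to the host uid, and its main() tries to enter a user namespace the same unprivileged way, reporting the errno if the host has unprivileged user namespaces disabled. The sample map lines are constructed, and the behaviour assumes a Linux host with /proc mounted.

```c
/* Added example, not from the thread or Charliecloud: how a user namespace
 * maps the container's uid 0 onto an ordinary host uid. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* One line of /proc/<pid>/uid_map: "<inside> <outside> <count>". */
struct id_map { long inside; long outside; long count; };

/* Parse a single uid_map line. Returns 0 on success, -1 on malformed input
 * (wrong field count, trailing junk, negative ids, or a zero-length range). */
int parse_id_map(const char *line, struct id_map *m)
{
    char tail;
    if (!line || !m) return -1;
    if (sscanf(line, "%ld %ld %ld %c", &m->inside, &m->outside, &m->count, &tail) != 3)
        return -1;
    if (m->inside < 0 || m->outside < 0 || m->count <= 0) return -1;
    return 0;
}

/* Translate a uid as seen inside the namespace to the host uid using the
 * whole uid_map text (possibly several lines). Returns -1 if the uid is not
 * mapped; such ids show up inside as the overflow uid (nobody, 65534). */
long host_uid_for(const char *uid_map, long inside_uid)
{
    const char *p = uid_map;
    while (p && *p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[128];
        struct id_map m;
        if (len >= sizeof line) return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (len > 0) {
            if (parse_id_map(line, &m) != 0) return -1;   /* reject a corrupt map */
            if (inside_uid >= m.inside && inside_uid < m.inside + m.count)
                return m.outside + (inside_uid - m.inside);
        }
        p = nl ? nl + 1 : NULL;
    }
    return -1;
}

/* Write a short string to a /proc file; returns 0 or -errno. */
static int write_proc(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    ssize_t n = write(fd, text, strlen(text));
    int err = (n == (ssize_t)strlen(text)) ? 0 : -errno;
    close(fd);
    return err;
}

/* Enter a fresh user namespace and map inside uid/gid 0 to our own host ids.
 * No privileged operation is involved; this is the unprivileged path that
 * Charliecloud's approach depends on. Returns 0 or -errno. */
int enter_user_ns_as_root(void)
{
    char buf[64];
    int rc;
    if (unshare(CLONE_NEWUSER) != 0) return -errno;
    /* Kernels since 3.19 require setgroups to be denied before gid_map is written. */
    (void)write_proc("/proc/self/setgroups", "deny");
    snprintf(buf, sizeof buf, "0 %ld 1\n", (long)getuid());
    if ((rc = write_proc("/proc/self/uid_map", buf)) != 0) return rc;
    snprintf(buf, sizeof buf, "0 %ld 1\n", (long)getgid());
    return write_proc("/proc/self/gid_map", buf);
}

int main(void)
{
    /* Constructed sample: the kind of line a rootless container gets. */
    const char *sample = "0 1000 1\n";
    printf("sample map: inside uid 0 -> host uid %ld\n", host_uid_for(sample, 0));

    long host_uid = (long)getuid();
    int rc = enter_user_ns_as_root();
    if (rc != 0) {
        fprintf(stderr, "unshare(CLONE_NEWUSER) failed: %s "
                "(unprivileged user namespaces may be disabled here)\n", strerror(-rc));
        return 1;
    }
    /* getuid() now reports 0, yet the kernel still treats us as host uid host_uid. */
    printf("inside namespace: getuid()=%u, still host uid %ld outside\n",
           (unsigned)getuid(), host_uid);
    return 0;
}
```

Reading /proc/<pid>/uid_map of a Charliecloud (or any rootless) container process from the host and feeding it to host_uid_for() shows the same thing the program prints: the container's "root" resolves to the launching user's uid, which is why a kernel compromise, not a missing privilege check in a daemon, is the residual risk the rest of the thread discusses.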