"Charliecloud" is a more secure approach to containers in HPC:
https://phys.org/news/2017-06-charliecloud-big-supercomputing.html
https://permalink.lanl.gov/object/tr?what=info:lanl-repo/lareport/LA-UR-16-22370
https://github.com/hpc/charliecloud
Charliecloud uses Linux user namespaces to run containers with no
privileged operations or daemons and minimal configuration changes on
center resources. This simple approach avoids most security risks
while maintaining access to the performance and functionality already
on offer.
Container images can be built using Docker or anything else that can
generate a standard Linux filesystem tree.
-Josip
On 5/23/19 7:06 AM, Gerald Henriksen wrote:
On Thu, 23 May 2019 12:35:13 +0000, you wrote:
Thanks for the great explanation and clarification. Another question that stems
from the below: what mechanisms exist, in terms of security, for the containers to
be as secure as a VM?
I know there have been security concerns about Docker (what most
people think of when they talk about containers these days), though I
am not sure what exactly they are.
They obviously won't be as secure as a VM as they are sharing the
underlying kernel and perhaps a few system libraries, so if a
different container somehow finds a way to compromise the kernel
(maybe not so theoretical in the current Intel era) then there will be
the possibility of at least getting at any system calls any other
containers make to the kernel.
And at least Docker containers also have the issue that they typically
don't have permanent storage so you need to move any data you want to
keep out of the container prior to killing the container.
Despite that they have a lot of advantages, and for example Fedora has
a project to create a new version of their Gnome Desktop edition using
containers instead of traditional rpm packages called Silverblue, and
this is partly due to the containers' additional security over a
traditionally installed application (for example, the ability to
restrict access to the underlying filesystem).
_______________________________________________
Beowulf mailing list, Beowulf@beowulf.org sponsored by Penguin Computing
To change your subscription (digest mode or unsubscribe) visit
https://beowulf.org/cgi-bin/mailman/listinfo/beowulf
--
Dr. Josip Loncaric, LANL, MS-T001, P.O. Box 1663, Los Alamos, NM 87545
mailto:jo...@lanl.gov Cell: +1-505-412-8490 Phone: +1-505-412-6538
--
E Pluribus Unum
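The Charliecloud description above rests on one kernel feature: an ordinary user can create a user namespace, map their own uid to 0 inside it, and from there obtain the capabilities (such as a private mount namespace for the image tree) that a traditional container runtime would need a setuid helper or root daemon for. The following C program is an added example written for this thread, not code from Charliecloud or from the list. It forks a child that creates a user namespace, writes the single-line uid/gid mapping an unprivileged process is allowed to write, and then checks what that in-namespace "root" can do: unshare a mount namespace and bind-mount /tmp inside it, none of which touches the host. The PROBE_* bit names and the probe_userns() function are my own; the program assumes a Linux kernel with unprivileged user namespaces enabled and a mounted /proc.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the child learned, passed back to the parent through its exit code.
 * These names are mine, not a kernel or Charliecloud API. */
enum {
    PROBE_USERNS_OK  = 1 << 0, /* unshare(CLONE_NEWUSER) worked as an ordinary user   */
    PROBE_UID_IS_0   = 1 << 1, /* after writing uid_map, geteuid() inside reports 0   */
    PROBE_MOUNTNS_OK = 1 << 2, /* unshare(CLONE_NEWNS) worked inside (CAP_SYS_ADMIN   */
                               /* exists there, but only over this namespace)         */
    PROBE_BIND_OK    = 1 << 3, /* a bind mount inside the private mount ns worked     */
};

/* Write a short string to a /proc file; the kernel requires a single write(). */
static int write_str(const char *path, const char *s) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));
    int saved = errno;
    close(fd);
    errno = saved;
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

/* Runs in the forked child; returns the PROBE_* bitmask. */
static int child_probe(uid_t outer_uid, gid_t outer_gid) {
    int flags = 0;
    char map[64];

    if (unshare(CLONE_NEWUSER) != 0)      /* EPERM/EINVAL: disabled by policy or kernel */
        return 0;
    flags |= PROBE_USERNS_OK;

    /* An unprivileged process may map exactly one id: its own, to any inside id.
     * setgroups must be denied before gid_map can be written (kernel >= 3.19). */
    write_str("/proc/self/setgroups", "deny");
    snprintf(map, sizeof map, "0 %u 1", (unsigned)outer_uid);
    if (write_str("/proc/self/uid_map", map) != 0) return flags;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)outer_gid);
    if (write_str("/proc/self/gid_map", map) != 0) return flags;
    if (geteuid() == 0) flags |= PROBE_UID_IS_0;

    /* "Root" here owns the new user namespace only, which is enough to create a
     * mount namespace and set up a container filesystem without host privilege. */
    if (unshare(CLONE_NEWNS) == 0) {
        flags |= PROBE_MOUNTNS_OK;
        /* Make every mount private so nothing propagates back to the host tree. */
        mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL);
        if (mount("/tmp", "/tmp", NULL, MS_BIND, NULL) == 0) flags |= PROBE_BIND_OK;
    }
    return flags;
}

/* Fork, run the probe in the child, return its bitmask; -1 on fork/wait failure. */
int probe_userns(void) {
    uid_t uid = geteuid();
    gid_t gid = getegid();
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(child_probe(uid, gid));
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    int r = probe_userns();
    if (r < 0) { perror("probe_userns"); return 1; }
    printf("outer euid %u\n", (unsigned)geteuid());
    printf("user namespace created:   %s\n", (r & PROBE_USERNS_OK)  ? "yes" : "no (policy or kernel forbids it)");
    printf("euid 0 inside namespace:  %s\n", (r & PROBE_UID_IS_0)   ? "yes" : "no");
    printf("mount namespace inside:   %s\n", (r & PROBE_MOUNTNS_OK) ? "yes" : "no");
    printf("bind mount inside:        %s\n", (r & PROBE_BIND_OK)    ? "yes" : "no");
    return 0;
}
```

If the first line reports "no", the site has disabled unprivileged user namespaces (a sysctl or seccomp policy), which is precisely the configuration decision a center makes when adopting this model: enabling it is the one change Charliecloud asks of the host, and the security argument is that everything the program does after that point stays inside a namespace the caller already owns.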