While not technically containers in the purest sense, Kata Containers <https://katacontainers.io/> also have the goal of producing a more secure containerization technology along with the advantage of major industry backing (Intel, Google, MS, AWS, etc).
On Thu, May 23, 2019 at 10:13 AM Loncaric, Josip via Beowulf <beowulf@beowulf.org> wrote:

> "Charliecloud" is a more secure approach to containers in HPC:
>
> https://phys.org/news/2017-06-charliecloud-big-supercomputing.html
>
> https://permalink.lanl.gov/object/tr?what=info:lanl-repo/lareport/LA-UR-16-22370
> https://github.com/hpc/charliecloud
>
> > Charliecloud uses Linux user namespaces to run containers with no privileged operations or daemons and minimal configuration changes on center resources. This simple approach avoids most security risks while maintaining access to the performance and functionality already on offer.
> >
> > Container images can be built using Docker or anything else that can generate a standard Linux filesystem tree.
>
> -Josip
>
> On 5/23/19 7:06 AM, Gerald Henriksen wrote:
> > On Thu, 23 May 2019 12:35:13 +0000, you wrote:
> >
> > > Thanks for the great explanation and clarification. Another question that stems from the below: what mechanisms exist in terms of security for the containers to be as secure as a VM?
> >
> > I know there have been security concerns about Docker (what most people think of when they talk about containers these days), though I am not sure what exactly they are.
> >
> > They obviously won't be as secure as a VM as they are sharing the underlying kernel and perhaps a few system libraries, so if a different container somehow finds a way to compromise the kernel (maybe not so theoretical in the current Intel era) then there will be the possibility of at least getting at any system calls any other containers make to the kernel.
> >
> > And at least Docker containers also have the issue that they typically don't have permanent storage so you need to move any data you want to keep out of the container prior to killing the container.
> >
> > Despite that they have a lot of advantages, and for example Fedora has a project to create a new version of their Gnome Desktop edition using containers instead of traditional rpm packages called Silverblue, and this is partly due to the containers' additional security over a traditionally installed application (for example, the ability to restrict access to the underlying filesystem).
>
> --
> Dr. Josip Loncaric, LANL, MS-T001, P.O. Box 1663, Los Alamos, NM 87545
> mailto:jo...@lanl.gov Cell: +1-505-412-8490 Phone: +1-505-412-6538
> --
> E Pluribus Unum
_______________________________________________
Beowulf mailing list, Beowulf@beowulf.org sponsored by Penguin Computing
To change your subscription (digest mode or unsubscribe) visit https://beowulf.org/cgi-bin/mailman/listinfo/beowulf
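The Charliecloud description quoted above rests on Linux user namespaces: "root" inside the container is just an ordinary uid on the host, recorded in the kernel's `uid_map` for the namespace. The following is an added example, not code from the thread, Charliecloud or Kata Containers. It parses the `/proc/<pid>/uid_map` format (`inside outside count`, one range per line) and translates ids in both directions, which is the check a defender runs to confirm what a container's uid 0 really is on the host. The sample map (uid 1000 as container root, 65536 subordinate ids starting at 100000) is constructed to mirror a typical rootless layout; 65534 is the kernel's default `overflowuid` for ids that have no mapping.

```python
"""Added example: how Linux user-namespace uid maps confine "root" inside a
container. Not code from Charliecloud or the Beowulf thread; the uid_map
text below is constructed for illustration."""

# Kernel default for ids with no mapping (see /proc/sys/kernel/overflowuid).
OVERFLOW_UID = 65534


def parse_uid_map(text):
    """Parse uid_map/gid_map lines of the form '<inside> <outside> <count>'.

    Returns a list of (inside_start, outside_start, count) tuples. Malformed
    lines raise ValueError rather than being silently skipped, because a
    wrong mapping is exactly the thing this check is meant to catch.
    """
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive count in map line: {line!r}")
        ranges.append((inside, outside, count))
    return ranges


def inside_to_outside(uid, ranges):
    """Translate a uid as seen inside the namespace to the host-side uid."""
    for inside, outside, count in ranges:
        if inside <= uid < inside + count:
            return outside + (uid - inside)
    return OVERFLOW_UID  # unmapped ids surface as the overflow uid


def outside_to_inside(uid, ranges):
    """Translate a host-side uid to what the namespace sees (or overflow)."""
    for inside, outside, count in ranges:
        if outside <= uid < outside + count:
            return inside + (uid - outside)
    return OVERFLOW_UID


# Constructed sample: the caller's own uid (1000) becomes uid 0 inside the
# namespace; 65536 subordinate ids (as allotted via /etc/subuid) cover uids
# 1..65536 inside. Host uid 0 has no mapping at all.
SAMPLE_UID_MAP = (
    "         0       1000          1\n"
    "         1     100000      65536\n"
)


def read_live_uid_map(path="/proc/self/uid_map"):
    """Read this process's own map if procfs is available, else None."""
    try:
        with open(path) as fh:
            return parse_uid_map(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    ranges = parse_uid_map(SAMPLE_UID_MAP)
    print("container root (uid 0) is host uid", inside_to_outside(0, ranges))
    print("container uid 1 is host uid", inside_to_outside(1, ranges))
    print("host uid 0 appears inside as", outside_to_inside(0, ranges))
    live = read_live_uid_map()
    if live is not None:
        print("this process's uid_map:", live)
```

Run it inside a rootless container (or `cat /proc/<container-pid>/uid_map` on the host) and the first line shows why a compromise of container root does not by itself yield host root. Gerald's caveat still stands: the kernel is shared, and the mapping does nothing against a kernel bug reachable from inside the namespace.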