[Beowulf] HPC workflows

Michael Di Domenico mdidomenico4 at gmail.com
Fri Dec 7 08:45:59 PST 2018


On Fri, Dec 7, 2018 at 11:35 AM John Hanks <griznog at gmail.com> wrote:
>
>  But, putting it in a container wouldn't make my life any easier and would, in fact, just add yet another layer of something to keep up to date.

i think the theory behind this is the containers allow the sysadmins
to kick the can down the road and put the onus of updates on the
container developer.  but then you get into a circle of trust issue,
whereby now you have to trust the container developers are doing
something sane and in a timely manner.

a perfect example that we pitched up to our security team was (this
was a few years ago mind you); what happens when someone embeds openssl
libraries in the container.  who's responsible for updating them?
what happens when that container gets abandoned by the dev?  and those
containers are running with some sort of docker/root privilege
menagerie.  this was back when openssl had bugs coming up left and
right.  yeah, that conversation stopped dead in its tracks and we put
a moratorium on docker.

but i don't think the theory lines up with the practice, and that's
why devs shouldn't be doing ops

