<div dir="ltr">While not technically containers in the purest sense, <a href="https://katacontainers.io/">Kata Containers</a> also have the goal of producing a more secure containerization technology along with the advantage of major industry backing (Intel, Google, MS, AWS, etc).</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, May 23, 2019 at 10:13 AM Loncaric, Josip via Beowulf <<a href="mailto:beowulf@beowulf.org">beowulf@beowulf.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">"Charliecloud" is a more secure approach to containers in HPC:<br>
<br>
<a href="https://phys.org/news/2017-06-charliecloud-big-supercomputing.html" rel="noreferrer" target="_blank">https://phys.org/news/2017-06-charliecloud-big-supercomputing.html</a><br>
<a href="https://permalink.lanl.gov/object/tr?what=info:lanl-repo/lareport/LA-UR-16-22370" rel="noreferrer" target="_blank">https://permalink.lanl.gov/object/tr?what=info:lanl-repo/lareport/LA-UR-16-22370</a><br>
<a href="https://github.com/hpc/charliecloud" rel="noreferrer" target="_blank">https://github.com/hpc/charliecloud</a><br>
<br>
> Charliecloud uses Linux user namespaces to run containers with no <br>
> privileged operations or daemons and minimal configuration changes on <br>
> center resources. This simple approach avoids most security risks <br>
> while maintaining access to the performance and functionality already <br>
> on offer.<br>
><br>
> Container images can be built using Docker or anything else that can <br>
> generate a standard Linux filesystem tree.<br>
><br>
<br>
<br>
-Josip<br>
<br>
On 5/23/19 7:06 AM, Gerald Henriksen wrote:<br>
> On Thu, 23 May 2019 12:35:13 +0000, you wrote:<br>
><br>
>> Thanks for the great explanation and clarification. Another question that stems from the below what mechanisms exist in terms of security for the containers to be as secure as a VM?<br>
> I know there have been security concerns about Docker (what most<br>
> people think of when they talk about containers these days), though I<br>
> am not sure what exactly they are.<br>
><br>
> They obviously won't be as a secure as a VM as they are sharing the<br>
> underlying kernel and perhaps a few system libraries, so if a<br>
> different container somehow finds a way to compromise the kernel<br>
> (maybe not so theoritical in the current Intel era) then there will be<br>
> the possiblity of at least getting at any system calls any other<br>
> containers make to the kernel.<br>
><br>
> And at least Docker containers also have the issue that they typically<br>
> don't have permanent storage so you need to move any data you want to<br>
> keep out of the container prior to killing the container.<br>
><br>
> Despite that they have a lot of advantages, and for example Fedora has<br>
> a project to create a new version of their Gnome Desktop edition using<br>
> containers instead of traditional rpm packages called Silverblue, and<br>
> this is partly due to the containers additional security over a<br>
> traditionally installed application (for example, the ability to<br>
> restrict access to the underlying filesystem).<br>
><br>
><br>
><br>
> _______________________________________________<br>
> Beowulf mailing list, <a href="mailto:Beowulf@beowulf.org" target="_blank">Beowulf@beowulf.org</a> sponsored by Penguin Computing<br>
> To change your subscription (digest mode or unsubscribe) visit <a href="https://beowulf.org/cgi-bin/mailman/listinfo/beowulf" rel="noreferrer" target="_blank">https://beowulf.org/cgi-bin/mailman/listinfo/beowulf</a><br>
<br>
<br>
-- <br>
Dr. Josip Loncaric, LANL, MS-T001, P.O. Box 1663, Los Alamos, NM 87545<br>
mailto:<a href="mailto:josip@lanl.gov" target="_blank">josip@lanl.gov</a> Cell: +1-505-412-8490 Phone: +1-505-412-6538<br>
--<br>
E Pluribus Unum<br>
<br>
_______________________________________________<br>
Beowulf mailing list, <a href="mailto:Beowulf@beowulf.org" target="_blank">Beowulf@beowulf.org</a> sponsored by Penguin Computing<br>
To change your subscription (digest mode or unsubscribe) visit <a href="https://beowulf.org/cgi-bin/mailman/listinfo/beowulf" rel="noreferrer" target="_blank">https://beowulf.org/cgi-bin/mailman/listinfo/beowulf</a><br>
</blockquote></div>