[Beowulf] Containers in HPC

Loncaric, Josip josip at lanl.gov
Thu May 23 07:13:12 PDT 2019


"Charliecloud" is a more secure approach to containers in HPC:

https://phys.org/news/2017-06-charliecloud-big-supercomputing.html
https://permalink.lanl.gov/object/tr?what=info:lanl-repo/lareport/LA-UR-16-22370
https://github.com/hpc/charliecloud

> Charliecloud uses Linux user namespaces to run containers with no 
> privileged operations or daemons and minimal configuration changes on 
> center resources. This simple approach avoids most security risks 
> while maintaining access to the performance and functionality already 
> on offer.
>
> Container images can be built using Docker or anything else that can 
> generate a standard Linux filesystem tree.
>


-Josip

On 5/23/19 7:06 AM, Gerald Henriksen wrote:
> On Thu, 23 May 2019 12:35:13 +0000, you wrote:
>
>> Thanks for the great explanation and clarification. Another question that stems from the below: what mechanisms exist, in terms of security, for the containers to be as secure as a VM?
> I know there have been security concerns about Docker (what most
> people think of when they talk about containers these days), though I
> am not sure what exactly they are.
>
> They obviously won't be as secure as a VM as they are sharing the
> underlying kernel and perhaps a few system libraries, so if a
> different container somehow finds a way to compromise the kernel
> (maybe not so theoretical in the current Intel era) then there will be
> the possibility of at least getting at any system calls any other
> containers make to the kernel.
>
> And at least Docker containers also have the issue that they typically
> don't have permanent storage so you need to move any data you want to
> keep out of the container prior to killing the container.
>
> Despite that they have a lot of advantages, and for example Fedora has
> a project to create a new version of their Gnome Desktop edition using
> containers instead of traditional rpm packages called Silverblue, and
> this is partly due to the containers additional security over a
> traditionally installed application (for example, the ability to
> restrict access to the underlying filesystem).
>
>
>
> _______________________________________________
> Beowulf mailing list, Beowulf at beowulf.org sponsored by Penguin Computing
> To change your subscription (digest mode or unsubscribe) visit https://beowulf.org/cgi-bin/mailman/listinfo/beowulf


-- 
Dr. Josip Loncaric, LANL, MS-T001, P.O. Box 1663, Los Alamos, NM 87545
mailto:josip at lanl.gov   Cell: +1-505-412-8490   Phone: +1-505-412-6538
--
E Pluribus Unum
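The mechanism behind the quoted Charliecloud description, as an added example that is not Charliecloud's own code (that lives in the linked repository): a small C program does what an unprivileged container runtime does first, unshare(CLONE_NEWUSER) followed by a write to /proc/self/uid_map, so the process is uid 0 inside the new namespace while the kernel maps it back to the caller's ordinary uid outside. No setuid helper and no daemon is involved, which is the point of the quote. The program also handles the failure mode a site may hit: a kernel configured to disallow unprivileged user namespaces, or a seccomp sandbox that blocks unshare, refuses the call, and that is the "minimal configuration change" such a runtime depends on. Linux only; the function names probe_userns and userns_verdict and the uid_map/setgroups/gid_map write order are this example's own choices, not taken from the page.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the child observed after trying to enter a user namespace. */
struct userns_result {
    int entered;     /* 1 if the namespace was created and mapped */
    int err;         /* errno of the failing step when entered == 0 */
    uid_t outer_uid; /* caller's real uid outside the namespace */
    uid_t inner_uid; /* getuid() as seen inside the namespace */
    uid_t map_inner; /* first field of /proc/self/uid_map inside */
    uid_t map_outer; /* second field: the host uid it maps back to */
};

/* Write one string to a procfs file; 0 on success, -1 with errno set. */
static int write_file(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));
    int saved = errno;
    close(fd);
    errno = saved;
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

/* Child: unshare a user namespace, map uid 0 inside to the caller's uid
   outside, report what the kernel shows. Needs no capabilities at all. */
static void child_probe(int wfd, uid_t outer_uid, gid_t outer_gid)
{
    struct userns_result r = {0};
    char buf[64];
    FILE *f;
    r.outer_uid = outer_uid;
    if (unshare(CLONE_NEWUSER) != 0) { r.err = errno; goto report; }
    /* Single-entry maps "inside outside count". An unprivileged gid_map
       write is only allowed after /proc/self/setgroups is set to "deny". */
    snprintf(buf, sizeof buf, "0 %u 1", (unsigned)outer_uid);
    if (write_file("/proc/self/uid_map", buf) != 0) { r.err = errno; goto report; }
    if (write_file("/proc/self/setgroups", "deny") != 0) { r.err = errno; goto report; }
    snprintf(buf, sizeof buf, "0 %u 1", (unsigned)outer_gid);
    if (write_file("/proc/self/gid_map", buf) != 0) { r.err = errno; goto report; }
    r.entered = 1;
    r.inner_uid = getuid();  /* 0: "root", but only inside this namespace */
    f = fopen("/proc/self/uid_map", "r");
    if (f) {
        unsigned in = 0, out = 0, cnt = 0;
        if (fscanf(f, "%u %u %u", &in, &out, &cnt) == 3) { r.map_inner = in; r.map_outer = out; }
        fclose(f);
    }
report:
    if (write(wfd, &r, sizeof r) != (ssize_t)sizeof r) _exit(2);
    _exit(0);
}

/* Fork, let the child try the namespace, collect its report over a pipe.
   Returns 0 if a report arrived, -1 on pipe/fork failure. */
int probe_userns(struct userns_result *out)
{
    int p[2], status;
    if (pipe(p) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { close(p[0]); child_probe(p[1], getuid(), getgid()); }
    close(p[1]);
    ssize_t n = read(p[0], out, sizeof *out);
    close(p[0]);
    waitpid(pid, &status, 0);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

/* 1: unprivileged user namespace works and uid 0 inside maps back to the
   caller; 2: the kernel or a sandbox refused it (see err); 0: inconsistent. */
int userns_verdict(void)
{
    struct userns_result r;
    if (probe_userns(&r) != 0) return 0;
    if (!r.entered) return r.err != 0 ? 2 : 0;
    return (r.inner_uid == 0 && r.map_inner == 0 && r.map_outer == r.outer_uid) ? 1 : 0;
}

int main(void)
{
    struct userns_result r;
    if (probe_userns(&r) != 0) { perror("probe_userns"); return 1; }
    if (r.entered)
        printf("inside: uid %u; uid_map says 0 -> host uid %u (caller uid %u)\n",
               (unsigned)r.inner_uid, (unsigned)r.map_outer, (unsigned)r.outer_uid);
    else
        printf("unprivileged user namespace refused: %s\n", strerror(r.err));
    return 0;
}
```

Build with `cc -o userns_probe userns_probe.c` and run it as an ordinary user. The "uid 0" reported inside is not root on the host: every file permission check the kernel performs on that process is done against the mapped host uid in the second column of uid_map, which is why this design needs no privileged operations. When the probe prints "refused", the site kernel (for example one with unprivileged user namespaces disabled via sysctl) or the surrounding sandbox is the thing to look at before expecting an unprivileged container runtime to work there.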