[Beowulf] Containers in HPC

pellman.john at gmail.com
Thu May 23 08:17:38 PDT 2019


While not technically containers in the purest sense, Kata Containers
<https://katacontainers.io/> also have the goal of producing a more secure
containerization technology along with the advantage of major industry
backing (Intel, Google, MS, AWS, etc).

On Thu, May 23, 2019 at 10:13 AM Loncaric, Josip via Beowulf <
beowulf at beowulf.org> wrote:

> "Charliecloud" is a more secure approach to containers in HPC:
>
> https://phys.org/news/2017-06-charliecloud-big-supercomputing.html
>
> https://permalink.lanl.gov/object/tr?what=info:lanl-repo/lareport/LA-UR-16-22370
> https://github.com/hpc/charliecloud
>
> > Charliecloud uses Linux user namespaces to run containers with no
> > privileged operations or daemons and minimal configuration changes on
> > center resources. This simple approach avoids most security risks
> > while maintaining access to the performance and functionality already
> > on offer.
> >
> > Container images can be built using Docker or anything else that can
> > generate a standard Linux filesystem tree.
> >
>
>
> -Josip
>
> On 5/23/19 7:06 AM, Gerald Henriksen wrote:
> > On Thu, 23 May 2019 12:35:13 +0000, you wrote:
> >
> >> Thanks for the great explanation and clarification. Another question
> >> that stems from the below: what mechanisms exist in terms of security for
> >> the containers to be as secure as a VM?
> > I know there have been security concerns about Docker (what most
> > people think of when they talk about containers these days), though I
> > am not sure what exactly they are.
> >
> > They obviously won't be as secure as a VM as they are sharing the
> > underlying kernel and perhaps a few system libraries, so if a
> > different container somehow finds a way to compromise the kernel
> > (maybe not so theoretical in the current Intel era) then there will be
> > the possibility of at least getting at any system calls any other
> > containers make to the kernel.
> >
> > And at least Docker containers also have the issue that they typically
> > don't have permanent storage so you need to move any data you want to
> > keep out of the container prior to killing the container.
> >
> > Despite that they have a lot of advantages, and for example Fedora has
> > a project to create a new version of their Gnome Desktop edition using
> > containers instead of traditional rpm packages called Silverblue, and
> > this is partly due to the containers additional security over a
> > traditionally installed application (for example, the ability to
> > restrict access to the underlying filesystem).
> >
> >
> >
> > _______________________________________________
> > Beowulf mailing list, Beowulf at beowulf.org sponsored by Penguin Computing
> > To change your subscription (digest mode or unsubscribe) visit
> https://beowulf.org/cgi-bin/mailman/listinfo/beowulf
>
>
> --
> Dr. Josip Loncaric, LANL, MS-T001, P.O. Box 1663, Los Alamos, NM 87545
> mailto:josip at lanl.gov   Cell: +1-505-412-8490   Phone: +1-505-412-6538
> --
> E Pluribus Unum
>
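The quoted Charliecloud description rests on Linux user namespaces: uid 0 inside the container is mapped to an ordinary uid on the host, so "root" in the container holds no host privilege. The following is an added example, not code from the thread or from the Charliecloud project; it parses the `/proc/<pid>/uid_map` format the kernel uses for that mapping (constructed sample maps included) and classifies whether a process's root is host root, a mapped unprivileged uid, or absent altogether.

```python
"""Classify a process's root by its user-namespace uid mapping.

/proc/<pid>/uid_map lines read "<inside-id> <outside-id> <count>".  The initial
(host) namespace carries the identity mapping "0 0 4294967295"; a rootless
container maps inside uid 0 to the unprivileged launching user.
"""
from typing import List, Optional, Tuple

Mapping = List[Tuple[int, int, int]]

# Constructed samples (not captured from a real system).
HOST_MAP = "         0          0 4294967295\n"
USERNS_MAP = "         0       1000          1\n"            # rootless container
SUBID_MAP = "         0       1000          1\n         1     100000      65536\n"


def parse_id_map(text: str) -> Mapping:
    """Parse uid_map/gid_map contents, skipping malformed lines."""
    entries: Mapping = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3 or not all(f.isdigit() for f in fields):
            continue
        inside, outside, count = (int(f) for f in fields)
        entries.append((inside, outside, count))
    return entries


def host_id_for(mapping: Mapping, inside_id: int) -> Optional[int]:
    """Translate an id seen inside the namespace to the host id (None if unmapped)."""
    for inside, outside, count in mapping:
        if inside <= inside_id < inside + count:
            return outside + (inside_id - inside)
    return None


def classify_root(mapping: Mapping) -> str:
    """'host-root' = real root, 'mapped-root' = unprivileged on host, 'no-root' = uid 0 unmapped."""
    host_uid = host_id_for(mapping, 0)
    if host_uid is None:
        return "no-root"
    return "host-root" if host_uid == 0 else "mapped-root"


if __name__ == "__main__":
    # Live check on Linux: read this process's own mapping.
    with open("/proc/self/uid_map") as fh:
        print(classify_root(parse_id_map(fh.read())))
```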