Linux containers and Docker have gained immense popularity as a lightweight alternative to hypervisor-based Virtual Machines (VMs). In the context of High Performance Computing and the scientific community, it is clear that containers can serve many useful purposes, from system administration to improved cluster resource management and as a format for sharing reproducible research. However, when compared to VMs, containers appear to trade isolation for performance and ease of use, which poses unique security challenges. In this paper we review how Docker is being used in science, highlight easy-to-perform exploits, and evaluate the impact of these on HPC deployments. We also summarise a number of strategies for hardening such a system to reduce the vulnerability of hosting User Defined Containers. Based on these, an original solution to enforce default options and container ownership for non-administrative users in the HPC use case is presented, in addition to the experience of implementing such a system on a cluster at the University of Huddersfield.