Reid Priedhorsky
ABSTRACT
Supercomputing centers are seeing increasing demand for user-defined software stacks (UDSS), instead of or in addition to the stack provided by the center. These UDSS support user needs such as complex dependencies or build requirements, externally required configurations, portability, and consistency. The challenge for centers is to provide these services in a usable manner while minimizing the risks: security, support burden, missing functionality, and performance. We present Charliecloud, which uses the Linux user and mount namespaces to run industry-standard Docker containers with no privileged operations or daemons on center resources. Our simple approach avoids most security risks while maintaining access to the performance and functionality already on offer, doing so in just 800 lines of code. Charliecloud promises to bring an industry-standard UDSS user workflow to existing, minimally altered HPC resources.
- Amazon Web Services, Inc. 2015. An introduction to high performance computing on AWS. White paper. Amazon Web Services, Inc. https://d0.awsstatic.com/whitepapers/Intro_to_HPC_on_AWS.pdfGoogle Scholar
- Evan Andersen. 2016. How Nvidia breaks Chrome incognito. (Jan. 2016). https://charliehorse55.wordpress.com/2016/01/09/how-nvidia-breaks-chrome-incognito/Google Scholar
- Diego Calleja. 2013. Linux 3.8. (April 2013). http://kernelnewbies.org/Linux_3.8Google Scholar
- Hao Chen, David Wagner, and Drew Dean. 2002. Setuid Demystified. In USENIX Security Symposium. http://crypto.stanford.edu/cs155/papers/setuid-usenix02.pdf Google ScholarDigital Library
- CoreOS Inc. 2017. rkt 1.25.0 documentation. (2017). https://coreos.com/rkt/docs/1.25.0/Google Scholar
- Docker, Inc. 2016. Dockerfile reference. Documentation. Docker, Inc. https://docs.docker.com/engine/reference/builder/Google Scholar
- Docker Inc. 2017. Docker Docs. Documentation. Docker, Inc. https://docs.docker.comGoogle Scholar
- John L. Furlani and Peter W. Osel. 1996. Abstract yourself with modules. In USENIX System Administration Conference. http://modules.sourceforge.net/docs/absmod.pdf Google ScholarDigital Library
- Tyler Hicks. 2017. CVE-2017-7184: kernel: Local privilege escalation in XFRM framework. (March 2017). http://seclists.org/oss-sec/2017/q1/689Google Scholar
- Solomon Hykes. 2015. Introducing runC: A lightweight universal container runtime. (June 2015). https://blog.docker.com/2015/06/runcGoogle Scholar
- Intel Corporation 2016. Intel® MPI benchmarks: User guide and methodology description. Documentation. Intel Corporation. https://software.intel.com/sites/default/files/managed/66/e8/IMB_Users_Guide.pdfGoogle Scholar
- Keith R. Jackson, Lavanya Ramakrishnan, Krishna Muriki, Shane Canon, Shreyas Cholia, John Shalf, Harvey J. Wasserman, and Nicholas J. Wright. 2010. Performance analysis of high performance computing applications on the Amazon Web Services cloud. In IEEE CloudCom. Google ScholarDigital Library
- Doug Jacobsen and Shane Canon. 2015. Contain this, unleashing Docker for HPC. (May 2015). http://www.nersc.gov/assets/Uploads/nersc-brownbag-docker-jacobsen-canon.pdfGoogle Scholar
- Douglas M. Jacobsen and Richard Shane Canon. 2015. Contain this, unleashing Docker for HPC. In Cray User Group. http://www.nersc.gov/assets/Uploads/cug2015udi.pdfGoogle Scholar
- Venkateswararao Jujjuri, Eric Van Hensbergen, Anthony Liguori, and Badari Pulavarty. 2010. VirtFS---a virtualization aware file system pass-through. In Ottawa Linux Symposium (OLS). https://www.kernel.org/doc/ols/2010/ols2010-pages-109-120.pdfGoogle Scholar
- Michael Kerrisk. 2013. Namespaces in operation, part 1: Namespaces overview. Linux Weekly News (Jan. 2013). https://lwn.net/Articles/531114/Google Scholar
- Michael Kerrisk. 2013. Namespaces in operation, part 5: User namespaces. Linux Weekly News (Feb. 2013). https://lwn.net/Articles/532593/Google Scholar
- Michael Kerrisk et al. 2015. pid_namespaces(7). Man page. http://man7.org/linux/man-pages/man7/pid_namespaces.7.htmlGoogle Scholar
- Michael Kerrisk et al. 2016. chroot(2). Man page. http://man7.org/linux/man-pages/man2/chroot.2.htmlGoogle Scholar
- Michael Kerrisk et al. 2016. clone(2). Man page. http://man7.org/linux/man-pages/man2/clone.2.htmlGoogle Scholar
- Michael Kerrisk et al. 2016. namespaces(7). Man page. http://man7.org/linux/man-pages/man7/namespaces.7.htmlGoogle Scholar
- Michael Kerrisk et al. 2016. setns(2). Man page. http://man7.org/linux/man-pages/man2/setns.2.htmlGoogle Scholar
- Michael Kerrisk et al. 2016. unshare(2). Man page. http://man7.org/linux/man-pages/man2/unshare.2.htmlGoogle Scholar
- Michael Kerrisk et al. 2016. user_namespaces(7). Man page. http://man7.org/linux/man-pages/man7/user_namespaces.7.htmlGoogle Scholar
- Gregory M. Kurtzer. 2016. Singularity. (July 2016). http://singularity.lbl.gov/Google Scholar
- Ning Liu, Jason Cope, Philip Carns, Christopher Carothers, Robert Ross, Gary Grider, Adam Crume, and Carlos Maltzahn. 2012. On the role of burst buffers in leadership-class storage systems. In Mass Storage Systems and Technologies (MSST).Google Scholar
- Scott Lowe. 2009. What is SR-IOV? (Dec. 2009). http://blog.scottlowe.org/2009/12/02/what-is-sr-iov/Google Scholar
- Doug McIlroy, E. N. Pinson, and B. A. Tague. 1978. UNIX time-sharing system: Foreword. Bell System Technical Journal 67, 6 (1978).Google Scholar
- Open Container Initiative 2016. About. Mission statement. Open Container Initiative. https://www.opencontainers.org/aboutGoogle Scholar
- Larry Pezzaglia. 2012. CHOS in production. (April 2012). https://www.nersc.gov/assets/pubs_presos/chos.pdfGoogle Scholar
- Red Hat Inc. 2016. CVE-2016-10208. (Nov. 2016). https://access.redhat.com/security/cve/cve-2016-10208Google Scholar
- Reventlov. 2015. Using the docker command to root the host (totally not a security issue). (April 2015). http://reventlov.com/advisories/using-the-docker-command-to-root-the-hostGoogle Scholar
- Rami Rosen. 2016. Namespaces and cgroups, the basis of Linux containers. (Feb. 2016). http://www.netdevconf.org/1.1/proceedings/slides/rosen-namespaces-cgroups-lxc.pdfGoogle Scholar
- Cristian Ruiz, Emmanuel Jeanvoine, and Lucas Nussbaum. 2015. Performance evaluation of containers for HPC. In Euro-Par 2015: Parallel Processing Workshops.Google Scholar
- Jerome H. Saltzer. 1974. Protection and the control of information sharing in Multics. CACM 17, 7 (July 1974). Google ScholarDigital Library
- Simes. 2002. How to break out of a chroot() jail. (May 2002). https://web.archive.org/web/20160209154009/http://www.bpfh.net/simes/computing/chroot-break.htmlGoogle Scholar
- Robert Swiecki. 2016. NsJail. (Dec. 2016). https://google.github.io/nsjail/Google Scholar
- systemd contributors. 2017. systemd-nspawn. Man page. https://www.freedesktop.org/software/systemd/man/systemd-nspawn.htmlGoogle Scholar
- Wikipedia editors. 2016. Virtualization. (Feb. 2016). https://en.wikipedia.org/w/index.php?title=Virtualization&oldid=704408822Google Scholar
- Miguel G. Xavier, Marcelo V. Neves, Fabio D. Rossi, Tiago C. Ferreto, Timoteo Lange, and Cesar A. F. De Rose. 2013. Performance evaluation of container-based virtualization for high performance computing environments. In Euromicro Parallel, Distributed, and Network-Based Processing. Google ScholarDigital Library
Index Terms
- Charliecloud: unprivileged containers for user-defined software stacks in HPC
Recommendations
New Directions for Container Debloating
FEAST '17: Proceedings of the 2017 Workshop on Forming an Ecosystem Around Software TransformationApplication containers, such as Docker containers, are light-weight virtualization environments that "contain" applications together with their resources and configuration information. While they are becoming increasingly popular as a method for agile ...
Integrating Containers into Workflows: A Case Study Using Makeflow, Work Queue, and Docker
VTDC '15: Proceedings of the 8th International Workshop on Virtualization Technologies in Distributed ComputingWorkflows are a widely used abstraction for representing large scientific applications and executing them on distributed systems such as clusters, clouds, and grids. However, workflow systems have been largely silent on the question of precisely what ...
Traditional High-Performance Computing with Container Technology (THPC): HPC using Container Technology, EasyBuild, Spack, and IBM LSF scheduler
PEARC '23: Practice and Experience in Advanced Research ComputingHigh-performance Computing (HPC) has been around for decades but maintaining software for HPC with heterogeneous compute nodes remains a challenging task for system administrators. Many software package frameworks have been developed over the years to ...
Comments