Computer Science > Distributed, Parallel, and Cluster Computing

Title: Minimizing privilege for building HPC containers

Authors: Reid Priedhorsky (1), R. Shane Canon (2 and 3), Timothy Randles (1), Andrew J. Younge (4) ((1) High Performance Computing Division, Los Alamos National Laboratory, (2) National Energy Research Scientific Computing Center, (3) Lawrence Berkeley National Laboratory, (4) Center for Computing Research, Sandia National Laboratories)
Abstract: HPC centers face increasing demand for software flexibility, and there is growing consensus that Linux containers are a promising solution. However, existing container build solutions require root privileges and cannot be used directly on HPC resources. This limitation is compounded as supercomputer diversity expands and HPC architectures become more dissimilar from commodity computing resources. Our analysis suggests this problem can best be solved with low-privilege containers. We detail relevant Linux kernel features, propose a new taxonomy of container privilege, and compare two open-source implementations: mostly-unprivileged rootless Podman and fully-unprivileged Charliecloud. We demonstrate that low-privilege container build on HPC resources works now and will continue to improve, giving normal users a better workflow to securely and correctly build containers. Minimizing privilege in this way can improve HPC user and developer productivity as well as reduce support workload for exascale applications.
Comments: 12 pages, 11 figures. Revision 2: clarifications, corrections of some minor errors; revision 3: further clarifications and corrections
Subjects: Distributed, Parallel, and Cluster Computing (cs.DC)
Journal reference: Proc. Supercomputing 2021, pp. 1-14
DOI: 10.1145/3458817.3476187
Report number: LA-UR 21-23314; SAND2021-4332 O
Cite as: arXiv:2104.07508 [cs.DC]
  (or arXiv:2104.07508v3 [cs.DC] for this version)

Submission history

From: Reid Priedhorsky
[v1] Thu, 15 Apr 2021 15:05:50 GMT (188kb,D)
[v2] Tue, 8 Jun 2021 21:46:15 GMT (190kb,D)
[v3] Mon, 16 Aug 2021 20:58:23 GMT (189kb,D)