Hi,

One of my main concerns with Docker is that either the sysadmin has to set up all the containers in advance (which would be a mess for a big number of users), or, if the users are allowed to set up their own containers, that's a pretty big security concern (the users get *real* root within the containers, and if they can control the mount points it's trivially easy to mess with the system). For me that's a showstopper at the moment, until they integrate uid namespaces.

However, I've recently come across a different container system, "vagga" [1,2], which I think is much more suited to be used with HTCondor (in fact, it doesn't require any modification to HTCondor's code, since all the jobs are run as the user). I know it's not as mature, and it's lacking certain features (namely, no network isolation, and only one predefined mount point within the container: the current working folder). However, I think that the network issue is not so important for the usual HTCondor job (where most users just want a controlled / special running environment, libraries and such), and the mount points can anyway be managed in some other way.

For me, the main two points for this system are:

* The lifecycle of the container is that of the command. So, you just "vagga foo", and the container is created and destroyed along with the process, so you needn't do any container management.

* I've already said it, haven't I? No root involvement at all, everything is run as the user, and permissions / acls / cgroups are fully enforced.

Best,
Joan

[1]: http://vagga.readthedocs.org/en/latest/
[2]: https://github.com/tailhook/vagga

On 06/12/14 at 02:03, Todd Tannenbaum wrote:
On 12/5/2014 6:27 PM, Luke Winslow wrote:
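Added example (editor's note): the following is not part of Joan's message nor of the quoted replies from Todd Tannenbaum or Luke Winslow, which are not reproduced on this page. Joan's "real root" point is the question of whether uid 0 inside a container maps to uid 0 on the host or is remapped through a uid namespace. On Linux that mapping is recorded in /proc/<pid>/uid_map, one "inside outside length" triple per line; a process with no uid namespace of its own shows the identity mapping "0 0 4294967295". The script below parses that format and reports whether in-container root is host root. The sample maps are constructed, and the function and constant names are this example's own, not vagga's or Docker's.

```python
"""Does uid 0 inside a user namespace map to uid 0 on the host?

Added example; not code from the mailing-list thread, vagga or Docker.
Parses the /proc/<pid>/uid_map format: one "inside outside length" line
per mapped range.
"""
import os
from typing import List, Optional, Tuple

# Constructed sample uid_map contents (not captured from a real system).
IDENTITY_MAP = "         0          0 4294967295\n"   # no uid namespace: container root is host root
REMAPPED_MAP = "         0     100000      65536\n"   # root inside maps to unprivileged host uid 100000
SPLIT_MAP = ("         0     100000       1000\n"     # uids 0..999 remapped to 100000..100999
             "      1000       1000          1\n")    # uid 1000 (the user's own) mapped 1:1


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map text into (inside, outside, length) triples, rejecting malformed lines."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError("malformed uid_map line: %r" % line)
        inside, outside, length = (int(f) for f in fields)
        if length <= 0 or inside < 0 or outside < 0:
            raise ValueError("invalid uid_map range: %r" % line)
        ranges.append((inside, outside, length))
    return ranges


def host_uid(inside_uid: int, ranges: List[Tuple[int, int, int]]) -> Optional[int]:
    """Translate a uid as seen inside the namespace to the host uid; None if unmapped."""
    for inside, outside, length in ranges:
        if inside <= inside_uid < inside + length:
            return outside + (inside_uid - inside)
    return None


def root_is_host_root(uid_map_text: str) -> bool:
    """True when uid 0 inside the namespace is uid 0 on the host, i.e. "real" root."""
    return host_uid(0, parse_uid_map(uid_map_text)) == 0


def check_pid(pid: str = "self") -> bool:
    """Read the live map of a process (default: this one) and run the same check."""
    with open("/proc/%s/uid_map" % pid) as f:
        return root_is_host_root(f.read())


if __name__ == "__main__":
    for name, text in (("identity", IDENTITY_MAP), ("remapped", REMAPPED_MAP), ("split", SPLIT_MAP)):
        verdict = "real root" if root_is_host_root(text) else "remapped root"
        print("%-9s uid 0 inside -> host uid %s (%s)" % (name, host_uid(0, parse_uid_map(text)), verdict))
    if os.path.exists("/proc/self/uid_map"):  # Linux only
        print("this process: %s" % ("real root" if check_pid() else "remapped root"))
```

Run it inside a container (for example as `python3 check_uid_map.py` from the job's working directory) to see which case the job is actually in; the same check works from the host against `/proc/<container-pid>/uid_map` when you do not trust what the container tooling reports.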
One of my main concern with Docker is that either the sysadmin have to set up all the containers in advance (which would be a mess for a big number of users), or if the users are allowed to set up their own containers, that's a pretty big security concern (the users get *real* root within the containers, and if the can control the mount points it's trivially easy to mess with the system). For me that's a showstopper at the moment, until they integrate uid namespaces. However, I've recently come across a different container system "vagga" [1,2] which I think it's much more suited to be used with HTCondor (in fact, it doesn't require any modification in HTCondor's code, since all the jobs are run as the user). I know it's not as mature, and it's lacking certain features (namely, no network isolation, and only one predefined mountpoint within the container: the current working folder). However I think that the network issue is not so important for the usual HTCondor job (where most users just want a controlled / special running environment, libraries and such), and the mountpoints can anyway be managed in some other way. For me, the main two points for this system are: * The lifecycle of the container is that of the command. So, you just "vagga foo", and the container is created and destroyed along with the process, so you needn't do any container managment. * I've already said it, haven't I? No root involvement at all, everything is run as the user, and permissions / acls / cgroups are fully enforced. Best, Joan [1]: http://vagga.readthedocs.org/en/latest/ [2]: https://github.com/tailhook/vagga El 06/12/14 a las 02:03, Todd Tannenbaum escribió: On 12/5/2014 6:27 PM, Luke Winslow wrote: |