On 7/11/2014 6:23 PM, Martin Bukatovič wrote:
On 07/10/2014 10:47 PM, Greg Thain wrote:
On 07/10/2014 03:39 PM, Branden Timm wrote:
That's great, I hadn't noticed the existing cgroup support in the documentation.
Moreover there is also support for further filesystem isolation via bind mounts: http://osgtech.blogspot.cz/2012/02/file-isolation-using-bind-mounts-and.html
Similar to Docker, HTCondor already leverages a lot of Linux kernel features to provide job isolation on a machine - cgroups (limit ram, cpu), pid namespaces, cpu affinity, bind mounts (useful for giving each job its own /tmp that is cleaned up on job exit), chroot jails, ... A pithy overview of capabilities in this area is in the slides from this presentation at HTCondor Week 2013:
http://research.cs.wisc.edu/htcondor/HTCondorWeek2013/presentations/ThainG_BoxingUsers.pdf
In v8.3.x, we are adding network namespace isolation. And also looking at ways to make it easy for folks using Docker (i.e. a Docker job universe perhaps).
regards, Todd
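As an added illustration (not part of this thread, and not an official HTCondor example), here is a condor_config fragment for a startd that switches on each of the isolation mechanisms Todd lists above. The knob names are the ones documented in the HTCondor manual for the 8.x series as I recall them; the paths, cgroup name and limit policy are placeholder values, so check each knob against the manual for your installed version before deploying.

```ini
# Added example config for an execute node; placeholder values, verify knob
# names against the HTCondor manual for the version you run.

# cgroups: put each job in its own cgroup under this parent so the kernel
# accounts and limits its memory and CPU. The cgroup tree must exist on the
# node, e.g. /sys/fs/cgroup/<controller>/htcondor.
BASE_CGROUP = htcondor

# How memory limits are enforced via the cgroup: "hard" kills or holds a job
# that exceeds its requested memory, "soft" only reclaims under pressure,
# "none" just accounts. Start with "soft" if jobs under-request memory.
CGROUP_MEMORY_LIMIT_POLICY = hard

# pid namespaces: the job sees only its own process tree, so it cannot
# signal or inspect other jobs or the condor daemons.
USE_PID_NAMESPACES = True

# cpu affinity: pin the job to the CPU cores of the slot it matched, so it
# cannot steal cycles from other slots on a shared node.
ENFORCE_CPU_AFFINITY = True

# bind mounts: each listed directory is replaced, for the job only, by a
# private directory inside the job's scratch space. The scratch space is
# deleted when the job exits, which is the per-job /tmp cleanup Todd mentions.
MOUNT_UNDER_SCRATCH = /tmp,/var/tmp

# chroot jails: named chroot trees a job may request with the job ad
# attribute +RequestedChroot. The tree must contain everything the job
# needs (libraries, shells), and the job's executable must be inside it.
NAMED_CHROOT = /srv/chroots/sl6 (placeholder path)
```

After restarting the startd, `condor_config_val BASE_CGROUP` (and likewise for the other knobs) confirms which values the daemon actually picked up, which matters because a typo in a knob name silently leaves that isolation feature off.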