Gergely,
If condor does not run Docker containers as 'root' by default, it's likely because this is a better default security posture. Even when using Docker, running as 'root' leaves you more open to security vulnerabilities. For example, this is the most recent one that allowed you to break out of the container to the host system [1].
Maybe you can force condor to allow you to run the container as root, but I don't know. I'm sure the condor team can comment here.
Marty
[1]
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Gergely Debreczeni via HTCondor-users <htcondor-users@xxxxxxxxxxx>
Sent: Thursday, June 13, 2019 2:14:27 PM
To: HTCondor-Users Mail List
Cc: Gergely Debreczeni
Subject: Re: [HTCondor-users] sudo / package installation inside a docker container inside a user job

Thanks, that is indeed good advice! I’ll check and see whether it has any limitations for our use case.... But if I understood correctly, “becoming root” inside a docker container should not harm the host OS in any manner... so why is it disabled in Condor? Is there some security flaw there?
Thanks, Gergely
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx>
On Behalf Of Kandes, Martin
Gergely,
Dimitri does have a good point. But I understand your problem. I help maintain the Singularity containers we build for our users [1].
One possibility you might consider is using miniconda [2] to install additional packages in userspace, if the user's HOME directory or some scratch space available to the job is large enough to handle installations of packages like TensorFlow. I actually install miniconda by default in our base containers for this purpose myself. e.g., see [3] [4].
I know this isn't a Docker-native solution. But that's how I might do it with Singularity.
Marty
[1]
https://github.com/mkandes/naked-singularity
[2]
https://docs.conda.io/en/latest/miniconda.html
[3]
https://github.com/mkandes/naked-singularity/blob/master/definition-files/comet/ubuntu/ubuntu.def
[4]
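An added example, not code from this thread or from the naked-singularity project: a POSIX shell job wrapper that bootstraps Miniconda into HTCondor's scratch directory (assumed to be exported as `_CONDOR_SCRATCH_DIR`, falling back to `$HOME`) and refuses to proceed when that area is not writable or too small, the limitation Marty mentions above. The 4 GiB threshold, the `wget` availability and the TensorFlow install are assumptions.

```shell
#!/bin/sh
# Added example: install packages in userspace with Miniconda instead of
# needing root inside the container. Assumes HTCondor exports
# _CONDOR_SCRATCH_DIR and that the job has network access at start.

MINICONDA_URL="https://repo.anaconda.com/miniconda/Miniconda3-latest-Linux-x86_64.sh"

# Choose the install prefix: the job scratch dir if set, else $HOME.
pick_prefix() {
    base="${_CONDOR_SCRATCH_DIR:-$HOME}"
    printf '%s/miniconda3\n' "$base"
}

# Free space in MiB on the filesystem holding directory $1.
free_mib() {
    df -Pm "$1" | awk 'NR==2 {print $4}'
}

# Succeed only if the parent of prefix $1 exists, is writable by this
# (non-root) user, and has at least $2 MiB free.
check_prefix() {
    parent=$(dirname "$1")
    [ -d "$parent" ] && [ -w "$parent" ] || return 1
    [ "$(free_mib "$parent")" -ge "$2" ]
}

# Bootstrap Miniconda and install the wanted package without any privilege.
install_packages() {
    prefix=$(pick_prefix)
    if ! check_prefix "$prefix" 4096; then        # 4 GiB is an assumed minimum
        echo "need a writable area with >= 4 GiB free at $prefix" >&2
        return 1
    fi
    wget -q "$MINICONDA_URL" -O miniconda.sh || return 1
    sh miniconda.sh -b -p "$prefix" || return 1    # -b: batch mode, no prompts, no root
    "$prefix/bin/conda" install -y -c conda-forge tensorflow
}
```

Call `install_packages` from the job's executable; everything lands under the scratch prefix and is discarded with the job.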
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Dimitri Maziuk via HTCondor-users <htcondor-users@xxxxxxxxxxx>
On 6/13/19 3:07 PM, Gergely Debreczeni via HTCondor-users wrote: