Close

Presentation

Your registration category doesn't include this presentation upgrade
Minimizing Privilege for Building HPC Containers
SessionState of the Practice
DescriptionHPC centers face increasing demand for software flexibility, and there is growing consensus that Linux containers are a promising solution. However, existing container build solutions require root privileges and cannot be used directly on HPC resources. This limitation is compounded as supercomputer diversity expands and HPC architectures become more dissimilar from commodity computing resources. Our analysis suggests this problem can best be solved with low-privilege containers. We detail relevant Linux kernel features, propose a new taxonomy of container privilege, and compare two open-source implementations: mostly-unprivileged rootless Podman and fully-unprivileged Charliecloud. We demonstrate that low-privilege container build on HPC resources works now and will continue to improve, giving normal users a better workflow to securely and correctly build containers. Minimizing privilege in this way can improve HPC user and developer productivity as well as reduce support workload for exascale applications.
Event Type
Paper
TimeTue, 16 Nov4pm - 4:30pm CST
Location220-221
Tags
State of the Practice
Registration Categories
TP
Reproducibility Badges
Download PDF
Archive view
Next PresentationNext Presentation
Systematically Inferring I/O Performance Variability by Examining Repetitive Job Behavior
Authors
Reid Priedhorsky
Los Alamos National Laboratory
R. Shane Canon
National Energy Research Scientific Computing Center (NERSC)
Lawrence Berkeley National Laboratory (LBNL)
Timothy Randles
Los Alamos National Laboratory
Andrew J. Younge
Sandia National Laboratories