12

I want to use Docker for isolating scientific applications for the use in a HPC Unix cluster. Scientific software often has exotic dependencies so isolating them with Docker appears to be a good idea. The programs are to be run as jobs and not as services.

I want to have multiple users use Docker and the users should be isolated from each other. Is this possible?

I performed a local Docker installation and had two users in the docker group. The call to docker images showed the same results for both users.

Further, the jobs should be run under the calling users's UID and not as root.

Is such a setup feasible? Has it been done before? Is this documented anywhere?

Luca Gibelli
  • 961
  • 12
  • 19
Manuel
  • 6,461
  • 7
  • 40
  • 54
  • 1
    Intersiting idea, but with only docker I can't see a solution. Have you looked up management tools like http://shipyard-project.com/. Possible you can change there usermangement to make it usable for you. – Rene M. Apr 27 '15 at 11:38
  • Supercomputing clusters often use MPI for distributing the processing load, so I think any containers would have be able to access the MPI socket. Singularity, mentioned below, looks promising. – Codebling Sep 20 '20 at 00:45

5 Answers5

6

Yes there is! It's called Singularity and it was designed with scientific applications and multi user HPCs. More at http://singularity.lbl.gov/

Chris Gorgolewski
  • 601
  • 5
  • 13
6

OK, I think there will be more and more solutions pop up for this. I'll try to update the following list in the future:

  • udocker for executing Docker containers as users
  • Singularity (Kudos to Filo) is another Linux container based solution
Manuel
  • 6,461
  • 7
  • 40
  • 54
4

Don't forget about DinD (Docker in Docker): jpetazzo/dind

You could dedicate one Docker per user, and within one of those docker containers, the user could launch a job in a docker container.

VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250
  • Be aware that a dind container needs to run with --privileged flag, so it will probably be trivial for an attacker to break isolation (e.g. by mounting devices). – Adrian Mouat Apr 27 '15 at 15:41
1

I'm also interested in this possibility with Docker, for similar reasons. There are a few of problems I can think of:

  1. The Docker Daemon runs as root, providing anyone in the docker group with effective host root permissions (e.g. leak permissions by mounting host / dir as root).
  2. Multi user Isolation as mentioned
  3. Not sure how well this will play with any existing load balancers?

I came across Shifter which may be worth a look an partly solves #1: http://www.nersc.gov/research-and-development/user-defined-images/

Also I know there is discussion to use kernel user namespaces to provide mapping container:root --> host:non-privileged user but I'm not sure if this is happening or not.

Amos Folarin
  • 2,059
  • 20
  • 18
  • Seems like user namespaces were dropped from Docker 1.7. Looks like they introduced a security issue due to the introduction of libnetwork, hoping they will land in v1.8 – Amos Folarin Jun 25 '15 at 14:59
1

There is an officially supported Docker image that allows one to run Docker in Docker (dind), available here: https://hub.docker.com/_/docker/. This way, each user can have their own Docker daemon. First, start the daemon instance:

docker run --privileged --name some-docker -d docker:stable-dins

Note that the --privileged flag is required. Next, connect to that instance from a second container:

docker run --rm --link some-docker:docker docker:edge version
Demitri
  • 13,134
  • 4
  • 40
  • 41