* Steffen Möller: > The HPC community does not want to need root privileges to get their > software installed/used on the HPC setup. This excludes regular > Debian packages, traditional containers like Docker and chroot > environments.
So they would rather give the user full file system access on an unprotected host, with a shared /tmp and /proc, limited control over resource utilization, at least a few SUID programs, and the ability to become root once you have obtained the password from someone? Under the alternative model, users do not get any access whatsoever to the actual host, are always confined to containers, and do not have root rights in the container, either. True, the container setup requires elevated privileges, but this is tightly controlled by the container management engine. It's not something the user would run after logging into the host over SSH. For shared computing resources, the container model seems vastly superior to user-based separation. I'd be concerned about the overhead, but I really don't understand the objection that this requires root privileges when those privileges can be tightly controlled. (I'm not saying that Docker, OpenShift & Co. are suitable for HPC environments. They probably are not, but Linux namespaces & cgroups seem quite appropriate for such environments.)