Every IE or the underlying Docker container can be different and this
has implications for security.
Assuming that every user is root inside Docker, and you can break
out of Docker, this is the attack surface.

To make it more clear, the IEs are as dangerous as Docker is, or the
Docker container. We are running IEs on a separate node, inside of a
VM. So all containers are started in these VMs. If anyone can break out
of his/her IE, he/she is still in the VM and cannot do much.

Another concern might be huge computational load, or huge files that
are created and spamming your network and hard disks. IEs are currently not
scheduled through the Galaxy job scheduler, so they can consume whatever
resources they need. This can be changed by configuring the Docker
daemon accordingly. The Galaxy team has plans to schedule IEs and make
them even workflow aware afaik. Time will tell, contributions welcome! :)

Hope this helps,
On 03.01.2017 at 13:33, Tamir,Ido wrote:
> what are the security implications of GIE?
> I saw the overview on the GIE page,
> but it's not clear to me how dangerous they are.
> "They have complex interactions with numerous services, you'll need to be a
> fairly competent SysAdmin to debug all of the possible problems that can
> occur during deployment"
> Is it possible to describe what the docker container has access to
> and what could possibly go wrong?
> thank you very much,
> Please keep all replies on the list by using "reply all"
> in your mail client. To manage your subscriptions to this
> and other Galaxy lists, please use the interface at:
> To search Galaxy mailing lists use the unified search at:
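The points raised in the reply above (root inside the container, no resource scheduling, what the container can reach) can be checked on the Docker host from `docker inspect` output. The following is an added example, not part of the original thread or Galaxy's own code; the container names, the host path and the sample records are constructed.

```python
import json

# Constructed sample shaped like `docker inspect` output; names and values are made up.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/gie-jupyter-example",
   "Config": {"User": ""},
   "HostConfig": {"Privileged": false, "Memory": 0, "NanoCpus": 0, "CpuQuota": 0,
                  "PidsLimit": null, "Binds": ["/srv/galaxy-example/tmp:/import:rw"]}},
  {"Name": "/gie-rstudio-example",
   "Config": {"User": "1000:1000"},
   "HostConfig": {"Privileged": false, "Memory": 4294967296, "NanoCpus": 2000000000,
                  "CpuQuota": 0, "PidsLimit": 512, "Binds": null}}
]
""")


def audit_container(c):
    """Return a list of findings for one `docker inspect` record."""
    cfg, host = c.get("Config") or {}, c.get("HostConfig") or {}
    findings = []
    # An empty Config.User means the process runs as uid 0 in the container.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs as root inside the container")
    if host.get("Privileged"):
        findings.append("privileged mode")
    # 0 (or missing) means "unlimited" for these HostConfig fields.
    if not host.get("Memory"):
        findings.append("no memory limit")
    if not host.get("NanoCpus") and not host.get("CpuQuota"):
        findings.append("no CPU limit")
    pids = host.get("PidsLimit")
    if pids is None or pids <= 0:
        findings.append("no pids limit")
    # Binds entries are "source:destination[:options]"; writable unless "ro".
    for bind in host.get("Binds") or []:
        parts = bind.split(":")
        if len(parts) < 3 or "ro" not in parts[2].split(","):
            findings.append(f"writable bind or volume: {parts[0]}")
    return findings


def audit(records):
    """Map container name -> findings for a list of inspect records."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c) for c in records}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "->", "; ".join(findings) or "no findings")
```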