On Sunday, 31 May 2015, at 17:27:44 (-0700),
Christopher Samuel wrote:

> Sorry for being absent for a while after starting this thread, pressures
> of work.
> 
> Michael hit the nail on the head for me there.
> 
> The security side of things is an issue, though I'm not sure how much
> the fact that the program is running in a separate UID namespace helps,
> presumably if you've got to give it HPC filesystem access then the
> answer is probably "not at all".
> 
> One of my concerns has always been that as these images age without
> updates then their exposure to known security bugs increases.
> 
> That seems to be borne out by this recent survey:
> 
> http://www.banyanops.com/blog/analyzing-docker-hub/
> 
> # Over 30% of Official Images in Docker Hub Contain High Priority
> # Security Vulnerabilities
> #
> # [...] Surprisingly, we found that more than 30% of images in
> # official repositories are highly susceptible to a variety of
> # security attacks (e.g., Shellshock, Heartbleed, Poodle, etc.).
> # For general images – images pushed by docker users, but not
> # explicitly verified by any authority – this number jumps up
> # to ~40% with a sampling error bound of 3%. [...]
> 
> If anything that puts me off liking them even more. :-(

One option we've considered is insisting that users provide us with
their Dockerfiles which we would then audit, build, and manage
ourselves.  Then users would be allowed to run only in containers
based on curated images.  Could potentially make for a management
nightmare, but solves a lot of security considerations by sheer
avoidance.

My team had a very (!!) productive and interesting discussion yesterday
with some folks who have succeeded in integrating Docker and SLURM to
the point that users can specify Docker repositories in which they
want SLURM to run their jobs, and SLURM will do so.  I'm not sure how
much I'm at liberty to say at this point, but my understanding is that
they have submitted an abstract for SUG15.  So stay tuned!  :-)

Michael

-- 
Michael Jennings <[email protected]>
Linux Systems and Cluster Engineer
High-Performance Computing Services
Lawrence Berkeley National Laboratory
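The Dockerfile audit that Michael's message sketches, as an added example that is not from either correspondent or from any project they mention: a small Python policy check run over a constructed sample Dockerfile, plus an image-age test for the "images age without updates" concern. The rules it enforces (digest-pinned base image, apt-get update in the same RUN step as install, no ADD from a URL, an explicit USER, and a 30-day rebuild window) are my assumptions about what a curated-image policy would check; the thread does not specify any of them.

```python
import re
from datetime import date, timedelta

# Constructed sample Dockerfile, as a user might submit it for review.
# It is not taken from the thread and deliberately trips every rule.
SAMPLE_DOCKERFILE = """\
# user-submitted build recipe
FROM ubuntu:latest
RUN apt-get install -y python3 \\
    && rm -rf /var/lib/apt/lists/*
ADD http://example.invalid/tool.tar.gz /opt/
CMD ["python3", "/opt/run.py"]
"""


def parse_instructions(text):
    """Yield (INSTRUCTION, argument) pairs; backslash continuations are joined first."""
    joined = re.sub(r"\\\n", " ", text)
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")


def audit_dockerfile(text):
    """Return a list of policy findings (assumed curated-image rules) for a Dockerfile."""
    findings = []
    has_user = False
    for instr, arg in parse_instructions(text):
        if instr == "FROM":
            image = arg.split()[0]            # drop "AS stage" if present
            if "@sha256:" in image:
                continue                      # digest-pinned: rebuilds are reproducible
            last = image.rsplit("/", 1)[-1]   # strip registry/namespace before looking for a tag
            tag = last.split(":", 1)[1] if ":" in last else "latest"
            if tag == "latest":
                findings.append(f"FROM {image}: floating tag; pin a digest or version tag")
            else:
                findings.append(f"FROM {image}: tag pinned but no digest; rebuilds may drift")
        elif instr == "RUN":
            # Installing from a cached package list pulls whatever was indexed at
            # base-image build time, not the current security updates.
            if re.search(r"apt-get\s+(?:-\S+\s+)*install", arg) and "apt-get update" not in arg:
                findings.append("RUN apt-get install without apt-get update in the same step: stale package lists")
        elif instr == "ADD":
            if re.match(r"https?://", arg):
                findings.append(f"ADD from URL ({arg.split()[0]}): unverified remote fetch; vendor the artifact and COPY it")
        elif instr == "USER":
            has_user = True
    if not has_user:
        findings.append("no USER instruction: processes run as root inside the container")
    return findings


def needs_rebuild(built_on, today, max_age_days=30):
    """True once an image is older than the (assumed) window after which its packages are presumed stale."""
    return today - built_on > timedelta(days=max_age_days)


if __name__ == "__main__":
    for finding in audit_dockerfile(SAMPLE_DOCKERFILE):
        print("FINDING:", finding)
    # Constructed dates: an image built two months before the thread's date.
    print("rebuild needed:", needs_rebuild(date(2015, 4, 1), date(2015, 5, 31)))
```

The check is intentionally a gate on the Dockerfile text only; a site running this as its intake step would still rebuild the image itself from the audited recipe and track the build date so that `needs_rebuild` can drive periodic rebuilds rather than leaving a user-pushed image to age.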
