HPC centers face increasing demand for software flexibility, and there is growing consensus that Linux containers are a promising solution. However, existing container build solutions require root privileges and cannot be used directly on HPC resources. This limitation is compounded as supercomputer diversity expands and HPC architectures become more dissimilar from commodity computing resources. Our analysis suggests this problem can best be solved with low-privilege containers. We detail relevant Linux kernel features, propose a new taxonomy of container privilege, and compare two open-source implementations: mostly-unprivileged rootless Podman and fully-unprivileged Charliecloud. We demonstrate that low-privilege container build on HPC resources works now and will continue to improve, giving normal users a better workflow to securely and correctly build containers. Minimizing privilege in this way can improve HPC user and developer productivity as well as reduce support workload for exascale applications.