HPC centers face increasing demand for software flexibility, and there is growing consensus that Linux containers are a promising solution. However, existing container build solutions require root privileges, so containers cannot be built directly on HPC resources. This limitation is compounded as supercomputer diversity expands and HPC architectures become more dissimilar from commodity computing resources. Our evaluation of available options suggests this problem can best be solved with low-privilege containers. We detail Linux kernel features for varying container privilege and compare two open-source implementations, mostly-unprivileged rootless Podman and fully-unprivileged Charliecloud. Our analysis demonstrates that low-privilege container builds on HPC resources work now and will continue to improve, giving normal users a better workflow to securely and correctly build containers. Minimizing privilege in this way can improve HPC user and developer productivity as well as reduce support workload for exascale applications.
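The abstract distinguishes a mostly-unprivileged build (rootless Podman, whose user namespace maps a subordinate range of host ids with the help of setuid newuidmap/newgidmap) from a fully-unprivileged one (Charliecloud, whose user namespace maps only the caller's own id). The kernel records which kind a process is running under in /proc/self/uid_map. The following is an added example, not code from the paper or from either project: it parses the documented "inside outside count" triples of uid_map and classifies the mapping, so an HPC operator or user can confirm what privilege a build actually ran with. The sample uid_map contents are constructed for illustration.

```python
"""Classify a user-namespace id mapping read from /proc/<pid>/uid_map.

Added example (not Charliecloud or Podman code). It assumes only the documented
uid_map format: one line per range, "inside_start outside_start count".
"""
from typing import List, Tuple

# Constructed sample uid_map contents for three situations.
INIT_NS_MAP = "         0          0 4294967295\n"      # no user namespace at all
SINGLE_ID_MAP = "         0       1000          1\n"    # fully unprivileged: only my own uid
ROOTLESS_MAP = (                                        # subordinate range via newuidmap
    "         0       1000          1\n"
    "         1     100000      65536\n"
)

Row = Tuple[int, int, int]


def parse_uid_map(text: str) -> List[Row]:
    """Parse uid_map/gid_map text into (inside_start, outside_start, count) rows."""
    rows: List[Row] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(p) for p in parts)
        if count <= 0 or inside < 0 or outside < 0:
            raise ValueError(f"invalid range in uid_map line: {line!r}")
        rows.append((inside, outside, count))
    return rows


def classify_mapping(rows: List[Row]) -> str:
    """Return which privilege model the mapping corresponds to.

    initial-namespace : identity mapping of the whole 32-bit id space, i.e. the
                        process is not in a user namespace (a root build).
    single-id         : exactly one id mapped; this is all an unprivileged user
                        can write to uid_map without setuid helpers.
    subordinate-range : more than one id mapped; requires newuidmap/newgidmap
                        (setuid) or CAP_SETUID in the parent namespace.
    """
    if rows == [(0, 0, 4294967295)]:
        return "initial-namespace"
    total = sum(count for _, _, count in rows)
    if total == 1:
        return "single-id"
    return "subordinate-range"


def classify_self() -> str:
    """Classify the calling process using its own /proc/self/uid_map."""
    with open("/proc/self/uid_map", encoding="ascii") as handle:
        return classify_mapping(parse_uid_map(handle.read()))


if __name__ == "__main__":
    for name, text in (("init", INIT_NS_MAP), ("single", SINGLE_ID_MAP),
                       ("rootless", ROOTLESS_MAP)):
        print(f"{name:9s} -> {classify_mapping(parse_uid_map(text))}")
    print(f"this process -> {classify_self()}")
```

Run inside a build (for example as a RUN step) to record which model the build used; a "subordinate-range" result means setuid helpers or extra capabilities were involved somewhere in the chain, which is exactly the difference the abstract draws between the two implementations.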