Conference Paper

Securing user defined containers for scientific computing

To read the full-text of this research, you can request a copy directly from the authors.

No full-text available

Request Full-text Paper PDF

To read the full-text of this research,
you can request a copy directly from the authors.

... Higgins et al. [32] developed a Docker API proxy that acts as an intermediary between the Docker clients and the actual Docker daemon. To enforce security rules, it manipulates the content of client requests and of the responses to the caller. ...
... As we have seen, several works tried to solve the problem imposed by privileged container execution. Some of them, by modifying Docker or implementing extra measures to make it more secure [4,32,81]. A few others, by proposing novel container technologies to allow the unprivileged execution of containers [9,26,91]. ...
Full-text available
OS-level virtualization (containers) has become a popular alternative to hypervisor-based virtualization. From a system-administration point-of-view, containers enable support for user-defined software stacks, thus freeing users of restrictions imposed by the host’s pre-configured software environment. In high performance computing (HPC), containers inspire special interest due to their potentially low overheads on performance. Moreover, they also bring benefits in portability and scientific reproducibility. Despite the potential advantages, the adoption of containers in HPC has been relatively slow, mainly due to specific requirements of the field. These requirements gave rise to various HPC-focused container implementations. Besides unprivileged container execution, they offer different degrees of automation of system-specific optimizations, which are necessary for optimal performance. When we looked into the scientific literature on containers applied to HPC, we were unable to find an up-to-date overview of the state-of-the-art. For this reason, we developed this extensive survey, including 93 carefully selected works. Overall, based on our survey, we argue that issues related to performance overhead are mostly solved. There is, however, a clear trade-off between performance and portability, since optimal performance often depends on host-specific optimizations. A few works propose solutions to mitigate this issue, but there is still room for improvement. Besides, we found surprisingly few works that deal with portability between dedicated HPC systems and public cloud platforms.
... For the purpose of this work, we concentrated on the scientific computing area, where users often express the wish to independently deploy containerized applications (bring your own environment / user-supplied images). Such scenarios raise demand for additional security mechanisms [3]. In this domain traditional attacks do not necessarily play an important role, a typical problem however is the risk of misuse of resources, for example by using HPC systems to mine crypto currencies [4]. ...
Docker promises the ability to package applications and their dependencies into lightweight containers that move easily between different distros, start up quickly and are isolated from each other.
Conference Paper
Multiple clusters co-existing in a single research campus has become commonplace at many university and government labs, but effectively leveraging those resources is difficult. Intelligently forwarding and spanning jobs across clusters can increase throughput, decrease turnaround time, and improve overall utilization. Dynamic Virtual Clustering (DVC) is a system of virtual machines, deployed in a single or multi-cluster environment, to increase cluster utilization by enabling job forwarding and spanning, flexibly allow software environment changes, and effectively sandbox users and processes from each other and the system. This paper presents both the initial implementation of DVC and performance results from synthetic workloads executed under DVC.
ISC High Performance
  • J Higgins
  • V Holmes
  • C Venters
J. Higgins, V. Holmes, and C. Venters, High Performance Computing: 30th International Conference, ISC High Performance 2015, Frankfurt, Germany, July 12-16, 2015, Proceedings. Springer International Publishing, 2015, ch. Orchestrating Docker Containers in the HPC Environment, pp. 506–513.
Namespaces in operation, part 5: User namespaces
  • M Kerrisk
M. Kerrisk. (2014) Namespaces in operation, part 5: User namespaces. [Online]. Available:
Contain this, unleashing docker for hpc
  • D M Jacobsen
  • R S Canon
D. M. Jacobsen and R. S. Canon, "Contain this, unleashing docker for hpc."
Using docker to support reproducible research
  • R Chamberlain
  • L Invenshure
  • J Schommer
R. Chamberlain, L. Invenshure, and J. Schommer, "Using docker to support reproducible research," 2014. [Online]. Available: http: //