2.7 OS-level Virtualization (Container) Policies

  • Containers can only be run under user permissions
    • Launching containers as root, or using container solutions that have root-like capabilities, is not allowed.
    • CHPC provides and periodically updates a list of recommended and acceptable user space container runtimes at its Container-based Virtualization help page.
    • Some acceptable container runtimes may allow being root inside of the container. While this is allowed (root in a container is still an unprivileged user to the outside system), it is strongly discouraged because it is a major privilege escalation vector in case there is a vulnerability in the container runtime. The main reason why containers are used in HPC - support of complex software stacks - does not require the container to be run as root. If a user has a container that requires root or sudo inside, CHPC should be notified to examine whether a fully user-based solution is possible.
    • Users are allowed to either copy in their own containers they built elsewhere, or use containers from public repositories (e.g. DockerHub).
    • CHPC reserves the right to turn off access to a container runtime in case a security vulnerability is discovered. If this happens, we will notify users via the standard communication channels (mailing list, webpage).
    • These restrictions apply in both the General and the Protected Environment.
  • Containers cannot be built on general CHPC infrastructure
    • Building a container requires root permissions, which is a major risk for critical infrastructure. Therefore it is not possible to build containers on CHPC general or PE machines.
    • Users are encouraged to build containers on their personal machines or on container repositories, with instructions provided at our Building Singularity containers locally help page.
    • In case building a container on a personal machine is not possible or practical, CHPC may allow access to a special machine designed for building containers. The utility of this approach will be evaluated on a case-by-case basis.
Last Updated: 4/9/19