Abstract
Virtualization at the operating system level using container technologies incurs less performance overhead than Type-1 hypervisors in HPC, and it also opens up many possibilities to significantly improve the flexibility that such installations are frequently required to offer. This paper discusses technologies and concepts on several layers that can be applied to securely integrate container-based virtualization in a multitenant HPC environment, where both security and high performance are required.
Notes
1. Docker - https://www.docker.com/.
2. Linux Containers - https://linuxcontainers.org/.
3. Rkt - https://coreos.com/rkt/.
4. GPU-Enabled Docker Container - http://www.nvidia.com/object/docker-container.html.
5. Docker Hub - https://hub.docker.com/.
6. Quay - https://quay.io/.
7. Notary - https://github.com/docker/notary.
8. The Update Framework - https://theupdateframework.github.io/.
9. Clair - https://github.com/coreos/clair.
10. Common Vulnerabilities and Exposures - http://cve.mitre.org/.
11. Docker Security Scanning safeguards the container content lifecycle - https://blog.docker.com/2016/05/docker-security-scanning/.
12. CoreOS Introduces Clair: Open Source Vulnerability Analysis for your Containers - https://coreos.com/blog/vulnerability-analysis-for-containers/.
13. Resource Management with Linux Control Groups in HPC Clusters - http://slurm.schedmd.com/pdfs/LCS_cgroups_BULL.pdf.
14. Grsecurity - https://grsecurity.net.
15. PaX - https://pax.grsecurity.net.
16. Tuning Docker with the newest security enhancements - https://opensource.com/business/15/3/docker-security-tuning.
17.
18. OpenSCAP - https://www.open-scap.org.
19. Container-Compliance - https://github.com/OpenSCAP/container-compliance.
20. Docker-Bench-Security - https://github.com/docker/docker-bench-security.
21. Alternative: Actuary - https://github.com/diogomonica/actuary.
22.
23. Fork bomb prevention - https://github.com/docker/docker/issues/6479.
© 2016 Springer International Publishing AG
Cite this paper
Gantikow, H., Reich, C., Knahl, M., Clarke, N. (2016). Providing Security in Container-Based HPC Runtime Environments. In: Taufer, M., Mohr, B., Kunkel, J. (eds) High Performance Computing. ISC High Performance 2016. Lecture Notes in Computer Science(), vol 9945. Springer, Cham. https://doi.org/10.1007/978-3-319-46079-6_48
DOI: https://doi.org/10.1007/978-3-319-46079-6_48
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46078-9
Online ISBN: 978-3-319-46079-6
eBook Packages: Computer Science (R0)