Securing user defined containers for scientific computing

Joshua Higgins; Violeta Holmes; Colin Venters

doi:10.1109/HPCSim.2016.7568369

Securing user defined containers for scientific computing

Joshua Higgins, Violeta Holmes, Colin Venters

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

8 Citations (Scopus)

Abstract

Linux containers and Docker have gained immense popularity as a lightweight alternative to hypervisor based Virtual Machines (VMs). In the context of High Performance Computing and the scientific community, it is clear that containers can serve many useful purposes from system administration, to improved cluster resource management and as a format for sharing reproducible research. However, when compared to VMs, containers seem to trade isolation for performance and ease of use, which poses unique security challenges. In this paper we review how Docker is being used in science, highlight easy to perform exploits, and evaluate the impact of these on HPC deployments. We also summarise a number of strategies for hardening such a system to reduce the vulnerability of hosting User Defined Containers. Based on these, an original solution to enforce default options and container ownership for nonadministrative users in the HPC use case is presented, in addition to the experience of implementing such a system on a cluster at the University of Huddersfield.

Original language	English
Title of host publication	2016 International Conference on High Performance Computing and Simulation, HPCS 2016
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	449-453
Number of pages	5
ISBN (Electronic)	9781509020881
DOIs	https://doi.org/10.1109/HPCSim.2016.7568369
Publication status	Published - 13 Sep 2016
Event	14th International Conference on High Performance Computing and Simulation - Innsbruck, Austria Duration: 18 Jul 2016 → 22 Jul 2016 Conference number: 14 http://hpcs2016.cisedu.info/ (Link to Conference Website)

Conference

Conference	14th International Conference on High Performance Computing and Simulation
Abbreviated title	HPCS 2016
Country/Territory	Austria
City	Innsbruck
Period	18/07/16 → 22/07/16
Other	The 2016 International Conference on High Performance Computing & Simulation (HPCS 2016) will be held on July 18 - 22, 2016 in Innsbruck, Austria. Under the theme of “HPC and Modeling & Simulation for the 21st Century," HPCS 2016 will focus on a wide range of the state-of-the-art as well as emerging topics pertaining to high performance and large scale computing systems at both the client and backend levels.
Internet address	http://hpcs2016.cisedu.info/ (Link to Conference Website)

Access to Document

10.1109/HPCSim.2016.7568369Licence: Other

http://eprints.hud.ac.uk/id/eprint/29074/Licence: Unspecified

Cite this

@inproceedings{070d36022a0c4954af8c22ae81025eb3,

title = "Securing user defined containers for scientific computing",

abstract = "Linux containers and Docker have gained immense popularity as a lightweight alternative to hypervisor based Virtual Machines (VMs). In the context of High Performance Computing and the scientific community, it is clear that containers can serve many useful purposes from system administration, to improved cluster resource management and as a format for sharing reproducible research. However, when compared to VMs, containers seem to trade isolation for performance and ease of use, which poses unique security challenges. In this paper we review how Docker is being used in science, highlight easy to perform exploits, and evaluate the impact of these on HPC deployments. We also summarise a number of strategies for hardening such a system to reduce the vulnerability of hosting User Defined Containers. Based on these, an original solution to enforce default options and container ownership for nonadministrative users in the HPC use case is presented, in addition to the experience of implementing such a system on a cluster at the University of Huddersfield.",

keywords = "Docker, HPC, security, user defined containers",

author = "Joshua Higgins and Violeta Holmes and Colin Venters",

year = "2016",

month = sep,

day = "13",

doi = "10.1109/HPCSim.2016.7568369",

language = "English",

pages = "449--453",

booktitle = "2016 International Conference on High Performance Computing and Simulation, HPCS 2016",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

address = "United States",

note = "14th International Conference on High Performance Computing and Simulation, HPCS 2016 ; Conference date: 18-07-2016 Through 22-07-2016",

url = "http://hpcs2016.cisedu.info/",

}

Higgins, J, Holmes, V & Venters, C 2016, Securing user defined containers for scientific computing. in 2016 International Conference on High Performance Computing and Simulation, HPCS 2016., 7568369, Institute of Electrical and Electronics Engineers Inc., pp. 449-453, 14th International Conference on High Performance Computing and Simulation, Innsbruck, Austria, 18/07/16. https://doi.org/10.1109/HPCSim.2016.7568369

Securing user defined containers for scientific computing. / Higgins, Joshua; Holmes, Violeta; Venters, Colin.

2016 International Conference on High Performance Computing and Simulation, HPCS 2016. Institute of Electrical and Electronics Engineers Inc., 2016. p. 449-453 7568369.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Securing user defined containers for scientific computing

AU - Higgins, Joshua

AU - Holmes, Violeta

AU - Venters, Colin

N1 - Conference code: 14

PY - 2016/9/13

Y1 - 2016/9/13

N2 - Linux containers and Docker have gained immense popularity as a lightweight alternative to hypervisor based Virtual Machines (VMs). In the context of High Performance Computing and the scientific community, it is clear that containers can serve many useful purposes from system administration, to improved cluster resource management and as a format for sharing reproducible research. However, when compared to VMs, containers seem to trade isolation for performance and ease of use, which poses unique security challenges. In this paper we review how Docker is being used in science, highlight easy to perform exploits, and evaluate the impact of these on HPC deployments. We also summarise a number of strategies for hardening such a system to reduce the vulnerability of hosting User Defined Containers. Based on these, an original solution to enforce default options and container ownership for nonadministrative users in the HPC use case is presented, in addition to the experience of implementing such a system on a cluster at the University of Huddersfield.

AB - Linux containers and Docker have gained immense popularity as a lightweight alternative to hypervisor based Virtual Machines (VMs). In the context of High Performance Computing and the scientific community, it is clear that containers can serve many useful purposes from system administration, to improved cluster resource management and as a format for sharing reproducible research. However, when compared to VMs, containers seem to trade isolation for performance and ease of use, which poses unique security challenges. In this paper we review how Docker is being used in science, highlight easy to perform exploits, and evaluate the impact of these on HPC deployments. We also summarise a number of strategies for hardening such a system to reduce the vulnerability of hosting User Defined Containers. Based on these, an original solution to enforce default options and container ownership for nonadministrative users in the HPC use case is presented, in addition to the experience of implementing such a system on a cluster at the University of Huddersfield.

KW - Docker

KW - HPC

KW - security

KW - user defined containers

UR - http://www.scopus.com/inward/record.url?scp=84991736658&partnerID=8YFLogxK

U2 - 10.1109/HPCSim.2016.7568369

DO - 10.1109/HPCSim.2016.7568369

M3 - Conference contribution

AN - SCOPUS:84991736658

SP - 449

EP - 453

BT - 2016 International Conference on High Performance Computing and Simulation, HPCS 2016

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 14th International Conference on High Performance Computing and Simulation

Y2 - 18 July 2016 through 22 July 2016

ER -

Securing user defined containers for scientific computing

Abstract

Conference

Access to Document

Other files and links

Fingerprint

Cite this