Launching containers as root, or using container solutions that have root-like
capabilities, is not allowed.
CHPC provides and periodically updates a list of recommended and acceptable user-space
container runtimes on its Container-based Virtualization help page.
Some acceptable container runtimes may allow the user to be root inside the container. While
this is allowed (root inside such a container is still mapped to an unprivileged user on the
outside system), it is strongly discouraged, because it is a major privilege escalation vector
should a vulnerability exist in the container runtime. The main reason containers are used in
HPC, support for complex software stacks, does not require the container to run as root.
If a user has a container that requires root or sudo inside, CHPC should be notified so that
we can examine whether a fully user-based solution is possible.
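The statement above that "root in a container is still a user to the outside system" can be checked from a shell inside the container: user-space runtimes that offer in-container root do so through a user namespace, and the kernel exposes the mapping in /proc/self/uid_map (each line is "inside-uid outside-uid count"). If in-container uid 0 maps to host uid 0, you really are root on the host; if it maps to your own uid, the "root" is only nominal. The following is an added example, not part of the CHPC page or of any runtime's own tooling; the function names and the sample mappings are constructed for illustration, and the live check assumes a Linux host with a readable /proc/self/uid_map.

```shell
#!/bin/sh
# Added example: classify the in-container root according to /proc/self/uid_map.
# Reads a uid_map on stdin and prints exactly one of:
#   host-root     - in-container uid 0 maps to host uid 0 (real root, dangerous)
#   unprivileged  - in-container uid 0 maps to a non-zero host uid (user namespace)
#   unmapped      - uid 0 is not mapped at all (root cannot exist in this namespace)
classify_uid_map() {
    found=0
    while read -r inside outside count; do
        if [ -z "$inside" ]; then
            continue            # skip blank lines (never present in /proc, harmless here)
        fi
        # Inside uids are non-negative, so uid 0 can only belong to a range starting at 0.
        if [ "$inside" -eq 0 ]; then
            if [ "$outside" -eq 0 ]; then
                printf 'host-root\n'
            else
                printf 'unprivileged\n'
            fi
            found=1
            break
        fi
    done
    if [ "$found" -eq 0 ]; then
        printf 'unmapped\n'
    fi
}

# Convenience wrapper: classify a uid_map given as a string argument.
classify_uid_map_text() {
    printf '%s\n' "$1" | classify_uid_map
}

# Live check for the namespace this shell runs in (hypothetical helper name).
classify_self() {
    if [ -r /proc/self/uid_map ]; then
        classify_uid_map < /proc/self/uid_map
    else
        printf 'unknown\n'   # not Linux, or /proc not mounted
    fi
}

# Constructed sample mappings (what /proc/self/uid_map would contain).
# Identity map: the process is in the initial user namespace, root is real root.
SAMPLE_HOST_ROOT='         0          0 4294967295'
# Rootless/fakeroot style map: uid 0 -> host uid 1001, then a subuid range.
SAMPLE_ROOTLESS="$(printf '%s\n' '0 1001 1' '1 100000 65536')"
# Map that does not cover uid 0 at all.
SAMPLE_NO_ROOT='1 100000 65536'

if [ "${0##*/}" = "uid_map_check.sh" ]; then
    # Stand-alone usage: report on the constructed samples and on this shell.
    printf 'identity map:   %s\n' "$(classify_uid_map_text "$SAMPLE_HOST_ROOT")"
    printf 'rootless map:   %s\n' "$(classify_uid_map_text "$SAMPLE_ROOTLESS")"
    printf 'no-root map:    %s\n' "$(classify_uid_map_text "$SAMPLE_NO_ROOT")"
    printf 'this shell:     %s\n' "$(classify_self)"
fi
```

Run it as uid_map_check.sh from inside a container started with in-container root; "unprivileged" confirms the mapping the policy relies on, while "host-root" means the runtime has handed out real host root and the container should not be used on a shared system. Note that the check only describes the uid mapping: a setuid runtime with a vulnerability can still let a mapped user escalate, which is the risk the policy above refers to.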
Users are allowed either to copy in containers they built elsewhere, or to
use containers from public repositories (e.g. DockerHub).
CHPC reserves the right to turn off access to a container runtime in case a security
vulnerability is discovered. If this happens, we will notify users via the standard
communication channels (mailing list, web page).
These restrictions apply in both the General and the Protected Environment.
Containers cannot be built on general CHPC infrastructure
Building a container requires root (or root-equivalent) permissions, which is a major risk
on critical infrastructure. Therefore it is not possible to build containers on CHPC general
or PE machines.
Users are encouraged to build containers on their personal machines or on container
repository services, following the instructions on our Building Singularity containers locally help page.
In case building a container on a personal machine is not possible or practical, CHPC
may grant access to a special machine designed for building containers. The utility
of this approach will be evaluated on a case-by-case basis.