A wrapper for secure running of Docker containers on Slurm implement in Golang. Inspired by the paper Enabling Docker Containers for High-Performance and Many-Task Computing and socker.
Socker is secure for enabling unprivileged users to run Docker containers. It mainly does two things:
- It enforces running containers within as the user not as root
- When it is called inside a Slurm job, it enforces the inclusion of containers in the cgroups assigned by Slurm to the parent jobs
- CentOS/Redhat and Debian have been tested
- Docker 18.06+
- You MUST have a group docker and a user dockerroot who is member of ONLY the docker group. The docker run command will be executed as dockerroot.
- You SHOULD enable Linux namespaces and Docker
userns-remapfeature to makesockersafer. Read the Docker document to know more aboutuserns-remapplease. - Golang 1.6+(For development ONLY)
To add the dockerroot user to docker group:
usermod -aG docker dockerroot- Slurm is not a prerequisite, but if you run socker inside a Slurm job, it will put the container under Slurm's control.
libcgroup-toolsshould be installed for cgroup limit set.
make sure you have installed go then:
make installYou should run command to sync Docker images to socker, simple usage:
socker images sync- Docker filter: use
--filteror-fflag to specify filter to sync Docker filtered images,read the document to know more - Repository filter: use
--repoor-rflag to specify repo filter to sync the images which contain specific keyword
## Example
## sync harbor.hpc.com/* images.
socker images sync --repo "harbor.hpc.com"
## sync docker filtered images.
socker images sync --filter "reference=ubuntu*"Or define your images config in /var/lib/socker/images.yaml file manually before using socker images command.
If you want to delete containers after Slurm job terminated, you should use the epilog.sh script in scripts directory as Slurm epilog script.
Use socker just like docker, for example:
socker run -it ubuntu bashRun socker --help to know more:
NAME:
socker - Secure runner for Docker containers
USAGE:
socker [global options] command [command options] [arguments...]
VERSION:
0.1.0
COMMANDS:
images List images that defined in image.yaml file or sync images from Docker to socker.
run run a container from IMAGE executing COMMAND as regular user
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--verbose run in verbose mode
--epilog run with Slurm epilog enabled
--help, -h show help
--version, -v print the versionSocker should work with Docker daemon which userns-remap feature has enbaled.
The best way to prevent privilege-escalation attacks from within a container is to configure your container’s applications to run as unprivileged users, For containers whose processes must run as the root user within the container, you can re-map this user to a less-privileged user on the Docker host.
socker will default mount a swap directory($HOME/container) to container, the root user of container can write data into this safe directory with userns-remap specified user's permission.
You can also use socker with Docker daemon without userns-remap, but this is dangerous. Safe or convenient, you can only choose one of them at present.
