A wrapper for secure running of Docker containers on Slurm implement in Golang. Inspired by the paper Enabling Docker Containers for High-Performance and Many-Task Computing and socker.
Socker is secure for enabling unprivileged users to run Docker containers. It mainly does two things:
- It enforces running containers within as the user not as root
- When it is called inside a Slurm job, it enforces the inclusion of containers in the cgroups assigned by Slurm to the parent jobs
- CentOS/Redhat and Debian have been tested
- Docker 18.06
- You MUST have a group docker and a user dockerroot who is member of ONLY the docker group. The docker run command will be executed as dockerroot.
- You SHOULD enable Linux namespaces and Docker
userns-remap
feature to makesocker
safer. Read the Docker document to know more aboutuserns-remap
please. - Golang 1.6 (For development ONLY)
To add the dockerroot user to docker group:
usermod -aG docker dockerroot
- Slurm is not a prerequisite, but if you run socker inside a Slurm job, it will put the container under Slurm's control.
libcgroup-tools
should be installed for cgroup limit set.
make sure you have installed go
then:
make install
You should run command to sync Docker
images to socker
, simple usage:
socker images sync
- Docker filter: use
--filter
or-f
flag to specify filter to sync Docker filtered images,read the document to know more - Repository filter: use
--repo
or-r
flag to specify repo filter to sync the images which contain specific keyword
## Example
## sync harbor.hpc.com/* images.
socker images sync --repo "harbor.hpc.com"
## sync docker filtered images.
socker images sync --filter "reference=ubuntu*"
Or define your images config in /var/lib/socker/images.yaml
file manually before using socker images
command.
If you want to delete containers after Slurm job terminated, you should use the epilog.sh
script in scripts directory as Slurm epilog script.
Use socker just like docker, for example:
socker run -it ubuntu bash
Run socker --help to know more:
NAME:
socker - Secure runner for Docker containers
USAGE:
socker [global options] command [command options] [arguments...]
VERSION:
0.1.0
COMMANDS:
images List images that defined in image.yaml file or sync images from Docker to socker.
run run a container from IMAGE executing COMMAND as regular user
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--verbose run in verbose mode
--epilog run with Slurm epilog enabled
--help, -h show help
--version, -v print the version
Socker should work with Docker daemon which userns-remap
feature has enbaled.
The best way to prevent privilege-escalation attacks from within a container is to configure your container’s applications to run as unprivileged users, For containers whose processes must run as the root user within the container, you can re-map this user to a less-privileged user on the Docker host.
socker
will default mount a swap directory($HOME/container
) to container, the root user of container can write data into this safe directory with userns-remap
specified user's permission.
You can also use socker
with Docker daemon without userns-remap
, but this is dangerous. Safe or convenient, you can only choose one of them at present.