Is there a “multi-user” Docker mode, e.g. for scientific clusters?

盖世英雄少女心 2021-02-06 03:24

I want to use Docker for isolating scientific applications for use in an HPC Unix cluster. Scientific software often has exotic dependencies so isolating them with Docker app

5 Answers
  • 2021-02-06 03:51

    Don't forget about DinD (Docker in Docker): jpetazzo/dind

    You could dedicate one Docker per user, and within one of those docker containers, the user could launch a job in a docker container.

  • 2021-02-06 03:53

    Yes, there is! It's called Singularity and it was designed for scientific applications and multi-user HPCs. More at http://singularity.lbl.gov/

  • 2021-02-06 04:07

    There is an officially supported Docker image that allows one to run Docker in Docker (dind), available here: https://hub.docker.com/_/docker/. This way, each user can have their own Docker daemon. First, start the daemon instance:

    docker run --privileged --name some-docker -d docker:stable-dind
    

    Note that the --privileged flag is required. Next, connect to that instance from a second container:

    docker run --rm --link some-docker:docker docker:edge version
    
  • 2021-02-06 04:13

    OK, I think more and more solutions will pop up for this. I'll try to update the following list in the future:

    • udocker for executing Docker containers as users
    • Singularity (Kudos to Filo) is another Linux container based solution
  • 2021-02-06 04:15

    I'm also interested in this possibility with Docker, for similar reasons. There are a few problems I can think of:

    1. The Docker Daemon runs as root, providing anyone in the docker group with effective host root permissions (e.g. leak permissions by mounting host / dir as root).
    2. Multi user Isolation as mentioned
    3. Not sure how well this will play with any existing load balancers?

    I came across Shifter, which may be worth a look and partly solves #1: http://www.nersc.gov/research-and-development/user-defined-images/

    Also I know there is discussion to use kernel user namespaces to provide mapping container:root --> host:non-privileged user but I'm not sure if this is happening or not.

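Added example, not part of any answer above: a small host audit for the two points the last answer raises, namely who is in the `docker` group and which host UID container root maps to under the daemon's `userns-remap` setting. The function names and the sample file contents are constructed for illustration; the formats are those of `/etc/group`, `/etc/subuid` and `/etc/docker/daemon.json`.

```python
import json

# Constructed sample inputs in the formats of /etc/group, /etc/subuid and
# /etc/docker/daemon.json; they are not taken from a real host.
SAMPLE_GROUP = "root:x:0:\ndocker:x:998:alice,bob\nhpc:x:1500:alice,bob,carol\n"
SAMPLE_SUBUID = "alice:100000:65536\ndockremap:165536:65536\n"
SAMPLE_DAEMON = '{"userns-remap": "default"}'


def daemon_access(group_text, group="docker"):
    """Users listed as members of `group` in /etc/group-format text."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == group:
            return sorted(u for u in fields[3].split(",") if u)
    return []


def container_root_host_uid(daemon_json, subuid_text):
    """Host UID that container UID 0 maps to (0 when userns-remap is unset)."""
    remap = json.loads(daemon_json or "{}").get("userns-remap")
    if not remap:
        return 0
    # "default" makes dockerd create and use the dockremap account.
    user = "dockremap" if remap == "default" else remap.split(":")[0]
    for line in subuid_text.splitlines():
        name, _, rest = line.strip().partition(":")
        if name == user and rest:
            return int(rest.split(":")[0])
    raise ValueError(f"no /etc/subuid range for {user!r}")


def audit(group_text, daemon_json, subuid_text):
    """Summarise who can drive the daemon and what container root maps to."""
    users = daemon_access(group_text)
    uid = container_root_host_uid(daemon_json, subuid_text)
    findings = []
    if users:  # daemon access is reported whether or not remapping is on
        findings.append("users with daemon access: " + ", ".join(users))
    if uid == 0:
        findings.append("userns-remap unset: container root is host root")
    return {"daemon_users": users, "container_root_host_uid": uid,
            "findings": findings}


if __name__ == "__main__":
    print(audit(SAMPLE_GROUP, SAMPLE_DAEMON, SAMPLE_SUBUID))
    print(audit(SAMPLE_GROUP, "{}", SAMPLE_SUBUID))
```

On a real host, pass the contents of the three files instead of the samples; docker group membership is listed in both cases because remapping changes what container root is on the host, not who may talk to the daemon.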