SC23 Proceedings

The International Conference for High Performance Computing, Networking, Storage, and Analysis

New Root Emulation Mode for Charliecloud Using seccomp


Workshop: 5th International Workshop on Containers and New Orchestration Paradigms for Isolated Environments in HPC (CANOPIE-HPC)

Authors: Megan Phinney (Los Alamos National Laboratory (LANL))


Abstract: Charliecloud, LANL’s lightweight unprivileged container implementation, has a new root emulation mode as of version 0.32. We use this to tell programs, usually distro package managers, that they have real root privileges even though they are running as a normal (although containerized) user. Our new mode uses the kernel’s seccomp(2) system call filtering to first construct a BPF program that specifies allowed system calls. It then intercepts certain privileged system calls, does absolutely nothing, and returns success to the program.

The advantages of this new mode are that it is simpler, faster, completely neutral to libc, and mostly neutral to distributions. The disadvantage is that even the most cursory consistency checks will fail, although most programs seem not to do any checks at all. For the few programs that do check (e.g., apt/apt-get), it offers a hook to prevent certain programs from asking for it.

This lightning talk will discuss how this new root emulation mode uses the kernel’s seccomp filter to create a new fully unprivileged container build approach, along with its advantages and disadvantages.
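The mechanism the abstract describes, as an added example that is not Charliecloud's own code: a small C program builds a seccomp BPF filter that lets every system call through except an illustrative subset of privileged ones, which return 0 to the caller without executing, and then shows a non-root process "chowning" a scratch file to root and being told it succeeded while the file is still its own. The syscall subset, the scratch path and the x86_64/aarch64 handling are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifdef __x86_64__
#define ARCH_NR AUDIT_ARCH_X86_64
#else
#define ARCH_NR AUDIT_ARCH_AARCH64  /* assumption: only x86_64 and aarch64 are handled */
#endif
/* Illustrative subset of privileged calls to fake; Charliecloud's real list is longer. */
static const unsigned int fake_calls[] = { SYS_fchown, SYS_fchownat, SYS_setuid, SYS_setgid };
#define N_FAKE (sizeof fake_calls / sizeof fake_calls[0])
/* Wrong arch -> kill; listed calls -> skip the kernel code and return 0; everything else -> allow. */
static int install_fake_root_filter(void) {
    struct sock_filter prog[N_FAKE + 6];
    unsigned short k = 0;
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < N_FAKE; i++)  /* on match, jump over ALLOW to the fake-success return */
        prog[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, fake_calls[i], (unsigned char)(N_FAKE - i), 0);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | 0);  /* errno 0: "it worked" */
    struct sock_fprog fprog = { .len = k, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;  /* required for unprivileged filter installs */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
/* 1: faked success (file still ours); 0: environment refused the demo; -1: filter installed but not effective */
static int demo_fake_chown(void) {
    char path[] = "/tmp/fakeroot-demo-XXXXXX";  /* constructed scratch file */
    int fd = mkstemp(path), rc = 0;
    if (fd < 0) return 0;
    close(fd);
    if (install_fake_root_filter() == 0) {
        struct stat st;  /* fchownat is used so the same syscall is hit on both architectures */
        rc = (fchownat(AT_FDCWD, path, 0, 0, 0) == 0 && stat(path, &st) == 0 && st.st_uid == getuid()) ? 1 : -1;
    }
    unlink(path);
    return rc;
}
int main(void) { printf("demo result: %d\n", demo_fake_chown()); return 0; }
```

A result of 1 is the behaviour the abstract relies on: the package manager's chown "succeeds", and any program that re-checks ownership afterwards is exactly the kind of consistency check the abstract says will fail.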
