Re: User-installable Debian packages?
- To: debian-devel@lists.debian.org
- Subject: Re: User-installable Debian packages?
- From: Florian Weimer <fw@deneb.enyo.de>
- Date: Thu, 03 Aug 2017 22:41:10 +0200
- Message-id: <[🔎] 87ini4wfix.fsf@mid.deneb.enyo.de>
- In-reply-to: <1383f3b1-5401-cc77-018a-b24dc154cac1@gmx.de> ("Steffen \=\?iso-8859-1\?Q\?M\=F6ller\=22's\?\= message of "Sat, 29 Jul 2017 17:26:17 +0200")
- References: <b6683708-9b2b-289d-6686-82fcf7bbbeff@gmx.de> <20170722120006.hmu2uiwnld4onk75@perpetual.pseudorandom.co.uk> <874lu0u91w.fsf@mid.deneb.enyo.de> <1383f3b1-5401-cc77-018a-b24dc154cac1@gmx.de>
* Steffen Möller:
> The HPC community does not want to need root privileges to get their
> software installed/used on the HPC setup. This excludes regular
> Debian packages, traditional containers like Docker and chroot
> environments.
So they would rather give the user full file system access on an
unprotected host, with a shared /tmp and /proc, limited control over
resource utilization, at least a few SUID programs, and the ability to
become root once you have obtained the password from someone?
Under the alternative model, users do not get any access whatsoever to
the actual host, are always confined to containers, and do not have
root rights in the container, either. True, the container setup
requires elevated privileges, but this is tightly controlled by the
container management engine. It's not something the user would run
after logging into the host over SSH.
For shared computing resources, the container model seems vastly
superior to user-based separation. I'd be concerned about the
overhead, but I really don't understand the objection that this
requires root privileges when those privileges can be tightly
controlled.
(I'm not saying that Docker, OpenShift & Co. are suitable for HPC
environments. They probably are not, but Linux namespaces & cgroups
seem quite appropriate for such environments.)
Reply to: