Containers can only be run under unprivileged user permissions
Launching containers as root, or using container solutions that have root-like capabilities,
is not allowed.
CHPC provides and periodically updates a list of recommended and acceptable user space
container runtimes at its Container-based Virtualization help page.
Some acceptable container runtimes may allow the user to be root inside of the container. While
this is allowed (root in a container is still a regular user to the outside system), it
is strongly discouraged, because it is a major privilege escalation vector in case
there is a vulnerability in the container runtime. The main reason why containers
are used in HPC - support of complex software stacks - does not require the container
to be run as root. If a user has a container that requires root or sudo inside,
CHPC should be notified to examine whether a fully user-based solution is possible.
Users are allowed to either copy in their own containers they built elsewhere, or
use containers from public repositories (e.g. DockerHub).
CHPC reserves the right to turn off access to a container runtime in case a security
vulnerability is discovered. If this happens, we will notify users via the standard
communication channels (mailing list, webpage).
These restrictions are valid in both the General and the Protected Environment.
Containers can be built under unprivileged user permissions
Apptainer and Charliecloud are able to build containers in rootless mode. This includes both pulling existing
containers from public repositories and building containers from definition files.
As building large containers is resource intensive, it is recommended to build them
inside of a batch job which asks for appropriate resources (mainly memory - it is
not uncommon to need 32 GB or 64 GB of RAM).
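As an added illustration of the recommended workflow (example code, not from CHPC's documentation), the two helper functions below write a small Apptainer definition file and a batch script that builds it rootless, requesting 64 GB of memory. It assumes the cluster uses Slurm and that the apptainer command is on the path; the image contents are a constructed sample.

```shell
#!/bin/bash
# Added example, not CHPC's own code. Assumes Slurm (sbatch) and Apptainer are installed.

# Write a minimal Apptainer definition file (constructed sample).
# Refreshing packages in %post keeps the image current, as the policy asks of users.
write_definition() {
    cat > "$1" <<'EOF'
Bootstrap: docker
From: ubuntu:22.04

%post
    # Apply current package updates at build time; no root on the host is involved.
    apt-get update && apt-get -y upgrade
    apt-get -y install --no-install-recommends python3
    rm -rf /var/lib/apt/lists/*

%runscript
    exec python3 "$@"
EOF
}

# Write the batch script that performs the build with enough memory for the job.
# The build runs entirely as the submitting user: no sudo, no privileged daemon.
write_build_job() {
    cat > "$1" <<'EOF'
#!/bin/bash
#SBATCH --job-name=apptainer-build
#SBATCH --ntasks=1
#SBATCH --mem=64G
#SBATCH --time=02:00:00

set -euo pipefail
apptainer build python.sif python.def
# The container runs as the same unprivileged user that submitted the job.
apptainer exec python.sif id -un
EOF
}

# Usage: write_definition python.def; write_build_job build.sbatch; sbatch build.sbatch
```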
It is the user's responsibility to ensure that the containers they build are using
up-to-date, currently maintained software, don't contain any malicious software, and
are regularly updated to address any security vulnerabilities.