
2.7 OS-level Virtualization (Container) Policies

  • Containers can only be run under unprivileged user permissions
    • Launching containers as root, or using container solutions that run with root-like capabilities on the host, is not allowed.
    • CHPC provides and periodically updates a list of recommended and acceptable user-space container runtimes on its Container-based Virtualization help page.
    • Some acceptable container runtimes allow the user to be root inside the container. While this is permitted (root inside a container is still an ordinary user to the host system), it is strongly discouraged, because it becomes a major privilege escalation vector if there is a vulnerability in the container runtime. The main reason containers are used in HPC, support for complex software stacks, does not require the container to run as root. If a user has a container that requires root or sudo inside, CHPC should be notified to examine whether a fully user-based solution is possible.
    • Users are allowed either to copy in containers they built elsewhere or to use containers from public repositories (e.g. DockerHub).
    • CHPC reserves the right to turn off access to a container runtime if a security vulnerability is discovered. If this happens, users will be notified via the standard communication channels (mailing list, web page).
    • These restrictions apply in both the General and the Protected Environment.
  • Containers can be built under unprivileged user permissions
    • Apptainer and Charliecloud can build containers in rootless mode. This covers both pulling existing containers from public repositories and building containers from definition files.
    • Because building large containers is resource intensive, it is recommended to build them inside a batch job that requests appropriate resources (mainly memory; it is not uncommon to need 32 GB or 64 GB of RAM).
    • It is the user's responsibility to ensure that the containers they build use up-to-date, currently maintained software, contain no malicious software, and are regularly updated to address security vulnerabilities.
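The following is an added example, not CHPC's own code or a script from the Apptainer project, of the recommended workflow above: an unprivileged build run inside a Slurm batch job, preceded by a small check that the definition file does not expect the container to be root at run time (the escalation the run-as-root restriction above is meant to avoid). The definition contents (a Python/numpy stack), the file names, and the 64 GB / 2 hour resource request are constructed for illustration; adjust them to your own image. The only runtime commands it relies on are `apptainer build` and `apptainer inspect --deffile`.

```shell
#!/bin/sh
# Added example (not CHPC's own code): build an Apptainer image as an
# unprivileged user inside a Slurm batch job, and lint the definition file
# for run-time root use before submitting. Definition contents, resource
# sizes and file names are constructed for illustration.

# write_definition DEF: write a constructed definition file. Commands in %post
# run as a (user-namespace) root only while the image is being built; nothing
# here needs root once the container runs.
write_definition() {
    cat > "$1" <<'EOF'
Bootstrap: docker
From: python:3.12-slim
%post
    pip install --no-cache-dir numpy==2.1.0
%runscript
    exec python "$@"
EOF
}

# check_runtime_root DEF: return 0 if the %runscript/%startscript sections are
# free of sudo/su, 1 if the container expects to escalate at run time, which
# the policy above does not allow.
check_runtime_root() {
    awk '
        /^%/ { insec = ($1 == "%runscript" || $1 == "%startscript"); next }
        insec && /(^|[ \t])(sudo|su)([ \t]|$)/ { found = 1 }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# write_build_job JOB DEF SIF: write a Slurm batch script that requests enough
# memory for the build and runs `apptainer build` with no --fakeroot and no
# sudo (Apptainer 1.1 and later build unprivileged by default).
write_build_job() {
    cat > "$1" <<EOF
#!/bin/sh
#SBATCH --job-name=apptainer-build
#SBATCH --ntasks=1
#SBATCH --cpus-per-task=4
#SBATCH --mem=64G
#SBATCH --time=02:00:00
set -e
apptainer build "$3" "$2"
# Record which definition went into the image, for later audits and rebuilds.
apptainer inspect --deffile "$3"
EOF
}

# Stand-alone run: create the files in a scratch directory and lint the definition.
workdir=$(mktemp -d)
write_definition "$workdir/stack.def"
write_build_job "$workdir/build.slurm" "$workdir/stack.def" "$workdir/stack.sif"
if check_runtime_root "$workdir/stack.def"; then
    echo "definition ok; submit with: sbatch $workdir/build.slurm"
else
    echo "definition expects root at run time; contact CHPC before building" >&2
fi
```

The lint only catches the obvious case (sudo or su invoked from the run or start script); a container that needs root for other reasons, such as binding a privileged port, will still fail at run time, and that is the point at which to contact CHPC rather than reach for a privileged runtime.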
Last Updated: 5/16/25