Is there a "multi-user" Docker mode, for example, for science clusters?

I want to use Docker to highlight scientific applications for use in an HPC Unix cluster. Scientific software often has exotic dependencies, so isolating them with Docker seems like a good idea. Programs should run as jobs, not as services.

I want multiple users to use Docker, and users must be isolated from each other. Is it possible?

I performed a local installation of Docker and had two users in the docker group. The docker images call showed the same results for both users.

In addition, tasks must be run under the UID of the calling user, and not with root privileges.

Is such a setting possible? Has this been done before? Is it documented anywhere?

+7
docker
5 answers

Well, I think there will be more and more solutions for this. In the future I will try to update the following list:

  • udocker to execute Docker containers as users
  • Singularity (Kudos to Filo) is another Linux-based solution.
+1

Don't forget DinD (Docker in Docker): jpetazzo/dind

You can allocate one Docker for each user, and in one of these docker containers the user can run the task in the docker container.

+3

I am also interested in this feature with Docker, for the same reasons. There are several issues that I can think of:

  • Docker Daemon works as root, providing someone in the docker group with effective host permissions (for example, leak permissions to set the host / dir as root).
  • Isolate multiple users as indicated
  • Not sure how well it will play with any existing load balancers?

I came across Shifter, which might be worth a look and partially solves #1: http://www.nersc.gov/research-and-development/user-defined-images/

I also know that there is a discussion about using kernel user namespaces to provide a display container: root -> host: a non-privileged user, but I'm not sure if this happens or not.

+1
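
Added example (not part of the original answers): a Python check for the two concerns raised in this thread, namely that every member of the docker group talks to the same daemon and so sees the same images, and that the daemon runs as root unless container root is remapped. The group file and daemon.json contents are constructed samples, the function names are hypothetical, and `userns-remap` is the daemon.json key for user-namespace remapping.

```python
import json

# Constructed sample inputs (not from the original page).
SAMPLE_GROUP = """\
root:x:0:
docker:x:998:alice,bob
hpcusers:x:1001:alice,bob,carol
"""
SAMPLE_DAEMON_JSON = '{"storage-driver": "overlay2"}'
SAMPLE_DAEMON_JSON_REMAP = '{"userns-remap": "default"}'


def docker_group_members(group_text, group_name="docker"):
    """Return the users listed for group_name in /etc/group-format text."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        # /etc/group format: name:password:gid:comma-separated members
        if len(fields) == 4 and fields[0] == group_name:
            return sorted(u for u in fields[3].split(",") if u)
    return []


def userns_remap_enabled(daemon_json_text):
    """True if daemon.json sets userns-remap to a non-empty value."""
    try:
        cfg = json.loads(daemon_json_text or "{}")
    except json.JSONDecodeError:
        return False  # unreadable config: treat as not remapped
    return isinstance(cfg, dict) and bool(cfg.get("userns-remap"))


def audit(group_text, daemon_json_text):
    """Summarise the multi-user exposure of one shared Docker daemon."""
    members = docker_group_members(group_text)
    remap = userns_remap_enabled(daemon_json_text)
    findings = []
    if len(members) > 1:
        findings.append("shared daemon: %s see the same images and containers"
                        % ", ".join(members))
    if members and not remap:
        findings.append("container root is host root for: " + ", ".join(members))
    return {"members": members, "userns_remap": remap, "findings": findings}


if __name__ == "__main__":
    for text in (SAMPLE_DAEMON_JSON, SAMPLE_DAEMON_JSON_REMAP):
        print(audit(SAMPLE_GROUP, text))
```

The check only reports group membership and the remap setting; it does not claim that remapping alone isolates users from each other.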

Yes there is! It was called Singularity, and it was developed using scientific applications and multi-user HPC. More details at http://singularity.lbl.gov/

+1

There is an officially supported Docker image that allows you to run Docker in Docker (dind), available here: https://hub.docker.com/_/docker/ . Thus, each user can have their own Docker daemon. First, run the daemon instance:

 docker run --privileged --name some-docker -d docker:stable-dind

Note that the --privileged flag is --privileged . Then connect to this instance from the second container:

 docker run --rm --link some-docker:docker docker:edge version 
0