Hi Alessandra

 

The user in our case wants to make some physics analysis fully reproducible so it can be used at other sites/users. It’s a kind of development work. I think the problem is that once we allow a user to run a random image then we cannot control what they are running inside the docker.

 

At the moment the request is to run on an interactive machine, but I won’t be surprised if someone will be asking to run on the batch system in a few months’ time.

 

Singularity looks like an option if the user is willing to look into it.

 

Thanks

 

Kashif

 

From: Testbed Support for GridPP member institutes On Behalf Of Alessandra Forti
Sent: 24 September 2018 15:25
Subject: Re: Docker on shared interactive machine

 

Sorry... it doesn't. Users can build docker images using the gitlab CI and for some reason I thought they could use them on lxplus.
 

On 24/09/2018 15:11, Alessandra Forti wrote:

PS CERN has docker on lxplus.

On 24/09/2018 15:07, Alessandra Forti wrote:

Hi,

don't higher privileges depend on what the user does in the image? If he does normal application things he doesn't really need higher privileges. i.e. in normal mode they cannot start services but can run their applications and mount directories.

cheers
alessandra
 

On 24/09/2018 14:36, Kashif Mohammad wrote:

 

Hi

 

One of our local users wants to run docker on a shared interactive server. Docker can be run by a normal user, but the user has to be added to the dockerroot group, which has higher privilege. I am tempted to refuse this request as the interactive machine has many mounted file systems etc.

 

But before refusing I thought that I should take a second opinion. Is anyone allowing users to run docker on shared machines, or is there a way to run docker in a more secure manner?

 

Cheers

 

Kashif

 

 


To unsubscribe from the TB-SUPPORT list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=TB-SUPPORT&A=1



-- 
Respect is a rational process. \\//
For Ur-Fascism, disagreement is treason. (U. Eco)

 

