offers performance traditional hypervisor-based VMs cannot offer at the moment.
Since our research focused only on conceptual advantages and single-host performance, and many HPC applications rely on MPI for distributed computing, future testing should be done in this area, taking a look at the performance of the Docker engine in distributed multi-host, multi-container scenarios and with other applications from the HPC field.
From a security standpoint, VMs offer a more secure solution at the moment, but whether containers offer enough security depends on the overall HPC workflow and the security requirements. A cloud provider offering a multi-tenant self-service solution with several customers on one cluster or even one host might want to implement an additional layer of security. In a regular HPC environment this might not be needed, as long as the necessary precautions are taken and users are not allowed to interact with Docker directly to provision potentially malicious containers, but only through middleware such as a job scheduler or parameter-controlled sudo scripts that do careful parameter checking.
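One way to build the parameter-controlled sudo script described above, as an added example that is not code from the paper. The image allowlist, the resource limits, the uid threshold and the function names are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example: the only path from an HPC user to Docker is this sudo-invoked wrapper.
# Image names and limits below are constructed assumptions, not values from the paper.
ALLOWED_IMAGES="registry.example.org/hpc/solver:1.0 registry.example.org/hpc/openmpi:1.8"
MAX_CPUS=16
MAX_MEM_GB=64

# True only for a short, non-empty decimal string without leading zeros.
is_uint() {
  case "$1" in ''|*[!0-9]*|0?*) return 1 ;; esac
  [ "${#1}" -le 6 ]
}

# Print the vetted docker command line, or print a reason on stderr and return 1.
# The body runs in a subshell, so its variables do not leak into the caller.
build_job_cmd() (
  image=$1 cpus=$2 mem_gb=$3 uid=$4 ok=0
  # Image must equal an allowlist entry; users cannot name registries or tags.
  for allowed in $ALLOWED_IMAGES; do
    if [ "$image" = "$allowed" ]; then ok=1; fi
  done
  [ "$ok" -eq 1 ] || { echo "rejected: image not on allowlist" >&2; return 1; }
  # Numeric parameters: digits only, then range-checked against site limits.
  for n in "$cpus" "$mem_gb" "$uid"; do
    is_uint "$n" || { echo "rejected: non-numeric parameter" >&2; return 1; }
  done
  { [ "$cpus" -ge 1 ] && [ "$cpus" -le "$MAX_CPUS" ]; } ||
    { echo "rejected: cpus out of range" >&2; return 1; }
  { [ "$mem_gb" -ge 1 ] && [ "$mem_gb" -le "$MAX_MEM_GB" ]; } ||
    { echo "rejected: memory out of range" >&2; return 1; }
  # Never start a job as root or as a system account.
  [ "$uid" -ge 1000 ] || { echo "rejected: uid below 1000" >&2; return 1; }
  # Hardening flags are fixed here; nothing the user typed is passed through as an option.
  echo "docker run --rm --user $uid --cap-drop=ALL" \
    "--security-opt=no-new-privileges --cpus=$cpus --memory=${mem_gb}g $image"
)

# Entry point when installed as the sudo target: exactly three user arguments,
# and the identity comes from sudo (SUDO_UID), never from the command line.
if [ "$#" -gt 0 ]; then
  [ "$#" -eq 3 ] || { echo "usage: $0 IMAGE CPUS MEM_GB" >&2; exit 1; }
  cmd=$(build_job_cmd "$1" "$2" "$3" "${SUDO_UID:-}") || exit 1
  exec $cmd   # safe to split: every word was validated and contains no whitespace
fi
```

The sudoers entry would grant users this script only, not the `docker` binary or membership in the `docker` group.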
When it comes to patch management, Docker could even provide an advantage over VMs, as the kernel is out of the focus of a container and shared among all hosts, meaning that if a kernel vulnerability is found only the Docker host has to be patched, which might even be done on the fly using tools like Ksplice.
Security of container-based solutions will further increase over time, with lots of development already underway. Linux containers have received a lot of attention recently, and more people utilizing them will lead to closer examination and continuous improvements.