Zero-consistency root emulation for unprivileged container image build
Reid Priedhorsky (1), Michael Jennings (1), Megan Phinney ((1) Los, Alamos National Laboratory)
TL;DR
This paper introduces a seccomp-based root emulation mode that intercepts privileged system calls during container image building, enabling fully-unprivileged workflows for HPC applications without requiring privileged operations.
Contribution
The authors present a novel seccomp filter approach that emulates root privileges during container build processes, simplifying unprivileged container workflows for HPC applications.
Findings
Successfully builds Dockerfiles without privileged operations
Simplifies container workflows for HPC applications
No consistency guarantees but sufficient for practical use
Abstract
Do Linux distribution package managers need the privileged operations they request to actually happen? Apparently not, at least for building container images for HPC applications. We use this observation to implement a root emulation mode using a Linux seccomp filter that intercepts some privileged system calls, does nothing, and returns success to the calling program. This approach provides no consistency whatsoever but appears sufficient to build all Dockerfiles we examined, simplifying fully-unprivileged workflows needed for HPC application containers.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsDistributed and Parallel Computing Systems · Parallel Computing and Optimization Techniques · Simulation Techniques and Applications