Singularity: the cool container you've never heard of
Update: Singularity has been accepted into the Linux Foundation and renamed Apptainer.
________________________________
Unless you've been in suspended animation, you've heard of Docker, the container technology that has taken the IT world by storm.
If you've been following that movement closely you've probably heard of rkt (an alternative from the CoreOS group), LXC/LXD (an alternative from Canonical, the creators of Ubuntu), and Project Atomic (a Red Hat initiative to address security concerns over Docker).
If you've been around longer, you'll probably remind those youngsters that Solaris zones offered this functionality many years earlier. Fans of (Parallels) Virtuozzo Containers will say the same thing.
With all these options you'd think we could put this topic to rest. Decide on your favorite and move on, right? Well, there may be a need to add one more to the mix: Singularity.
Singularity was born in a very different environment from DevOps shops and web hosting: HPC. High Performance Computing centers have far more hardware and security constraints, because escaping the container to gain root would hand an attacker access to supercomputing power. In this regard, it's probably closest to Solaris zones, which are used in similar work environments. Unlike Solaris, though, which needs to emulate Linux functionality with lx branded zones, Singularity is native Linux. Also, unlike Docker, where the daemon runs as root and anyone who can talk to its socket is effectively root on the host, Singularity has no daemon at all: the singularity command runs as the invoking user, the user inside the container is the same user as outside (so there is no "root inside the container" unless you are already root on the host), and the image is mounted read-only by default. This greatly reduces the security concerns without altogether eliminating them: installations that don't rely on unprivileged user namespaces still use a setuid-root starter binary to set up the container's mounts, and that binary is privileged code on the host that has to be kept patched like any other setuid program. As a bonus, it supports Docker container images (although the integration with Docker Hub is at the mercy of Docker developer whims). As a personal aside, I find their CLI arguments and parameters easier to understand and use than Docker's. If you are keen on security and need to run Linux containers in a more controlled environment, check out Singularity.
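As an added example (not part of the original post, and not code from the Singularity project), here is a small POSIX shell audit of the claims above that you can run on your own host: is there a root daemon socket you can write to, how many setuid binaries does the Singularity install carry, and does the uid seen inside a container equal your uid outside? The Docker socket path, the Singularity libexec directory and the image name `alpine.sif` are assumptions, overridable through environment variables.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Singularity
# project: a small audit of the security model described above, runnable on
# any Linux host. Paths such as /usr/local/libexec/singularity are
# assumptions; adjust them for your installation.

# True when FILE carries the setuid bit (mode 4xxx). A setuid-root starter
# is the privileged surface that remains when Singularity is installed in
# setuid mode rather than relying on unprivileged user namespaces.
is_setuid() {
    [ -u "$1" ]
}

# Count regular files below DIR that carry the setuid bit; prints a number.
count_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

# True when SOCK is a Unix socket the current user can write to. For the
# Docker daemon socket that is root-equivalent access to the host, which is
# exactly the exposure a daemonless runtime avoids.
socket_writable() {
    [ -S "$1" ] && [ -w "$1" ]
}

# Run a command that prints a uid (e.g. `id -u` inside a container) and
# compare it with the caller's uid. With Singularity there is no daemon
# that could hand the caller a different identity, so these must match.
# Returns 0 on match, 1 on mismatch, 2 if the command itself failed.
uids_match() {
    outer=$(id -u)
    inner=$("$@" 2>/dev/null) || return 2
    [ "$outer" = "$inner" ]
}

main() {
    sock=${DOCKER_SOCK:-/var/run/docker.sock}
    if socket_writable "$sock"; then
        echo "WARN: $sock is writable by uid $(id -u): root-equivalent on this host"
    else
        echo "ok:   no writable Docker daemon socket at $sock"
    fi

    libexec=${SINGULARITY_LIBEXEC:-/usr/local/libexec/singularity}
    echo "info: $(count_setuid "$libexec") setuid binaries under $libexec"

    if command -v singularity >/dev/null 2>&1; then
        # Assumed image name; build or pull one first, e.g.
        #   singularity pull alpine.sif docker://alpine:3.18
        img=${SIF_IMAGE:-alpine.sif}
        if [ -f "$img" ]; then
            if uids_match singularity exec "$img" id -u; then
                echo "ok:   uid inside $img equals uid $(id -u) outside"
            else
                echo "WARN: uid inside $img differs from the caller's uid"
            fi
        fi
    fi
}

main "$@"
```

The uid comparison is the check that matters most: a Docker user who runs `docker run ... id -u` gets 0 back regardless of who they are, because the daemon, not the caller, creates the process. The setuid count is the caveat: anything it reports is code that runs as root on behalf of unprivileged users and belongs on your patch list.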