And Gavin W. Burris writes:

> Great, but then how do you patch for critical vulns?

Beyond all the other responses (with which I agree), consider the current GHOST issue. If the possibly vulnerable bits are within container images, then for batch jobs exposure ends once the image is finished running. Some vetting of images given external network access always will be required, and that can handle checking for vulnerabilities. Heck, they can be run and metasploit-scanned internally for severe testing.

A node's base system likely has far fewer security surfaces exposed and can be rebooted into a new base image as soon as the running job is over, just like now, only without possibly having other updates occur that interfere with user application stacks. So much simpler, assuming your cluster is used for running more than a few fixed applications.

Building a good image will be simpler with well-behaved software, so quality still can be rewarded. But the growing quantity of crap software from a system level that produces useful science results can be supported without the current levels of pain.

_______________________________________________
Beowulf mailing list, [email protected] sponsored by Penguin Computing
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf
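The image-vetting step the reply describes (check images for the vulnerable glibc before granting them external network access) can be expressed as a small policy check. The following is an added example, not code from the thread or from the Beowulf project. It assumes an image inventory has already been collected (the list below is constructed sample data) with each image's glibc package version and the package changelog text, as `rpm -q --changelog glibc` or a Debian changelog would provide. The upstream cut-off is the one stated in the GHOST advisory: glibc 2.18 and later contain the fix, so an older upstream version counts as fixed only when the distribution's changelog shows the backport for CVE-2015-0235.

```python
"""Vet container images for GHOST (CVE-2015-0235) from their glibc package data.

Added illustration for the image-vetting step discussed on the list; the
inventory below is constructed sample data, not output of any real cluster.
"""
import re

CVE_ID = "CVE-2015-0235"
# Upstream glibc 2.18 carries the fix; earlier releases need a vendor backport.
FIRST_FIXED_UPSTREAM = (2, 18)


def upstream_version(pkg_version):
    """Extract the upstream glibc major.minor from a distro package version
    string such as '2.17-55.el7' or '2.13-38+deb7u1' (release suffix ignored)."""
    m = re.match(r"(\d+)\.(\d+)", pkg_version)
    if not m:
        raise ValueError(f"unparseable glibc version: {pkg_version!r}")
    return int(m.group(1)), int(m.group(2))


def ghost_status(pkg_version, changelog=""):
    """Classify one glibc package as 'fixed' (upstream >= 2.18), 'backported'
    (older upstream, but the changelog records the CVE) or 'vulnerable'."""
    if upstream_version(pkg_version) >= FIRST_FIXED_UPSTREAM:
        return "fixed"
    if CVE_ID in changelog:
        return "backported"
    return "vulnerable"


def vet_images(inventory):
    """Decide per image whether it may be given external network access.

    Images classified 'vulnerable' are still fine for isolated batch runs,
    which is the point made in the thread; they are only denied network."""
    decisions = {}
    for img in inventory:
        status = ghost_status(img["glibc"], img.get("changelog", ""))
        decisions[img["image"]] = {
            "status": status,
            "network_ok": status != "vulnerable",
        }
    return decisions


# Constructed sample inventory (image names, versions and changelog text are
# made up for the example; real values come from the images themselves).
SAMPLE_INVENTORY = [
    {"image": "sim-legacy:1", "glibc": "2.13-38+sample1", "changelog": ""},
    {"image": "sim-legacy:2", "glibc": "2.13-38+sample2",
     "changelog": "  * Fix gethostbyname buffer overflow (CVE-2015-0235)"},
    {"image": "sim-fresh:1", "glibc": "2.19-18+sample1", "changelog": ""},
]


if __name__ == "__main__":
    for name, d in vet_images(SAMPLE_INVENTORY).items():
        print(f"{name:16} {d['status']:11} network={'yes' if d['network_ok'] else 'no'}")
```

Two caveats a practitioner would add to this check: a version string alone is not proof, which is why the changelog lookup is there (vendors backport fixes without bumping the upstream version), and statically linked binaries inside an image embed their own copy of glibc, so a package query will not see them; those need the image's binaries inspected or rebuilt.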
