GIE security implications
Hi, what are the security implications of GIE? I saw the overview on the GIE page, but it's not clear to me how dangerous they are.

"They have complex interactions with numerous services, you'll need to be a fairly competent SysAdmin to debug all of the possible problems that can occur during deployment"

Is it possible to describe what the docker container has access to and what could possibly go wrong?

thank you very much, ido
Hi Ido,

every IE or the underlying Docker container can be different and this has implications about security. Assuming that every user is root inside Docker, and you can break out of Docker, this is the attack surface. To make it more clear, the IEs are as dangerous as Docker is, or the Docker container.

We are running IEs on a separate Node, inside of a VM. So all containers are started in these VMs. If anyone can break out of his/her IE, he is still in the VM and cannot do much.

Another concern might be huge computational load, or huge files that are created and spamming your network, hard disks. IEs are currently not scheduled through the Galaxy job scheduler, so they can consume whatever resources they need. This can be changed by configuring the Docker daemon accordingly.

The Galaxy team has plans to schedule IEs and make them even workflow aware afaik. Time will tell, contributions welcome! :)

Hope this helps,
Bjoern

On 03.01.2017 at 13:33, Tamir,Ido wrote:
> Hi, what are the security implications of GIE? I saw the overview on the GIE page, but it's not clear to me how dangerous they are.
> "They have complex interactions with numerous services, you'll need to be a fairly competent SysAdmin to debug all of the possible problems that can occur during deployment"
> Is it possible to describe what the docker container has access to and what could possibly go wrong?
> thank you very much, ido
Participants (2): Björn Grüning; Tamir,Ido
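Added example, not part of the thread and not Galaxy project code: a small audit of `docker inspect` output that flags the two concerns raised in the reply, containers with no resource limits and containers running as root. The container names and values in the sample are constructed; the Docker socket check is an extra assumption about what an operator would also want flagged.

```python
import json

# Constructed `docker inspect` output for two hypothetical IE containers.
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/ie-jupyter-1", "Config": {"User": ""},
  "HostConfig": {"Memory": 0, "NanoCpus": 0, "CpuQuota": 0, "PidsLimit": null,
                 "Privileged": false,
                 "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
 {"Name": "/ie-rstudio-2", "Config": {"User": "1000:1000"},
  "HostConfig": {"Memory": 4294967296, "NanoCpus": 2000000000, "CpuQuota": 0,
                 "PidsLimit": 512, "Privileged": false, "Binds": null}}
]
""")

def audit_container(c):
    """Return a list of findings for one `docker inspect` record."""
    host = c.get("HostConfig") or {}
    findings = []
    # Docker reports 0 when no memory or CPU limit was set at container start.
    if not host.get("Memory"):
        findings.append("no memory limit")
    if not host.get("NanoCpus") and not host.get("CpuQuota"):
        findings.append("no CPU limit")
    # PidsLimit is null, 0 or -1 when the process count is unlimited.
    pids = host.get("PidsLimit")
    if pids is None or pids <= 0:
        findings.append("no PID limit")
    if host.get("Privileged"):
        findings.append("privileged container")
    # An empty Config.User means the container process runs as root.
    user = (c.get("Config") or {}).get("User") or ""
    if user.split(":")[0] in ("", "0", "root"):
        findings.append("runs as root")
    # A mounted Docker socket gives the container control of the daemon.
    for bind in host.get("Binds") or []:
        if bind.split(":")[0].endswith("docker.sock"):
            findings.append("Docker socket mounted")
    return findings

def audit(records):
    """Map container name to its findings; an empty list means no finding."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in records}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "->", ", ".join(findings) or "ok")
```

On a real host, feed it the JSON from `docker inspect $(docker ps -q)` on the node or VM that runs the IE containers.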