Container late-binding in unprivileged dHTC pilot systems on Kubernetes resources
Journal: arXiv
Published Date: Mar 17, 2025
Abstract
The scientific and research community has benefited greatly from
containerized distributed High Throughput Computing (dHTC), both by enabling
elastic scaling of user compute workloads to thousands of compute nodes, and by
allowing for distributed ownership of compute resources. To effectively and
efficiently deal with the dynamic nature of the setup, the most successful
implementations use an overlay batch scheduling infrastructure fed by a pilot
provisioning system. One fundamental property of these setups is the use of
late binding of containerized user workloads. From a resource provider's point of
view, a compute resource is thus claimed before the user container image is
selected. This paper provides a mechanism to implement this late binding of
container images on Kubernetes-managed resources, without requiring any
elevated privileges.