[SloopJon]

Enroot sounds interesting:

https://github.com/NVIDIA/enroot

It basically returns containers to their chroot origins, promising "no performance overhead." I'm looking forward to more posts on that.

[bcatanzaro]

My team at NVIDIA uses enroot extensively. It's been really nice. We build containers using Docker but then run them with enroot.

[fulafel]

What performance overhead does this avoid compared to other container runtimes?

Another aspect, the "unprivileged "part sounds like an advantage over Docker, on par with podman and lxd etc.

[gnufx]

What's the advantage of enroot over charliecloud, which is unprivileged in the sense of being installable in your home directory (given user namespaces)? https://hpc.github.io/charliecloud/

[exxo_]

It is the same idea, we actually considered it at first. There are some differences in the implementation though and we built enroot with the idea of being more extensible. We also have a plugin for SLURM (https://github.com/NVIDIA/pyxis)

[exxo_]

There are several things that can impact performance on "traditional" container runtimes. For example, cgroups, LSMs, seccomp (especially with spectre mitigations), network NS/bridges, etc. There are also more subtle things like being able to do CMA, or deal with shared memory. Most runtimes let you opt out but this becomes difficult to manage and secure with multiple users.