CERN has started a security review of Singularity but cannot provide guarantees on the time scale or the completeness of said review
Red Hat seems to be more proactive on unprivileged user namespaces in 7.4, as seen in http://seclists.org/oss-sec/2017/q2/11:
"As for unprivileged user namespaces, they were considered too insecure up to and including RHEL-7.3 to be enabled by default. There are plans to enable them (by sysctl parameter) in RHEL-7.4."
CMS update:
Singularity has been rolled out in production at 3 CMS sites for 2 weeks already (not yet at 100%, but expected to reach 100% within a week)
Only one issue identified so far: if autofs restarts and tries to restart cvmfs, cvmfs cannot restart until all running pilots have drained and stopped using it. Discussion is ongoing with the developer (no bug opened yet), but it seems hard to fix.
Configuration management systems, e.g. Puppet, could trigger such a restart and thus kill WNs (worker nodes).
Long term support for Singularity?
It is not a grid project (it comes from HPC)
There is one paid developer, working for the US DOE: no crystal ball for the future...
Currently at least 4 people with commit access (incl. Brian)
Currently seeing a spike in popularity and commit activity
Seen as the way to run containers at HPC sites in the US (no Docker)
There is also experience in Europe:
GSI has considerable experience, including in development
Already deployed at some sites (e.g. SiGNET and ARNES, for host/pilot isolation)
Once SUID is dropped (with unprivileged user namespace support in RHEL), development will no longer be security-critical, as Singularity would mostly be a wrapper over the unprivileged namespace APIs
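As an added illustration of the readiness check implied by the last point (example code, not from the meeting notes or the Singularity project): a POSIX shell script that reports whether a worker node could run Singularity without the setuid helper. It assumes the upstream sysctl name user.max_user_namespaces and a binary path of /usr/bin/singularity; both are overridable through environment variables.

```shell
#!/bin/sh
# Added example (not from the meeting notes or the Singularity project):
# readiness check for running Singularity on unprivileged user namespaces
# instead of its setuid helper. Assumed names: sysctl user.max_user_namespaces
# and binary path /usr/bin/singularity (override via the variables below).
USERNS_SYSCTL_FILE="${USERNS_SYSCTL_FILE:-/proc/sys/user/max_user_namespaces}"
SINGULARITY_BIN="${SINGULARITY_BIN:-/usr/bin/singularity}"

# userns_allowed FILE: 0 when FILE exists and holds a positive limit, meaning
# the kernel lets unprivileged users create user namespaces.
userns_allowed() {
    [ -r "$1" ] || return 1
    n=$(tr -dc '0-9' < "$1")
    [ -n "$n" ] && [ "$n" -gt 0 ]
}

# is_setuid PATH: 0 when PATH carries the setuid bit (root code path in use).
is_setuid() {
    [ -u "$1" ]
}

# userns_works: 0 when creating a user namespace as this user really succeeds
# (needs util-linux 'unshare'); a host can pass the sysctl and still fail here.
userns_works() {
    command -v unshare >/dev/null 2>&1 || return 2
    unshare -U true 2>/dev/null
}

# report: print each finding; exit status 0 means SUID could be dropped here.
report() {
    rc=0
    if userns_allowed "$USERNS_SYSCTL_FILE"; then
        echo "user namespaces: limit > 0 in $USERNS_SYSCTL_FILE"
    else
        echo "user namespaces: disabled or not exposed ($USERNS_SYSCTL_FILE)"; rc=1
    fi
    if userns_works; then echo "unshare -U: ok"; else echo "unshare -U: failed"; rc=1; fi
    if [ ! -e "$SINGULARITY_BIN" ]; then
        echo "$SINGULARITY_BIN: not found"
    elif is_setuid "$SINGULARITY_BIN"; then
        echo "$SINGULARITY_BIN: setuid, still a security-critical code path"; rc=1
    else
        echo "$SINGULARITY_BIN: not setuid"
    fi
    return $rc
}

# Run the report only when SUID_CHECK_RUN=1 is set, so the file can also be sourced.
if [ -n "${SUID_CHECK_RUN:-}" ]; then report; fi
```

Run it as `SUID_CHECK_RUN=1 sh suid-check.sh` on a worker node; a non-zero exit means the node still depends on the setuid path or cannot create user namespaces.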