TACC / abaco

Actor Based Co(mputing)ntainers

Support an ephemeral scratch disk

mwvaughn opened this issue · comments

Executions run as non-root users, which is a security bonus as it makes the container immutable. However, there is some demand for temporary writeable space, which is accomplished in the sd2e and iplantc.org tenants by having a writable directory (/mnt/ephemeral) in their tenant-specific base image. This is not ideal, as files written there persist in the container after it exits and can't be easily cleaned up. I propose something like the following:

  • Provision a hardened directory on the host (permissions, acls, etc)
  • Extend Abaco so that it mounts this directory, extended by a unique directory name for each execution, at the /mnt/ephemeral directory inside the container.
  • Add a cron task that empties the contents of this directory on a recurring basis

Example

  1. On the Docker host, provision /scratch/executions
  2. Extend Abaco to implement:
    docker run -v /scratch/executions/<executionId>:/mnt/ephemeral:rw tacc/abaco_container
  3. Add a cron job that runs a purge script that looks like:
#!/bin/bash
set -eu

# delete files older than 1 day (-mtime +0 = modified more than 24 hours ago;
# -mtime 1 would only match files in the 24-48 hour window and miss older ones)
find /scratch/executions -mindepth 1 -type f -mtime +0 -exec rm -f -- {} +
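The three steps above, carried through as one shell script. This is an added illustration written for this page, not code from the Abaco project or from the issue author. The host path /scratch/executions, the one-day retention, the image name and the idea of passing the execution's uid to docker are taken from the proposal; the executionId character set, the 0711/0700 permission split, the --user flag and the function names are assumptions. The purge removes whole per-execution directories rather than individual files, so nothing is left behind for the next execution to inherit, and the executionId is validated before it is spliced into a host path, because a value such as ../../etc would otherwise bind-mount an arbitrary host directory into the container.

```bash
#!/bin/bash
# Worked example of the per-execution scratch proposal. Added illustration,
# not Abaco project code. Paths, the executionId character set, retention
# period, permission modes and the image name are assumptions.
set -u

SCRATCH_ROOT="${SCRATCH_ROOT:-/scratch/executions}"   # assumed host path
RETENTION_DAYS="${RETENTION_DAYS:-1}"                  # assumed retention
IMAGE="${IMAGE:-tacc/abaco_container}"                 # image named in the issue

# 1. Provision the root once on the Docker host.
#    0711: a process that knows its own directory name can traverse to it,
#    but only root can list the root, so one execution cannot enumerate others.
provision_root() {
  local root="$1"
  mkdir -p "$root" && chmod 0711 "$root"
}

# Accept only a plain identifier so an executionId that ultimately comes from
# an API client can never become "../../etc" and mount an arbitrary host path.
valid_exec_id() {
  case "$1" in
    ''|*[!A-Za-z0-9_.-]*|.|..) return 1 ;;
    *) return 0 ;;
  esac
}

# 2a. Create the per-execution directory, mode 0700, so only the uid the
#     container runs as (the directory owner) can read or write it.
#     chown is attempted only when this script itself runs as root.
make_exec_scratch() {
  local root="$1" exec_id="$2" uid="${3:-}"
  valid_exec_id "$exec_id" || { echo "bad executionId: $exec_id" >&2; return 1; }
  local dir="$root/$exec_id"
  mkdir -p "$dir" && chmod 0700 "$dir" || return 1
  if [ -n "$uid" ] && [ "$(id -u)" -eq 0 ]; then
    chown "$uid" "$dir" || return 1
  fi
  printf '%s\n' "$dir"
}

# 2b. Build the docker run invocation Abaco would issue. The container runs as
#     the uid that owns the scratch directory (--user is a hypothetical addition
#     here; the issue only states that executions run as non-root).
build_run_cmd() {
  local root="$1" exec_id="$2" uid="$3" image="$4"
  valid_exec_id "$exec_id" || return 1
  printf 'docker run --user %s -v %s/%s:/mnt/ephemeral:rw %s\n' \
    "$uid" "$root" "$exec_id" "$image"
}

# 3. Purge for the cron job: remove whole execution directories whose mtime is
#    older than the retention period. -mindepth 1 -maxdepth 1 means find can
#    never match (and rm can never remove) the root itself.
purge_stale() {
  local root="$1" days="$2"
  find "$root" -mindepth 1 -maxdepth 1 -type d -mmin "+$((days * 1440))" \
    -exec rm -rf -- {} +
}
```

On a host, run provision_root once at setup, have the Abaco worker call make_exec_scratch and build_run_cmd per execution, and schedule `purge_stale "$SCRATCH_ROOT" "$RETENTION_DAYS"` from cron. Directory mtime is used as the staleness signal because it changes whenever an entry is created or deleted inside the directory; a long-running execution that only appends to an existing file would not refresh it, so the retention period should exceed the maximum execution time.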