Arvados

See Build docker images as part of a workflow

Web-only users do not have access to Docker on the client (in addition, some shell users don't have access to Docker for security reasons, for example visitors to cloud.curoverse.com). Ther should be a mechanism to submit a request to build a Docker image for use in Arvados.

Possible solutions:

Unprivileged build inside a normal container request¶

For building images, here is a blog post which outlines how to do it with nested unprivileged containers, which is described as an "epic yak shave".

• https://blog.jessfraz.com/post/building-container-images-securely-on-kubernetes/

This seems like it would require quite a lot of tooling development.

Special container request¶

Special format container request recognized by crunch-run which executes "docker build" (instead of docker run) and produces the image collection as output.

Dedicated docker builder service¶

New microservice with API to request "build image".

Use external build service¶

For example, quay.io, then pull the resulting image (#11724). Requires integrating with external service(s) so would be harder to fully automate compared to Arvados-based solutions.