Privileged containers

Proposal: admins can submit containers than run with elevated privileges. This will allow for certain operations such as Docker-in-Docker that are disallowed with normal container privileges. For example, migrating Docker images relies on Docker-in-Docker (by installing Docker 1.9, loading the image, upgrading Docker, and then exporting the upgraded image). It may be easier for users to run a compute job rather than running an admin script.

Design

In the container request:

"runtime_constraints": {
  "privileged": true
}

The effective user associated with container request must be an admin, otherwise the container request will be rejected.

crunch-run executes container with "Privileged: true"