Privileged containers

Proposal: admins can submit containers than run with elevated privileges. This will allow for certain operations such as Docker-in-Docker that are disallowed with normal container privileges. For example, migrating Docker images relies on Docker-in-Docker (by installing Docker 1.9, loading the image, upgrading Docker, and then exporting the upgraded image). It may be easier for users to run a compute job rather than running an admin script.


In the container request:

"runtime_constraints": {
  "privileged": true

The effective user associated with container request must be an admin, otherwise the container request will be rejected.

crunch-run executes container with "Privileged: true"

Updated by Peter Amstutz over 7 years ago · 3 revisions