Privileged containers¶

Proposal: admins can submit containers than run with elevated privileges. This will allow for certain operations such as Docker-in-Docker that are disallowed with normal container privileges.

Design¶

In the container request:

"runtime_constraints": {
  "privileged": true
}

The effective user associated with container request must be an admin, otherwise the container request will be rejected.

crunch-run executes container with "Privileged: true"