Privileged containers » History » Version 3
Peter Amstutz, 03/22/2017 06:23 PM
h1. Privileged containers

Proposal: admins can submit containers that run with elevated privileges. This will allow for certain operations such as Docker-in-Docker that are disallowed with normal container privileges. For example, migrating Docker images relies on Docker-in-Docker (by installing Docker 1.9, loading the image, upgrading Docker, and then exporting the upgraded image). It may be easier for users to run a compute job than to run an admin script.

h2. Design

In the container request:

<pre>
"runtime_constraints": {
  "privileged": true
}
</pre>

The effective user associated with the container request must be an admin; otherwise the container request will be rejected.

crunch-run executes the container with "Privileged: true"
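
An added sketch of the admission rule in the design above, not Arvados code: it fails closed when @privileged@ is not a JSON boolean and when the effective user is not an admin. The names @admit!@, @privileged_requested?@, @decision@ and @PrivilegedRequestError@, and the user hash with @is_admin@, are assumptions; the sample requests are constructed.

```ruby
require 'json'

# Hypothetical error type for this sketch (not an Arvados class).
class PrivilegedRequestError < StandardError; end

# True only when runtime_constraints.privileged is the JSON boolean true.
# Any other type ("true", 1, null) is rejected instead of being coerced.
def privileged_requested?(container_request)
  constraints = container_request.fetch('runtime_constraints', {})
  unless constraints.is_a?(Hash)
    raise PrivilegedRequestError, 'runtime_constraints must be an object'
  end
  value = constraints.fetch('privileged', false)
  unless [true, false].include?(value)
    raise PrivilegedRequestError, "privileged must be a boolean, got #{value.inspect}"
  end
  value
end

# Admission rule from the design: a privileged request is accepted only
# when the effective user is an admin. Returns the flag the runner would
# pass to the container runtime ("Privileged: true" on the page).
def admit!(container_request, effective_user)
  privileged = privileged_requested?(container_request)
  if privileged && effective_user[:is_admin] != true
    raise PrivilegedRequestError, 'privileged containers require an admin effective user'
  end
  { 'Privileged' => privileged }
end

# Parse a request body and report the outcome without raising.
def decision(json_text, effective_user)
  admit!(JSON.parse(json_text), effective_user)
rescue PrivilegedRequestError => e
  { 'rejected' => e.message }
end

# Constructed sample users and request bodies (assumed shapes).
ADMIN = { username: 'admin1', is_admin: true }.freeze
USER  = { username: 'user1',  is_admin: false }.freeze
SAMPLES = {
  privileged: '{"runtime_constraints": {"privileged": true}}',
  stringly:   '{"runtime_constraints": {"privileged": "true"}}',
  plain:      '{}'
}.freeze

SAMPLES.each do |name, body|
  [ADMIN, USER].each { |u| puts "#{name} as #{u[:username]}: #{decision(body, u)}" }
end
```

Rejecting the string @"true"@ rather than coercing it keeps the API-side check and the runner from disagreeing about whether a request is privileged.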