Make it possible to use Docker images with --privileged flag

Issue #16277 wontfix
Michael Beigelmacher
created an issue

I'm currently trying to use Pipelines to build a Singularity container (https://singularity.lbl.gov/docs-build-container) which will later either be pushed to a remote server or made available as a download. I have a Docker image I'm using as a build environment; however, when the step comes to build the Singularity container an error is thrown:

+ singularity build shiny.img shiny.def
Using container recipe deffile: shiny.def
Sanitizing environment
ERROR : Could not virtualize mount namespace: Operation not permitted
ABORT : Retval = 255
Cleaning up...

Apparently the way around this is to run Docker with the --privileged flag (see https://github.com/singularityware/singularity/issues/632#issuecomment-296545074). After having spoken with support it's come to my attention that this is currently impossible with Pipelines (see https://confluence.atlassian.com/bitbucket/run-docker-commands-in-bitbucket-pipelines-879254331.html). It would be useful to have this option available for builds in which it is required.
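An added check, not part of the original issue and not code from Singularity or Pipelines: the "Could not virtualize mount namespace: Operation not permitted" error is the EPERM a process gets from unshare(CLONE_NEWNS) when it lacks CAP_SYS_ADMIN, which is one of the capabilities --privileged would grant. The script below decodes the CapEff bitmask from a /proc/<pid>/status file to report whether a build container holds that capability; the two sample masks and all function names are constructed for this example.

```shell
#!/bin/sh
# Added example: decode the Linux effective-capability mask (CapEff) that a
# process reports in /proc/<pid>/status and tell whether CAP_SYS_ADMIN is set.
# CAP_SYS_ADMIN is capability number 21 in the kernel's numbering; it is what
# unshare(CLONE_NEWNS), the mount-namespace step of `singularity build`, needs.

# has_cap_sys_admin HEXMASK -> returns 0 if bit 21 is set, 1 otherwise.
has_cap_sys_admin() {
    mask="$1"
    [ -n "$mask" ] || return 1
    [ $(( (0x$mask >> 21) & 1 )) -eq 1 ]
}

# cap_eff_from_status FILE -> prints the hex value on the "CapEff:" line.
cap_eff_from_status() {
    sed -n 's/^CapEff:[[:space:]]*//p' "$1"
}

# describe_mask HEXMASK -> prints a verdict; returns 0 when CAP_SYS_ADMIN is
# present (privileged-style container), 1 when it is absent (default sandbox).
describe_mask() {
    mask="$1"
    if has_cap_sys_admin "$mask"; then
        echo "CapEff=$mask: CAP_SYS_ADMIN present, mount namespace setup can succeed"
        return 0
    fi
    echo "CapEff=$mask: CAP_SYS_ADMIN absent, expect 'Could not virtualize mount namespace'"
    return 1
}

# describe_process PID -> same verdict for a live process (e.g. self).
describe_process() {
    describe_mask "$(cap_eff_from_status "/proc/$1/status")"
}

# Constructed sample masks (not captured from a Pipelines run):
# Docker's default capability set, and the full set a --privileged container
# receives on a kernel with 41 capabilities.
DEFAULT_DOCKER_CAPEFF="00000000a80425fb"
PRIVILEGED_CAPEFF="000001ffffffffff"

# Demonstration on the constructed samples; `|| :` keeps the restricted
# verdict from aborting a `set -e` shell.
describe_mask "$DEFAULT_DOCKER_CAPEFF" || :
describe_mask "$PRIVILEGED_CAPEFF" || :
```

Running `describe_process $$` inside a Pipelines step shows the mask the build actually gets, which is the quickest way to confirm the error is a capability limit rather than a Singularity misconfiguration.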

Comments (1)

  1. Aneita Yang staff

    Hi @Michael Beigelmacher,

    Thanks for reaching out and for the suggestion.

    For security reasons, we don't allow docker commands to be run with the --privileged flag. While this restriction limits what a small number of users can achieve with Pipelines, the majority of use cases for using Docker commands are covered with what we currently support. This is a trade-off with Pipelines - Docker containers are fast to start and cheap to run, but certain jobs cannot be run safely in a container sandbox on shared infrastructure.

    Given that we don't have any plans to support privileged containers in Pipelines in the foreseeable future, due to our security architecture, I'm going to close off this issue.

    Aneita