I am experimenting with an opportunistic workflow for CMS, in which condor starts in a docker container using uCERNVM + Parrot.
Basically, the image contains just the kernel, and also /usr, /bin etc. are provided via CVMFS via Parrot.
One of the limitations of this environment is that setuid commands do not work (trapped by Parrot), so eventually you are root and cannot become any