On 6/13/19 4:14 PM, Gergely Debreczeni via HTCondor-users wrote:
There are a couple of reasons it is disabled by default in HTCondor. First, Docker Universe bind-mounts the condor scratch sandbox directory into the container. This allows condor file transfer, condor_tail and other familiar condor tools and mechanisms to work. Without additional configuration, if we let the container run as root, a bad container could do things through the volume mount that show up in the host machine's filesystem. Second, at the time of Docker Universe creation, we weren't 100% convinced that a docker container running as root could escape to the host. There have been a couple of documented escapes, which the docker engineers have quickly patched.
If you trust your containers in your environment, on the worker node, you can set
DOCKER_DROP_ALL_CAPABILITIES = false
and then the containers will be able to run setuid binaries. Try setting this knob, and making your package installer inside your container (yum, apt-get) sudo'able or maybe setuid, and you should be able to install packages from within the container.
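A check to go with the advice above, added here as an example and not part of the original reply or of HTCondor's own code: run it inside a Docker universe job (or on any Linux host) to see from /proc/self/status whether the process still holds the capabilities that setuid binaries such as sudo depend on, and whether the kernel's no_new_privs flag is set, which makes execve ignore setuid bits entirely. It assumes Linux /proc semantics and the capability bit numbers from linux/capability.h; which exact docker run flags the DOCKER_DROP_ALL_CAPABILITIES knob maps to is not assumed, the script only reports what the resulting process can do.

```shell
#!/bin/sh
# Added example (not HTCondor's code): classify what setuid binaries can do
# inside the current process context, using /proc/<pid>/status.
#
# CapBnd (bounding set) is a 64-bit hex mask; it caps the capabilities a
# setuid-root binary can gain on execve. NoNewPrivs is 0/1; when 1, execve
# ignores setuid/setgid bits and file capabilities altogether.
# Bit numbers below are those of <linux/capability.h>.
CAP_SETGID=6
CAP_SETUID=7

# status_field NAME  (reads /proc/<pid>/status text on stdin)
# -> prints the value on the "NAME:" line, nothing if absent
status_field() {
    awk -v want="$1:" '$1 == want { print $2 }'
}

# cap_is_set HEXMASK BIT -> prints 1 if capability BIT is in HEXMASK, else 0
cap_is_set() {
    echo $(( (0x$1 >> $2) & 1 ))
}

# classify  (reads /proc/<pid>/status text on stdin) -> prints one of:
#   no-new-privs    no_new_privs is on: a setuid binary runs with the caller's uid
#   no-setuid-cap   setuid-root still raises euid, but the bounding set lacks
#                   CAP_SETUID/CAP_SETGID, so sudo cannot switch identity
#   setuid-ok       setuid binaries work as they would on the host
classify() {
    text=$(cat)
    nnp=$(printf '%s\n' "$text" | status_field NoNewPrivs)
    bnd=$(printf '%s\n' "$text" | status_field CapBnd)
    bnd=${bnd:-0000000000000000}
    if [ "${nnp:-0}" = 1 ]; then
        echo no-new-privs
    elif [ "$(cap_is_set "$bnd" $CAP_SETUID)" = 1 ] &&
         [ "$(cap_is_set "$bnd" $CAP_SETGID)" = 1 ]; then
        echo setuid-ok
    else
        echo no-setuid-cap
    fi
}

# Report on this process when running on Linux; silently skip elsewhere.
if [ -r /proc/self/status ]; then
    echo "this process: $(classify < /proc/self/status)"
fi
```

Run it as the job's executable (or from inside the job with condor_ssh_to_job) once with the knob at its default and once with DOCKER_DROP_ALL_CAPABILITIES = false; the first run is expected to print something other than setuid-ok, the second should print setuid-ok if the container can now run setuid binaries.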