
In Open Horizon and all commercial distributions based on it, you can specify that a service should be deployed with privileged process execution enabled. It is disabled by default, so you must explicitly enable it in the Service Definition file to use it. Any agreement that is negotiated to run that service implies that the target nodes must also explicitly allow it in their Node Policy file.

DAB: Is there a way that we can point directly at the privileged field here: https://open-horizon.github.io/anax/deployment_string.html instead of pointing to the service def, which indirectly points to this location?


DAB: I think we should explain why you have to enable it on the node in addition to the service def. I think it will be obvious that enablement in the service def is needed, but node enablement might be more shocking. The reason for requiring it on the node is because in OH, the node owner gets a say/vote in what runs on the node. This is the whole purpose of node policy, to give the node owner agency in the decision about what runs there.

Check your privilege

On a host machine, some tasks can only be performed by an account with root access. This means that the account you are currently logged in as is either the root account itself (generally not a good idea), or your account has acquired root-level privileges through `sudo`. Likewise, containers generally do not need privileged mode on the host, that is, to be run as the root user or to have root-level access on the host computer.

...

Therefore, try not to use privileged containers. If you must, ensure they are thoroughly and continuously vetted for vulnerabilities. Also ensure that privileged containers have a narrow scope for their duties, meaning they should perform only a specific task.

DAB: Might also want to explicitly say that the service def should also be vetted to ensure that only necessary directories and devices on the host are mounted to the container. The audio2text example illustrates my point.
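
One way to vet a service definition before it is allowed on a node, as an added example that is not part of the original page or Open Horizon's own code. It assumes the `privileged`, `binds` and `devices` fields of the deployment string and the `openhorizon.allowPrivileged` node policy property; the service name, image and paths are constructed sample data.

```python
import json

# Constructed sample inputs; service name, image and paths are placeholders.
# Assumed field names: "privileged", "binds", "devices" in the deployment string.
SERVICE_DEF = json.loads("""
{
  "url": "example.recorder",
  "version": "1.0.0",
  "deployment": {
    "services": {
      "recorder": {
        "image": "registry.example/recorder:1.0.0",
        "privileged": true,
        "binds": ["/dev/snd:/dev/snd", "/:/host", "appdata:/data:ro"],
        "devices": ["/dev/snd:/dev/snd"]
      },
      "web": {"image": "registry.example/web:1.0.0"}
    }
  }
}
""")
# Node owner has not opted in to privileged services (assumed property name).
NODE_POLICY = {"properties": [{"name": "openhorizon.allowPrivileged", "value": False}]}


def audit_service(service_def, node_policy):
    """Return (findings, privilege_ok) for a service definition and a node policy."""
    findings = []
    needs_priv = False
    for name, svc in service_def.get("deployment", {}).get("services", {}).items():
        if svc.get("privileged") is True:
            needs_priv = True
            findings.append(f"{name}: privileged mode requested")
        for bind in svc.get("binds", []):
            src = bind.split(":")[0]
            if src.startswith("/"):  # host path rather than a named volume
                findings.append(f"{name}: host path mounted: {src}")
        for dev in svc.get("devices", []):
            findings.append(f"{name}: host device exposed: {dev.split(':')[0]}")
    allowed = any(p.get("name") == "openhorizon.allowPrivileged" and p.get("value") is True
                  for p in node_policy.get("properties", []))
    # A privileged service is acceptable only if the node policy opts in.
    return findings, (allowed or not needs_priv)


if __name__ == "__main__":
    findings, privilege_ok = audit_service(SERVICE_DEF, NODE_POLICY)
    print("\n".join(findings))
    print("node policy permits this service's privilege level:", privilege_ok)
```

Each finding is a line a reviewer should be able to justify against the service's single task; a mount of `/` or a privileged flag with no matching need is a reason to reject the definition.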


Why do we use it (what is it good for)?

...