...
In Open Horizon and all commercial distributions based on it, you have the ability to specify that a service should be deployed with privileged process execution enabled. By default, it is disabled. You must explicitly enable it in the Service Definition file to use it. And any agreement that is negotiated to run that service implies that the target nodes must also explicitly allow that in their Node Policy file.
DAB: I think we should explain why you have to enable it on the node in addition to the service def. I think it will be obvious that enablement in the service def is needed, but node enablement might be more shocking. The reason for requiring it on the node is because in OH, If you would like to learn more about the agreement process between nodes and services, please watch the short Patterns and Policies video.. This is an important concept to understand because a human operator cannot just deploy a service to a specific node. Instead, the node has a vote in the agreement negotiation process which is mediated by the AgreementBot. If the service definition or one of its dependencies requires privileged mode, the node policy must also allow privileged mode, or else an agreement will not be formed. The reason for requiring the node policy file to expliocitly enable privileged mode is because the node owner gets a say/vote in what runs on the node. This is the whole purpose of the node policy, to give the node owner agency in the decision about what runs there.
...