ioi / isolate

Sandbox for securely executing untrusted programs

Why privileged mode is required to run isolate in a docker container? #129

Closed Md-Azib closed 1 year ago

Md-Azib commented 1 year ago

Seeing https://github.com/ioi/isolate/issues/111, it seems that to run isolate in a Docker environment, privileged access is mandatory. This is also confirmed here in the judge0 docker compose file. From what I understand, Docker containers use namespaces and cgroups for isolation, but they don't require privileged access. Why does isolate need it? I am facing this issue while trying to run isolate in a container environment in the cloud, where the cloud provider doesn't support running Docker in privileged mode for obvious security reasons.

gollux commented 1 year ago

First of all, are you running Isolate with cgroup2 support (from the cg2 branch)? As far as I remember, cgroup1 does not support delegation of cgroup subtrees to non-privileged processes.

However, I do not run Isolate in Docker containers myself, so I do not know if there are any other obstacles. I do not think it is a good idea -- inside a container on a shared machine, you are not likely to get consistent time limits.
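The delegation question above can be checked from inside the container before trying Isolate at all. The following is an added example, not code from this thread or from the isolate project: it classifies the cgroup hierarchy from `/proc/self/cgroup` and reports which controllers the container's own cgroup exposes in `cgroup.controllers`. The `NEEDED` set, the sample file contents and all function names are assumptions made for this example.

```python
"""Constructed pre-flight check (not part of isolate): given the contents of
/proc/self/cgroup and the container's cgroup.controllers file, report whether
the cgroup hierarchy is v2 and which controllers are visible to the container.
NEEDED is an assumed set, not isolate's own list."""
from pathlib import Path

NEEDED = ("cpu", "memory", "pids")  # assumed: CPU time, memory and process limits
SAMPLE_V2 = "0::/docker/0123abcd\n"  # constructed /proc/self/cgroup, unified
SAMPLE_V1 = "12:memory:/docker/0123abcd\n11:cpu,cpuacct:/docker/0123abcd\n"
SAMPLE_CONTROLLERS = "cpuset cpu io memory pids\n"  # constructed cgroup.controllers

def cgroup_mode(proc_self_cgroup: str) -> str:
    """Classify /proc/self/cgroup as 'v2', 'v1', 'hybrid' or 'unknown'."""
    lines = [l for l in proc_self_cgroup.splitlines() if l.strip()]
    # A v2 entry has hierarchy id 0 and an empty controller field: "0::/path"
    unified = [l for l in lines if l.startswith("0::")]
    if not lines:
        return "unknown"
    if len(unified) == len(lines):
        return "v2"
    return "v1" if not unified else "hybrid"

def v2_cgroup_path(proc_self_cgroup: str) -> str:
    """Caller's cgroup path in the v2 hierarchy, or '' if it has none."""
    for line in proc_self_cgroup.splitlines():
        if line.startswith("0::"):
            return line[3:].strip()
    return ""

def missing_controllers(controllers_file: str, needed=NEEDED) -> list:
    """Needed controllers absent from a cgroup.controllers file."""
    available = set(controllers_file.split())
    return [c for c in needed if c not in available]

def preflight(proc_self_cgroup: str, controllers_file: str) -> dict:
    """'ok' means a pure v2 hierarchy with every needed controller visible."""
    mode = cgroup_mode(proc_self_cgroup)
    missing = missing_controllers(controllers_file) if mode == "v2" else list(NEEDED)
    return {"mode": mode, "cgroup": v2_cgroup_path(proc_self_cgroup),
            "missing": missing, "ok": mode == "v2" and not missing}

def read_live() -> dict:
    """Run preflight on the real files; with a cgroup namespace the container's
    own cgroup root is what appears at /sys/fs/cgroup."""
    ctrl = Path("/sys/fs/cgroup/cgroup.controllers")
    return preflight(Path("/proc/self/cgroup").read_text(),
                     ctrl.read_text() if ctrl.exists() else "")

if __name__ == "__main__":
    print(read_live())
```

A controller listed in `cgroup.controllers` is only visible, not yet delegated: creating a child cgroup for the sandbox additionally needs write access to the container's cgroup directory and the controller enabled in its `cgroup.subtree_control`.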

Md-Azib commented 1 year ago

I was using cgroup1. I went through a couple of other discussions around this, like https://github.com/ioi/isolate/issues/78. I will try to run cg2 in Docker without privileges and post my findings here.

Definitely agree with your point on not having consistent time limits, but for the use case I am trying to solve, I can afford it.

maxkt commented 2 months ago

@Md-Azib Hello! As someone who is curious whether it's possible to run Isolate with cgroupsv2 in Docker without full host privileges, I wonder if you eventually managed to do it? Thanks in advance.