From 657207436dc55f7f85d722e252009c3bea2f0537 Mon Sep 17 00:00:00 2001
From: Julien Cristau
Date: Thu, 28 Aug 2025 15:45:44 +0200
Subject: [PATCH] Remove support for docker-in-docker, privileged and loopback-audio docker-worker features

As far as I know they're unused at this point. In addition:

- docker-in-docker involves talking to the docker daemon on the host, which has proven problematic as it bakes in dependencies on the docker daemon's version. It's also dubious from a security perspective, and as far as I can tell doesn't work in generic-worker/d2g (it doesn't have a proxy to only allow "safe" commands)
- privileged is inherently problematic as it makes the task root-equivalent on the worker
- loopback audio these days is achieved with dummy devices at the pulseaudio or pipewire level, not at the kernel level
---
 src/taskgraph/transforms/task.py | 24 +++++-------------------
 1 file changed, 5 insertions(+), 19 deletions(-)

diff --git a/src/taskgraph/transforms/task.py b/src/taskgraph/transforms/task.py
index 09b8836d9..fc5761084 100644
--- a/src/taskgraph/transforms/task.py
+++ b/src/taskgraph/transforms/task.py
@@ -496,9 +496,6 @@ def verify_index(config, index):
         Required("taskcluster-proxy"): bool,
         Required("allow-ptrace"): bool,
         Required("loopback-video"): bool,
-        Required("loopback-audio"): bool,
-        Required("docker-in-docker"): bool, # (aka 'dind')
-        Required("privileged"): bool,
         # Paths to Docker volumes.
         #
         # For in-tree Docker images, volumes can be parsed from Dockerfile.
@@ -611,9 +608,6 @@ def build_docker_worker_payload(config, task, task_def):
     if worker.get("chain-of-trust"):
         features["chainOfTrust"] = True
 
-    if worker.get("docker-in-docker"):
-        features["dind"] = True
-
     if task.get("needs-sccache"):
         features["taskclusterProxy"] = True
         task_def["scopes"].append(
@@ -630,16 +624,11 @@ def build_docker_worker_payload(config, task, task_def):
 
     capabilities = {}
 
-    for lo in "audio", "video":
-        if worker.get("loopback-" + lo):
-            capitalized = "loopback" + lo.capitalize()
-            devices = capabilities.setdefault("devices", {})
-            devices[capitalized] = True
-            task_def["scopes"].append("docker-worker:capability:device:" + capitalized)
-
-    if worker.get("privileged"):
-        capabilities["privileged"] = True
-        task_def["scopes"].append("docker-worker:capability:privileged")
+    if worker.get("loopback-video"):
+        capitalized = "loopbackVideo"
+        devices = capabilities.setdefault("devices", {})
+        devices[capitalized] = True
+        task_def["scopes"].append("docker-worker:capability:device:" + capitalized)
 
     task_def["payload"] = payload = {
         "image": image,
@@ -1081,9 +1070,6 @@ def set_defaults(config, tasks):
             worker.setdefault("taskcluster-proxy", False)
             worker.setdefault("allow-ptrace", False)
             worker.setdefault("loopback-video", False)
-            worker.setdefault("loopback-audio", False)
-            worker.setdefault("docker-in-docker", False)
-            worker.setdefault("privileged", False)
             worker.setdefault("volumes", [])
             worker.setdefault("env", {})
             if "caches" in worker:
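Review bot: In the added `loopback-video` block the local `capitalized` is a leftover of the removed `"audio", "video"` loop: it is now a fixed string that capitalizes nothing, so the name misleads the next reader. Drop the `capitalized = "loopbackVideo"` line and write `devices["loopbackVideo"] = True` and `task_def["scopes"].append("docker-worker:capability:device:loopbackVideo")`, which also keeps the capability key and its scope string visibly in sync. Since `Required("privileged")` and `Required("docker-in-docker")` are removed from the payload schema in the first hunk, a kind that still sets them should now fail validation rather than silently lose the capability, assuming the schema rejects unknown keys as voluptuous does by default; a test asserting that rejection would pin the fail-closed behaviour this removal relies on. build_docker_worker_payload starts and ends outside this hunk.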