#Experimental privileged nesting

Hi ! I just wanted to know why does the reference says that ExperimentalPrivilegedNesting grants full access to the host filesystem. And one question leading to another, when is it useful to use that option ?

👋 not sure if that is still accurate given that we're not bind-mounting the buildkit soc anymore. cc @loud sonnet is this still valid?

I checked which sockets were open in a container running with that flag and I got the following output :

dagger /lib $ ss -a
Netid                State                 Recv-Q                Send-Q
[kernel stuff...]                         
tcp                  LISTEN                0                     4096                                     127.0.0.1:35801                                      0.0.0.0:*

So I guess that the buildkit socket is no longer mounted

I'm not sure what is the role of that flag actually

as you can see there it allows to run nested Dagger sessions

so within a withExec you can call dagger again if needed

It's inaccurate

(as far as I know)

yep, that's my assumption also. Waiting for Erik's 👀 to fix the docs

I actually suspect it was always inaccurate, and was meant for the next call in the list

I think it was there when the buildkit sock was mounted since having access to the raw buildkit socket allowed anyone to do nasty things 😬

Hmm ok I get it now

Thanks !

sure, np! will fix the dosc as soon as Erik verifies this

related: https://github.com/dagger/dagger/issues/9208

Yep it's very out of date, the security concerns are all gone

fixing 🙏

Oh man that makes me so happy

@loud sonnet you're on board for making it the default?

writing a comment on the issue, there's a subtly around caching to make a decision on, but as I'm writing it I'm convincing myself it'd be good to enable by default after a change to some caching logic

https://github.com/dagger/dagger/pull/10172

https://github.com/dagger/dagger/issues/9208#issuecomment-2807378556