Remove support for docker-in-docker, privileged and loopback-audio docker-worker features

jcristau · jcristau · commit 657207436dc5 · 2025-08-28T15:45:44.000+02:00
As far as I know they're unused at this point.  In addition:
- docker-in-docker involves talking to the docker daemon on the host,
  which has proven problematic as it bakes in dependencies on the docker
  daemon's version.  It's also dubious from a security perspective, and
  as far as I can tell doesn't work in generic-worker/d2g (it doesn't
  have a proxy to only allow "safe" commands)
- privileged is inherently problematic as it makes the task
  root-equivalent on the worker
- loopback audio these days is achieved with dummy devices at the
  pulseaudio or pipewire level, not at the kernel level
diff --git a/src/taskgraph/transforms/task.py b/src/taskgraph/transforms/task.py
@@ -496,9 +496,6 @@ def verify_index(config, index):
         Required("taskcluster-proxy"): bool,
         Required("allow-ptrace"): bool,
         Required("loopback-video"): bool,
-        Required("loopback-audio"): bool,
-        Required("docker-in-docker"): bool,  # (aka 'dind')
-        Required("privileged"): bool,
         # Paths to Docker volumes.
         #
         # For in-tree Docker images, volumes can be parsed from Dockerfile.
@@ -611,9 +608,6 @@ def build_docker_worker_payload(config, task, task_def):
     if worker.get("chain-of-trust"):
         features["chainOfTrust"] = True
 
-    if worker.get("docker-in-docker"):
-        features["dind"] = True
-
     if task.get("needs-sccache"):
         features["taskclusterProxy"] = True
         task_def["scopes"].append(
@@ -630,16 +624,11 @@ def build_docker_worker_payload(config, task, task_def):
 
     capabilities = {}
 
-    for lo in "audio", "video":
-        if worker.get("loopback-" + lo):
-            capitalized = "loopback" + lo.capitalize()
-            devices = capabilities.setdefault("devices", {})
-            devices[capitalized] = True
-            task_def["scopes"].append("docker-worker:capability:device:" + capitalized)
-
-    if worker.get("privileged"):
-        capabilities["privileged"] = True
-        task_def["scopes"].append("docker-worker:capability:privileged")
+    if worker.get("loopback-video"):
+        capitalized = "loopbackVideo"
+        devices = capabilities.setdefault("devices", {})
+        devices[capitalized] = True
+        task_def["scopes"].append("docker-worker:capability:device:" + capitalized)
 
     task_def["payload"] = payload = {
         "image": image,
@@ -1081,9 +1070,6 @@ def set_defaults(config, tasks):
             worker.setdefault("taskcluster-proxy", False)
             worker.setdefault("allow-ptrace", False)
             worker.setdefault("loopback-video", False)
-            worker.setdefault("loopback-audio", False)
-            worker.setdefault("docker-in-docker", False)
-            worker.setdefault("privileged", False)
             worker.setdefault("volumes", [])
             worker.setdefault("env", {})
             if "caches" in worker:
