by calebbrown 1506 days ago
Author here.

It's running a Podman container (like Docker but daemon-less) with a gVisor runtime for isolation inside the Docker container.

The outer container is privileged, but doesn't run any attacker controlled code.

But, yeah, seeing those two strings together in the same command is certainly amusing.


Hello! Cool project. Wondering what you need `--privileged` for?

Thanks!

`--privileged` is needed to run the container inside a container.

e.g. https://www.docker.com/blog/docker-can-now-run-within-docker...

This is particularly useful for using Kubernetes to manage a cluster of instances.
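The security argument in the thread rests on one invariant: the outer Docker container may be privileged only because attacker-controlled code runs exclusively in the inner Podman container under gVisor. The check below, an added example and not the author's code, verifies that layout from `docker inspect` / `podman inspect` JSON; the field names `HostConfig.Privileged` and `OCIRuntime` are assumed from those tools' output formats, and the sample records are constructed.

```python
import json

def _is_gvisor(runtime):
    """True if the OCI runtime path or name is gVisor's runsc."""
    return bool(runtime) and runtime.rstrip("/").split("/")[-1] == "runsc"

def check_nesting(outer_inspect: str, inner_inspect: str) -> list:
    """Compare the two layers against the design described in the thread.

    outer_inspect: JSON from `docker inspect <outer>` (assumed: HostConfig.Privileged)
    inner_inspect: JSON from `podman inspect <inner>` (assumed: OCIRuntime, HostConfig.Privileged)
    Returns a list of findings; an empty list means the layout matches the design.
    """
    outer = json.loads(outer_inspect)[0]
    inner = json.loads(inner_inspect)[0]
    findings = []

    # The outer layer is expected to be privileged (needed for nested containers),
    # so its absence is a functional problem rather than a security one.
    if not outer.get("HostConfig", {}).get("Privileged", False):
        findings.append("outer: not privileged; nested podman is unlikely to start")

    # The inner layer is where untrusted code runs, so it must be under gVisor.
    runtime = inner.get("OCIRuntime") or inner.get("HostConfig", {}).get("Runtime")
    if not _is_gvisor(runtime):
        findings.append(f"inner: runtime {runtime!r} is not gVisor (runsc); "
                        "untrusted code would share the host kernel")

    # A privileged inner container would hand the sandboxed workload the outer
    # container's (already privileged) capabilities.
    if inner.get("HostConfig", {}).get("Privileged", False):
        findings.append("inner: privileged flag set; this defeats the gVisor boundary")
    return findings

# Constructed sample records, shaped like `docker inspect` / `podman inspect` output.
OUTER_OK = json.dumps([{"Id": "constructed-outer",
                        "HostConfig": {"Privileged": True, "Runtime": "runc"}}])
INNER_OK = json.dumps([{"Id": "constructed-inner", "OCIRuntime": "/usr/bin/runsc",
                        "HostConfig": {"Privileged": False}}])
INNER_BAD = json.dumps([{"Id": "constructed-inner", "OCIRuntime": "crun",
                         "HostConfig": {"Privileged": True}}])

if __name__ == "__main__":
    for name, inner in (("ok", INNER_OK), ("bad", INNER_BAD)):
        print(name, check_nesting(OUTER_OK, inner) or "layout matches design")
```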