Closed Bug 1133783 Opened 10 years ago Closed 9 years ago

Add a feature flag for running workers in privileged mode

Categories

(Taskcluster :: General, defect)

x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mrrrgn, Assigned: garndt)

References

Details

We need the ability to update images within a TC worker, but, to use docker within a container, it must be run with `-privileged`: https://blog.docker.com/tag/inception/ The task config should support a flag which enables this mode.
Blocks: 1132346
Putting a feature flag at `task.payload.features.privileged` makes a lot of sense to me. But I suggest that we require a scope whenever this feature flag is set. Probably something like: `docker-worker:privileged:<provisionerId>/<workerType>` (i.e. a scope-pattern covering this must be in task.scopes). Ideally, we should isolate tasks that need -privileged to a specific workerType. But if we don't, it's certainly nice that there is a scope protecting the feature flag.
I am not against feature-specific scopes, but once we allow privileged you basically have complete access to the machine and it is not a good idea to use it for anything other than your one task... Potentially we should destroy the machines used in privileged mode after usage (particularly if the use case is building docker images).
If the use case is building docker images, then yes, we should clean up by killing the worker node. But it should be noted that there are other valid use cases for privileged, such as access to special hardware like GPUs. And in some ways it really just signifies an increased level of trust.
Blocks: 1134637
Component: TaskCluster → General
Product: Testing → Taskcluster
The privileged flag is available for docker-worker as of: https://github.com/taskcluster/docker-worker/commit/f6a9cad669dadbc1f8034abaf927d178fc8ecd31#diff-af02ac312a10ad7d038707b65a14a7ab This must be enabled both on the worker level and within a task.
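The gating logic discussed in this bug, as an added example that is not docker-worker's own code: the scope requirement proposed earlier in the thread (`docker-worker:privileged:<provisionerId>/<workerType>` must be covered by `task.scopes`) combined with the rule from the fix that the worker itself must also have the feature enabled. The function names, the `workerConfig` shape (`allowPrivileged`, `provisionerId`, `workerType`) and the sample tasks are assumptions made for illustration; the scope-matching rule (a held scope ending in `*` satisfies any required scope that starts with the prefix before the `*`) is Taskcluster's general scope semantics.

```javascript
// Added example, not code from docker-worker. Decides whether a task may run
// with task.payload.features.privileged set. Names below are assumptions.

// Taskcluster scope satisfaction: a held scope ending in '*' satisfies any
// required scope that starts with the text before the '*'; otherwise the
// held and required scopes must be identical.
function scopeSatisfies(held, required) {
  if (held.endsWith('*')) {
    return required.startsWith(held.slice(0, -1));
  }
  return held === required;
}

function hasScope(scopes, required) {
  return scopes.some((held) => scopeSatisfies(held, required));
}

// Returns { allowed, reason }. `task` carries payload and scopes;
// `workerConfig` is the assumed worker-side configuration.
function checkPrivileged(task, workerConfig) {
  const features = (task.payload && task.payload.features) || {};
  if (!features.privileged) {
    return { allowed: true, reason: 'privileged not requested' };
  }
  // Worker-level opt-in: the task flag alone is never enough.
  if (!workerConfig.allowPrivileged) {
    return { allowed: false, reason: 'worker does not allow privileged tasks' };
  }
  // Task-level authorization: the task must hold a scope covering this
  // provisionerId/workerType pair.
  const required =
    `docker-worker:privileged:${workerConfig.provisionerId}/${workerConfig.workerType}`;
  if (!hasScope(task.scopes || [], required)) {
    return { allowed: false, reason: `task is missing scope ${required}` };
  }
  return { allowed: true, reason: 'privileged allowed' };
}

// Constructed sample inputs (not real Taskcluster data).
const worker = {
  provisionerId: 'example-provisioner',
  workerType: 'image-builder',
  allowPrivileged: true,
};
const exactTask = {
  payload: { features: { privileged: true } },
  scopes: ['docker-worker:privileged:example-provisioner/image-builder'],
};
const wildcardTask = {
  payload: { features: { privileged: true } },
  scopes: ['docker-worker:privileged:example-provisioner/*'],
};
const unscopedTask = {
  payload: { features: { privileged: true } },
  scopes: ['docker-worker:cache:some-cache'],
};
const plainTask = { payload: {}, scopes: [] };

// Usage: print each decision.
for (const [name, task] of Object.entries({ exactTask, wildcardTask, unscopedTask, plainTask })) {
  console.log(name, checkPrivileged(task, worker));
}
```

Note that the two checks are independent: disabling `allowPrivileged` on the worker rejects a task even when it holds the right scope, which matches the "both on the worker level as well as within a task" requirement, while a worker that allows the feature still refuses tasks whose scopes do not cover its own provisionerId/workerType.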
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Assignee: nobody → garndt