The Container Needs Docker, So Mount the Socket and Run --privileged?
A CI job needs to build images and a teammate wants to bind-mount the Docker socket and run --privileged to fix permission errors. Defend the safe approach.
the decision you defend
A CI job inside a container needs to build images, and a teammate says just bind-mount /var/run/docker.sock and run the job with --privileged so it can do whatever it needs. What do you do, and why?
the situation
A containerized CI runner needs to build and push Docker images as part of the pipeline. The build step keeps failing with permission errors because there is no Docker daemon reachable from inside the job container, and the pipeline is blocked.
context
The CI jobs run in ephemeral containers on a shared runner host. A teammate proposes the quick fix: bind-mount the host Docker socket (/var/run/docker.sock) into the job container and add --privileged so it can do whatever it needs. The pipeline also builds pull requests from outside contributors, so code you do not control runs on this same runner.
How this challenge works
Take a position on the decision above and defend it. A senior-engineer AI will push back over up to 4 rounds. When you are done, you are scored against a verified rubric so you can see exactly what a complete answer covers - these are learning prompts, not gotchas.