nextflow-io · bentsherman · Jul 27, 2023 · Aug 2, 2023 · Oct 9, 2023 · Oct 9, 2023
@@ -538,6 +538,14 @@ The following settings are available:
 `docker.fixOwnership`
 : Fix ownership of files created by the docker container.
 
+`docker.fusionOptions`
+: :::{versionadded} 23.01.0-edge
+  :::
+: :::{versionchanged} 23.08.0-edge
+  The default options were changed from `'--rm --privileged'` to the current default.
+  :::
+: The extra command line options to be used with Fusion (default: `'--rm --device /dev/fuse --cap-add SYS_ADMIN --security-opt apparmor:unconfined'`).
+
 `docker.legacy`
 : Use command line options removed since Docker 1.10.0 (default: `false`).
 
@@ -1108,6 +1116,14 @@ The following settings are available:
 `podman.envWhitelist`
 : Comma separated list of environment variable names to be included in the container environment.
 
+`docker.fusionOptions`
+: :::{versionadded} 23.01.0-edge
+  :::
+: :::{versionchanged} 23.08.0-edge
+  The default options were changed from `'--rm --privileged'` to the current default.
+  :::
+: The extra command line options to be used with Fusion (default: `'--rm --device /dev/fuse'`).
+
 `podman.mountFlags`
 : Add the specified flags to the volume mounts e.g. `mountFlags = 'ro,Z'`.
 

diff --git a/modules/nextflow/src/main/groovy/nextflow/container/ContainerConfig.groovy b/modules/nextflow/src/main/groovy/nextflow/container/ContainerConfig.groovy
@@ -87,8 +87,10 @@ class ContainerConfig extends LinkedHashMap {
         final eng = getEngine()
         if( !eng )
             return null
-        if( eng=='docker' || eng=='podman' )
-            return '--rm --privileged'
+        if( eng=='docker' )
+            return '--rm --device /dev/fuse --cap-add SYS_ADMIN --security-opt apparmor:unconfined'
+        if( eng=='podman' )
+            return '--rm --device /dev/fuse'
         if( eng=='singularity' || eng=='apptainer' )
             return null
         log.warn "Fusion file system is not supported by '$eng' container engine"

diff --git a/modules/nextflow/src/main/groovy/nextflow/k8s/K8sTaskHandler.groovy b/modules/nextflow/src/main/groovy/nextflow/k8s/K8sTaskHandler.groovy
@@ -249,7 +249,8 @@ class K8sTaskHandler extends TaskHandler implements FusionAwareTask {
         }
 
         if ( fusionEnabled() ) {
-            builder.withPrivileged(true)
+            builder.withDevices(['/dev/fuse'])
+                    .withCapabilities(add: ['SYS_ADMIN','MKNOD','SYS_CHROOT','SETFCAP'])
 
             final env = fusionLauncher().fusionEnv()
             for( Map.Entry<String,String> it : env )

diff --git a/plugins/nf-wave/src/main/io/seqera/wave/plugin/cli/WaveDebugCmd.groovy b/plugins/nf-wave/src/main/io/seqera/wave/plugin/cli/WaveDebugCmd.groovy
@@ -118,7 +118,7 @@ class WaveDebugCmd {
 
     protected WaveRunCmd buildWaveRunCmd(String scheme) {
         final result = new WaveRunCmd(session)
-        result.withContainerParams([tty:true, privileged: true])
+        result.withContainerParams([tty:true])
         if( scheme=='s3' ) {
             result.withEnvironment('AWS_ACCESS_KEY_ID')
             result.withEnvironment('AWS_SECRET_ACCESS_KEY')