Decide if we can live with d-in-d

[OliverWoolland]

Running Funnel in the stack means that we have to docker-in-docker to run jobs (per funnel defaults)

Since this adds the risk of container breakout - this leads to a few interesting decisions needing to be made

1. Is a demonstrator really a demonstrator? i.e. will never be used in production on a real system with real data? if so rootless dind seems safe enough to me. Nice and easy to deploy, self contained (ha) and simple
2. If we are using real data / in production - does changing execution environment help sufficiently? e.g. swap docker for slurm are we ok? (maybe not if it still runs containers...)
3. If we swap docker for slurm do we then run containers using something like singularity / apptainer?

All views welcome! @stain @alexhambley @elichad very keen to hear your thoughts - will be a balancing act this I think

[OliverWoolland]

Or maybe Funnel just runs singularity jobs rather than docker and we call it a day... dunno

[prquinlan]

Worth a discussion with the wider group. As stated in the docs though, the 'all in one' is meant as a very quick and simplistic approach - not meant for production

[OliverWoolland]

Agreed - which is why we think it would be good to include Funnel in the stack even if there are trade-offs