mount /var/lib/docker with the nosuid flag
This issue is split from #218 (closed).
/var/lib/docker should mounted with nosuid on the worker nodes, and (if possible, i am not sure of the side effects) on the sid node.
There may be some effects on the old allgo instance (rails), I am not sure whether we can implement that while the old allgo is still online.