Implement other docker runtime features

[dleehr]

As noted in

calrissian/calrissian/job.py

Line 253 in b4526af

# TODO: Determine if we can port --read-only, networkaccess, log-driver, --user

DockerCommandLineJob.create_runtime() builds up some additional docker command flags (read-only container filesystem, custom network access, matching user, etc)

Some of these may be necessary/appropriate. Should research/triage/implement as needed

[dleehr]

In some cases these arguments map to CWL features (network access), and in some cases they're not achievable on openshift without changing security contexts (--user). I think the first order of business is to document that calrissian does not support these CWL goals/features, but welcome contributions to address them.

[mr-c]

Running with --user is good to catch containers that require that the root user be used. It probably isn't necessary as long as you manage the file permissions (if needed).