Docker Container Security
The cluster discusses the security limitations of Docker containers, emphasizing that they are not reliable sandboxes because the kernel is shared with the host and breakouts are possible; commenters often recommend VMs, rootless mode, or tools such as gVisor for stronger isolation.
Sample Comments
Docker containers are not security boundaries, unless run on top of Firecracker or gVisor.
Containers aren't a sandbox: https://news.ycombinator.com/item?id=46405993
You should be assuming Docker is insecure until proven otherwise. Fully isolating a root user with a shared kernel is very difficult.
Not sure how secure this really is, because it's fairly easy to break out of a Docker container with the default settings (due to the fact that the kernel is shared between containers and the host, unlike with VMs). Rootless Docker (or better, Podman) would improve security greatly.
Docker containers aren't provably secure. If you want isolation, use a VM that doesn't have host file system access. This way, if the VM is compromised, just throw it away and it can't leak out the way containers do.
Please don't shrug this off so easily. With a vulnerability in the Docker daemon (and no software is 100% free of bugs) he is in more danger than before containerization.
Are Docker containers actually sensibly secure as sandboxes? I thought there were still some gaps that needed to be closed in the underlying tech for it to be as safe as virtualization?
Relying on containers for security is a recipe for none.
Docker is just a container and not a sandbox. There are no controls in the kernel to prevent something from leaving the container unless you enable restrictions outside of docker such as SELinux. There is a lot of development around SELinux+Docker right now.
How do people feel about using docker to prevent this sort of thing? Does it strike the right balance between usability and security?