[JoachimSchipper]

Docker is not (designed to be) a security technology. Yes, rolling back servers/VMs/containers to their previous state is a good capability to have (although most of us just use backups for that!), but assuming that an attacker cannot break out of a container is, at least, optimistic.

[wepple]

> assuming that an attacker cannot break out of a container is, at least, optimistic.

Agreed. However as long as you don't look at it as your primary line of defense, it increases the cost to an attacker. And that's currently the best we can ever do.

[JoachimSchipper]

There are arguments - which are at least plausible - that the same effort is better spent on VM / Solaris Zones / FreeBSD jails / traditional chroot / SELinux / just using dedicated hardware for everything / ...; several of these have the advantage of not encouraging people to throw up a compartment (of some kind) and never update it again, which is certainly something that happens with Docker.