by helper 2674 days ago
This is a really great exploration of this vulnerability.

It makes me sad that lxc doesn't get more love. LXC has had unprivileged containers as its default for 5+ years now. It's a really solid tool set that has mostly been passed over for lack of marketing.

2 comments

The reason Docker gets so much attention is its container image repository infrastructure. I'm sure LXC has something similar, but Docker's is built-in and has almost anything you can think of. (Of course, this presents other security/trust issues).
Need to be careful that Docker and LXC both default to unprivileged; however, they use the term to mean different things.

If you say “don’t run your containers as root on the host”, this matches the issue better.