by dragonwriter 2504 days ago
As I understand it, Docker isn't intended to be, and shouldn't be relied on as, a security sandbox.

It creates boundaries, but, like a typical suburban garden fence, they aren't hardened security boundaries.


You've got two cases here: breaking out of default Docker config, or breaking out of kernel namespaces. The first one is very common now and really well tested. The second one is definitely security sandbox worthy. Docker also integrates with SELinux and seccomp.

Basically what I'm saying is, it's very much a security boundary. It's far from a decorative fence.

Breaking out of a docker container with default settings is hard. You would be making the headlines if you could do so.

Now breaking out of a docker container with --privileged or even just CAP_SYS_ADMIN is much easier.
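As an added illustration (not code from any commenter), here is a small audit that reads `docker inspect` output and flags the settings this comment calls out as weakening the default boundary: `--privileged`, added `CAP_SYS_ADMIN`, and a disabled seccomp or AppArmor profile. The embedded sample JSON is constructed, trimmed to the `HostConfig` fields the check reads; the live variant shells out to the real `docker` CLI.

```python
import json
import subprocess

# Constructed sample in the shape of `docker inspect <container>` output,
# trimmed to the HostConfig fields this check reads. Not real data.
SAMPLE_INSPECT = json.dumps([{
    "Id": "constructed-example-id",
    "Name": "/build-agent",
    "HostConfig": {
        "Privileged": False,
        "CapAdd": ["SYS_ADMIN"],
        "CapDrop": None,
        "SecurityOpt": ["seccomp=unconfined"],
    },
}])

def audit_container(entry):
    """Return findings for one `docker inspect` entry.

    Flags --privileged, CAP_SYS_ADMIN (or CAP_ALL) added on top of the default
    capability set, and an explicitly unconfined seccomp/AppArmor profile.
    """
    host = entry.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: all capabilities, seccomp/AppArmor not applied")
    caps = {c.upper().removeprefix("CAP_") for c in (host.get("CapAdd") or [])}
    if "SYS_ADMIN" in caps or "ALL" in caps:
        findings.append("CAP_SYS_ADMIN added beyond Docker's default capability set")
    for opt in host.get("SecurityOpt") or []:
        if opt.lower() in ("seccomp=unconfined", "seccomp:unconfined"):
            findings.append("seccomp disabled: default syscall filter not applied")
        if opt.lower() in ("apparmor=unconfined", "apparmor:unconfined"):
            findings.append("AppArmor disabled")
    return findings

def audit_inspect_json(raw):
    """Map container name -> findings for a `docker inspect` JSON document."""
    return {e.get("Name") or e.get("Id"): audit_container(e) for e in json.loads(raw)}

def audit_running_containers():
    """Live variant: inspect every running container on this host."""
    ids = subprocess.run(["docker", "ps", "-q"], capture_output=True, text=True, check=True).stdout.split()
    if not ids:
        return {}
    raw = subprocess.run(["docker", "inspect", *ids], capture_output=True, text=True, check=True).stdout
    return audit_inspect_json(raw)

if __name__ == "__main__":
    for name, findings in audit_inspect_json(SAMPLE_INSPECT).items():
        print(name, findings or ["no weakening flags set"])
```

A container started with plain `docker run` and no extra flags yields an empty findings list; the sample above yields two.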

There was a CVE in February [0][1] that escaped out of Docker's default settings. runc has had a few of these over the last few years; it isn't inconceivable that there are more to be found.

Docker does do a decent job of setting some sensible defaults - but it isn't a security sandbox and they don't market it as such.

[0] https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-fr...

[1] https://seclists.org/oss-sec/2019/q1/119

The very fact that there's a CVE for breaking out of docker shows that it's a big deal :)