[kccqzy]

Breaking out of a docker container with default settings is hard. You would be making the headlines if you could do so.

Now breaking out of a docker container with --privileged or even just CAP_SYS_ADMIN is much easier.

[shakna]

There was a CVE in February [0][1] that escaped out of Docker's default settings. runc has a few of these over the last few years, it isn't inconceivable that there are more to be found.

Docker does do a decent job of setting some sensible defaults - but it isn't a security sandbox and they don't market it as such.

[0] https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-fr...

[1] https://seclists.org/oss-sec/2019/q1/119

[kccqzy]

The very fact that there's a CVE for breaking out of docker shows that it's a big deal :)