[zmgsabst]

Docker has had security and isolation features since it was competing with LXC on who glued cgroups and namespaces together better — and discussed in those terms the whole time.

While I agree that Docker as written isn’t good at security, your post has big “they’re holding the iPhone wrong!” vibes — and seemingly ignores the historic reasons that people would think it provides security.

[beeboobaa3]

> your post has big “they’re holding the iPhone wrong!” vibes

More like "it just isn't meant to be used for that". At least not in the default configuration, and that's fine!

> seemingly ignores the historic reasons that people would think it provides security

I've been using docker since it was announced. People have always been very clear that docker is not a security boundary, at least not with its default configuration.

[zmgsabst]

> People have always been very clear that docker is not a security boundary, at least not with its default configuration.

I’ve also used it since the beginning and that’s some mighty strong revisionism.

Docker was compared to VMs — with a tiny asterisk of fine print that it’s not actually configured to employ security features it’s built with.

[beeboobaa3]

> Docker was compared to VMs

By certain people, yes. They have always been wrong. Never by the docker team themselves.

[gtirloni]

I think your point is valid. Docker was indeed all about developer productivity in the beginning and it's up to infrastructure operator to lock it down.