[ventana]

That's true, the majority of people probably install software without much thinking; but it's also true that it's always better to have at least some high level understanding how the specific piece of software works. What access the given software has, will it send something over the network or work locally; that kind of stuff.

As for Docker, I would assume everyone who ever tried to bind-mount a volume for writing from inside the container (on Linux*) then were surprised to see root-owned files in their bind-mounted directory. For me personally, that was the moment I realized that containers, by default, have root access to the filesystem. No written warning serves better than the need to chown some root-owned files.

* Not on macOS. On macOS Docker basically runs in a VM, and there's no root access to the host filesystem from what I understand.

[edit: formatting]

[LeFantome]

Docker relies fundamentally on the Linux kernel. Since macOS does not have a Linux kernel, you have to run Linux in a VM first and then run Docker on top of that.

So, you may get filesystem access inside the VM. Breaking out of the VM may be a different matter.

[repelsteeltje]

Precisely. There is nothing preventing you from doing the same in Linux: rather than installing docker, install docker on a Linux VM (ie. using KVM).

Conversely, docker containers don't actually exist on MacOs. Docker desktop is merely a way to emulate docker on apple hardware.

[ethin]

I primarily use Incus for all container stuff, not Docker. Is problematic if I want to e.g. use a docker-compose file, but I (think) it protects against these things because incus allows me to create a vm and not a container if I really need that level of isolation.

[ethin]

What's the downvote for? Does someone really dislike Incus that bad?