by pritambaral 14 days ago
I hope you see the (IMO, obvious) problem.

1. Docker (or any Linux container runtime, for that matter) is not intended for, designed for, or effective as a security boundary.

2. Root containers run as root on the host. The "sandboxed" processes have full capabilities, as far as the kernel is concerned with them.


> 1. Docker (or any Linux container runtime, for that matter) is not intended for, designed for, or effective as a security boundary.

This has been discussed in detail earlier - https://news.ycombinator.com/item?id=47612726

Further, on Mac OS, you can use `--mode=native` for Mac's native sandboxing (seatbelt).

> 2. Root containers run as root on the host. The "sandboxed" processes have full capabilities, as far as the kernel is concerned with them.

That's not always the case. You can run rootless containers or you can use containerization like Podman which does not run as root.

> You can run rootless containers or you can use containerization like Podman which does not run as root.

Yes, now you get my point. Do you run rootless containers (with the Docker backend) or do you run "root" containers?
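One way to settle the root-versus-rootless question for a running container is to look at what the host kernel records for its process. The script below is an added example, not code from this thread: it reads `/proc/<pid>/status` on the host (the PID comes from `docker inspect -f '{{.State.Pid}}' <container>`) and decodes the effective capability set. Capability bit numbers follow linux/capability.h; the embedded status text is a constructed sample so the script also runs without a container.

```python
"""Report what the host kernel sees for a container process: its host UID and
effective capability set, parsed from /proc/<pid>/status."""
import sys
from pathlib import Path

# Linux capability names indexed by bit number (from linux/capability.h).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Constructed sample: a root container with Docker's default capability set.
SAMPLE_STATUS = "Name:\tsh\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n"

def parse_status(text):
    """Return (effective host UID, CapEff bitmask) from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    uid = int(fields["Uid"].split()[1])  # Uid: real effective saved fs
    return uid, int(fields["CapEff"], 16)

def cap_names(mask):
    """Decode a capability bitmask into names; unknown bits appear as CAP_<n>."""
    names, bit = [], 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names

def assess(text):
    """Classify the process as seen by the host kernel."""
    uid, cap_eff = parse_status(text)
    caps = cap_names(cap_eff)
    if uid != 0:
        verdict = "unprivileged on the host (rootless)"
    elif all(name in caps for name in CAP_NAMES):
        verdict = "root on the host with the full capability set"
    elif "SYS_ADMIN" in caps:
        verdict = "root on the host with CAP_SYS_ADMIN"
    else:
        verdict = "root on the host with a reduced capability set"
    return uid, caps, verdict

if __name__ == "__main__":
    # Usage: python3 check_caps.py <host pid>; no argument uses the sample.
    text = Path(f"/proc/{sys.argv[1]}/status").read_text() if len(sys.argv) > 1 else SAMPLE_STATUS
    uid, caps, verdict = assess(text)
    print(f"uid={uid} caps={','.join(caps)}\n{verdict}")
```

A rootless setup shows a non-zero host UID even though the process believes it is uid 0 inside its user namespace; a `--privileged` container shows uid 0 with every capability bit set.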