[eldondev]

Can you be specific about the other security methodologies docker rolls in? Everywhere I read, people say "LXC != VM-level security," specifically, I hear that root on the container means root on the host. These suse guys at least say "If you want to be secure, kvm is still your answer." : http://unixcal.com/s/a4mn . Thoughts?

[jpetazzo]

Root on the container doesn't mean root on the host. Machine-level virtualization has received more scrutiny than LXC, so as of today, many people consider traditional VMs to be more secure. But KVM or Xen are not intrinsically more secure than LXC or OpenVZ. They all have their histories of exploits and privilege escalations.

One key thing is, that it makes sense to run containers without root privileges (greatly improving security), while it is much harder to realistically run a VM without root processes. As a result, it could be said that containers are much safer, because before even thinking about breaking out of the container, you have to work on a root exploit - on a system which, by essence, only runs the processes that you really need, and has a much smaller attack surface.

We're working on a more elaborated answer, to be included within Docker docs!