Docker is based on Linux namespaces.
The first thing which comes to mind is that Docker does not use user namespaces. Hence, the root within Docker is the same root as on the host side. Of course Docker papers over the issue by using apparmor and other tricks but this does not cure the issue itself.
Linux containers (LXC, libvirt-lxc, Docker) are shared kernel visualization. Every single kernel vulnerability will hit you hard.
In contrast to LXC and libvirt-lxc Docker lets you configure a lot of insane setups which are not secure. (But easy to setup)
Also keep in mind resource issues. If you setup your container in a wrong way
it my eat all your available file descriptors, all memory, etc...
(Because it is shared kernel)
Let's face it, the whole technology was not designed for sandboxing, more for
easy deployment of applications.
That said, I really love container and use them a lot in production with libvirt-lxc.
But I don't use them for sandboxing.
Linux containers (LXC, libvirt-lxc, Docker) are shared kernel visualization. Every single kernel vulnerability will hit you hard.
In contrast to LXC and libvirt-lxc Docker lets you configure a lot of insane setups which are not secure. (But easy to setup) Also keep in mind resource issues. If you setup your container in a wrong way it my eat all your available file descriptors, all memory, etc... (Because it is shared kernel)
Let's face it, the whole technology was not designed for sandboxing, more for easy deployment of applications.
That said, I really love container and use them a lot in production with libvirt-lxc. But I don't use them for sandboxing.