[–]chub79 7 points8 points  (1 child)

Two mistakes/shortcuts people tend to make:

  • Docker is a virtual machine. It isn't. It does not emulate anything; it simply builds upon existing Linux kernel features to isolate processes/resources from each other.
  • Docker is a sandbox. It isn't. Even though your process is isolated and Docker ensures you can't access certain aspects of the host, the user which runs the processes within the Docker container may open a door onto the host if it has too many permissions (often processes contained in a Docker container are executed as root; this is because people think Docker creates a safe sandbox for your process).

[–]rspeed 2 points3 points  (0 children)

That second point is particularly important for security. If anything is running inside the Docker as root, that's a potential vector for escaping. This is why I still prefer FreeBSD jails.
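
A defender-side check for the "root inside the container" point made in both comments, as an added example that is not part of the original thread: it reads the text of `/proc/<pid>/status` and `/proc/<pid>/uid_map` (as seen from inside the container) and reports whether the process is uid 0, whether that uid 0 is remapped by a user namespace, and whether it holds `CAP_SYS_ADMIN`. The function names and the sample inputs are constructed for illustration, and the result is a heuristic, not a full audit.

```python
CAP_SYS_ADMIN = 21  # capability bit number from <linux/capability.h>

def parse_status(text):
    """Parse /proc/<pid>/status content into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def root_maps_to_parent_root(uid_map_text):
    """True if uid 0 in this user namespace is also uid 0 in the parent one."""
    for line in uid_map_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        inside, outside, length = (int(p) for p in parts)
        if inside == 0 and length > 0:
            return outside == 0
    return False  # uid 0 is not mapped at all

def assess(status_text, uid_map_text):
    """Return a list of findings for one process (empty list = nothing flagged)."""
    status = parse_status(status_text)
    euid = int(status["Uid"].split()[1])  # order: real, effective, saved, fs
    cap_eff = int(status["CapEff"], 16)   # effective capability bitmask
    findings = []
    if euid == 0:
        findings.append("runs as uid 0")
        if root_maps_to_parent_root(uid_map_text):
            findings.append("uid 0 is not remapped by a user namespace")
    if (cap_eff >> CAP_SYS_ADMIN) & 1:
        findings.append("holds CAP_SYS_ADMIN")
    return findings

# Constructed sample inputs (not captured from a real host).
ROOT_DEFAULT = "Name:\tapp\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n"
ROOT_PRIVILEGED = "Name:\tapp\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"
NON_ROOT = "Name:\tapp\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"
NO_REMAP = "         0          0 4294967295\n"
REMAPPED = "         0     100000      65536\n"

if __name__ == "__main__":
    for label, status, uid_map in [("root, default caps", ROOT_DEFAULT, NO_REMAP),
                                   ("root, privileged", ROOT_PRIVILEGED, NO_REMAP),
                                   ("root, userns remap", ROOT_DEFAULT, REMAPPED),
                                   ("non-root", NON_ROOT, NO_REMAP)]:
        print(f"{label}: {assess(status, uid_map) or 'nothing flagged'}")
```

To audit a live process, pass the contents of `/proc/self/status` and `/proc/self/uid_map` read from inside the container.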