
This is all true.

If a web application has a vulnerability that allows arbitrary code execution then Docker is only a mild help.

BUT, it can help mitigate a certain set of security problems. It is a very simple way to provide pretty good protection against file-traversal type vulnerabilities, even when combined with privilege escalation.

People shouldn't view Docker as a security "silver bullet". But at the same time it does provide an additional layer of security, and that layer can be useful.

The Docker people have a good post[1] about the Docker security model, and they list two future improvements they see as important:

"map the root user of a container to a non-root user of the Docker host, to mitigate the effects of a container-to-host privilege escalation;"

and

"allow the Docker daemon to run without root privileges, and delegate operations requiring those privileges to well-audited sub-processes, each with its own (very limited) scope: virtual network setup, filesystem management, etc."

I think most people would agree these are important goals.

[1] http://blog.docker.io/2013/08/containers-docker-how-secure-a...
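The comment above treats Docker as one additional layer rather than a silver bullet. The following docker-compose.yml is an added example, not from the post or from Docker's own documentation, showing what that layer looks like in practice: the same image run once with defaults and once with the container-side controls that limit what a code-execution or file-traversal bug inside the application can reach. The service name, image tag, port and bind-mount path are constructed for illustration. (The first improvement quoted above, mapping the container's root to an unprivileged host user, is a daemon-side setting that Docker later shipped as `userns-remap`; it is not expressed in a compose file.)

```yaml
# Added example (not from the HN post or from Docker): the same constructed
# image run with default isolation and with a hardened configuration.
services:
  # Weak: root inside the container, writable root filesystem, the default
  # capability set. Arbitrary code execution yields root-in-container, and
  # a file-traversal bug can read or write anything the image contains.
  webapp-weak:
    image: example/webapp:1.0      # constructed image name
    ports:
      - "8080:8080"

  # Hardened: each setting removes something an attacker would otherwise
  # get for free from the default configuration.
  webapp-hardened:
    image: example/webapp:1.0      # same constructed image
    ports:
      - "8080:8080"
    user: "10001:10001"            # run as a non-root UID/GID inside the container
    read_only: true                # root filesystem is mounted read-only
    tmpfs:
      - /tmp:rw,noexec,nosuid,size=64m   # the only writable scratch space
    cap_drop:
      - ALL                        # drop every Linux capability
    security_opt:
      - no-new-privileges:true     # setuid/setcap binaries cannot raise privileges
    pids_limit: 256                # bound process creation inside the container
    volumes:
      - ./config:/app/config:ro    # constructed path; bind mounts are read-only
```

Bring either service up with `docker compose up webapp-weak` or `docker compose up webapp-hardened`. The hardened service is the one to compare against the post's point: a traversal that escapes the web root still lands on a read-only filesystem as an unprivileged user with no capabilities, so the "combined with privilege escalation" case the comment mentions has far less to work with, while a genuine container-to-host escape remains outside what these settings address.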



