Hacker News new | past | comments | ask | show | jobs | submit login

Docker is the industry-accepted standard to run web applications as root.



It's unfortunate that Docker still doesn't use user namespaces.


No, they are new and have had many security issues. Just run your containers not as root, you can use capabilities if you like.


But certain namespaces cannot be created without CAP_SYS_ADMIN. Sure, you can drop privileges later, but a privilege escalation exploit in the container gives the attacker root access outside of that container, too. Sure, user namespaces have had issues, but they seem a hell of a lot safer than no isolation at all. Furthermore, user namespaces allow unprivileged users to create containers, too, which is particularly exciting.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: