How Secure is Docker/LXC? Exploring the Limits of Root User Access

Short answer: Root on the docker container can break out of jail and compromise system.

Docker is meant to simplify the life of developers and sysadmins, not about containing programs isolated from each other. There’s some safety features backed in, but they are not the main intention. The idea is to ship a container with the application and every pre-requisite packed together and let the user start it without hassle, not to keep misbehaved users or applications in check.

There are some exploits that make possible to a user running root applications inside a container to break free from the container and compromise the host. Docker took some measures to fix those loopholes, but they are cumbersome to employ.

This Docker security article tells you to not let users load modules. To allow module loading you allow the user to easily break free of the jail. If you want security AND let people load modules, use a VM.

You can create light virtual machines using Xen, VirtualBox or Kvm, and they will be isolated from each other. You can give all your users root on the image, and they will not be able to mess with each other nor with the host system.

Leave a Reply

Your email address will not be published. Required fields are marked *