Security and isolation: Running non-root application in privileged-mode container

I read that Docker can be used as a security mechanism (to entirely isolate an application from the host system) as long as the application is not run with root privileges inside the Docker container.

I also read that if you run a container in privileged mode you basically give up any security/isolation benefits. Does this mean that even non-root apps run in privileged mode containers can be potentially harmful (security-wise) to the host system?

  • How to run executable jar in docker
  • Docker, EC2 and Rstudio
  • Access docker bridge using docker exec
  • Is it possible to run docker client in window server as done in Windows 7?
  • Docker container cannot access internet, only ping works
  • Running a single Docker Cloud's HAProxy container with SSL and non-SSL simultaneously
  • Low-level Docker experts’ answers appreciated!

  • Access to Docker container
  • Kubernetes Pod Creation Speed
  • How to run .NET unit tests in a docker container
  • Deleting docker volumes on Dokku
  • Create a local end-to-end development environment
  • Does my docker images need its own consul client instances?
  • One Solution collect form web for “Security and isolation: Running non-root application in privileged-mode container”

    The security details are discussed in this article, which is quite useful. The newly-released Docker V1.2.0 allows you to restrict capabilities for privileged containers using the “–cap-drop” and “–cap-add” options.

    Docker will be the best open platform for developers and sysadmins to build, ship, and run distributed applications.