Security and isolation: Running non-root application in privileged-mode container

I read that Docker can be used as a security mechanism (to entirely isolate an application from the host system) as long as the application is not run with root privileges inside the Docker container.

I also read that if you run a container in privileged mode you basically give up any security/isolation benefits. Does this mean that even non-root apps run in privileged mode containers can be potentially harmful (security-wise) to the host system?

One solution collected from the web for “Security and isolation: Running non-root application in privileged-mode container”

    The security details are discussed in this article, which is quite useful. The newly-released Docker V1.2.0 allows you to restrict capabilities for privileged containers using the “--cap-drop” and “--cap-add” options.
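
An added example, not part of the original answer or of Docker itself: a small audit over `docker inspect` output that flags privileged containers whatever user they run as and reports the `--cap-add`/`--cap-drop` settings the answer mentions. The sample JSON is constructed, and the finding labels and the policy (flag every privileged container, expect `--cap-drop ALL` as the baseline) are assumptions of this example.

```python
import json

# Constructed sample, trimmed to the `docker inspect` fields this audit reads.
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/web", "Config": {"User": "app"},
  "HostConfig": {"Privileged": true, "CapAdd": null, "CapDrop": null}},
 {"Name": "/worker", "Config": {"User": "1000:1000"},
  "HostConfig": {"Privileged": false, "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"]}},
 {"Name": "/legacy", "Config": {"User": ""},
  "HostConfig": {"Privileged": false, "CapAdd": ["cap_sys_admin"], "CapDrop": null}}
]
""")

def _caps(values):
    """Normalise capability names: upper-case, no CAP_ prefix, sorted."""
    names = set()
    for v in values or []:          # docker inspect emits null when unset
        v = v.upper()
        names.add(v[4:] if v.startswith("CAP_") else v)
    return sorted(names)

def _is_root(user):
    """An empty User means no USER was set, so the process starts as uid 0."""
    return user.split(":", 1)[0] in ("", "0", "root")

def audit(containers):
    """Return one report per container with a list of findings (assumed policy)."""
    reports = []
    for c in containers:
        host = c.get("HostConfig") or {}
        user = (c.get("Config") or {}).get("User") or ""
        add, drop = _caps(host.get("CapAdd")), _caps(host.get("CapDrop"))
        findings = []
        if host.get("Privileged"):
            findings.append("privileged")
        if "ALL" in add:
            findings.append("cap-add ALL")
        if "ALL" not in drop and not host.get("Privileged"):
            findings.append("default capabilities not dropped")
        if _is_root(user):
            findings.append("runs as root")
        reports.append({"name": c.get("Name", "").lstrip("/"), "user": user or "root",
                        "cap_add": add, "cap_drop": drop, "findings": findings})
    return reports

if __name__ == "__main__":
    for r in audit(SAMPLE_INSPECT):
        print(r["name"], r["user"], r["findings"] or "ok")
```

To run it against a real host, feed `audit()` the parsed JSON from `docker inspect` on the running containers instead of the constructed sample.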
