zlacker

> but a lot of docker containers are misconfigured or unnecessarily privileged, allowing for escape

Honestly, citation needed. Very rare unless you're literally giving the container access to write to /usr/bin or other binaries the host is running, to reconfigure your entire /etc, access to sockets like docker's, or some other insane level of over reach I doubt even the least educated docker user would do.

While of course they should be scoped properly, people act like some elusive 0-day container escape will get used on their minecraft server or personal blog that has otherwise sane mounts, non-admin capabilities, etc. You arent that special.

replies(3): >>fomine+3f >>cyphar+ut >>vultou+W11

>>milady+(OP)
I've seen many articles with `-v /var/run/docker.sock:/var/run/docker.sock` without scary warning

replies(1): >>boomli+MP

>>milady+(OP)
As a maintainer of runc (the runtime Docker uses), if you aren't using user namespaces (which is the case for the vast majority of users) I would consider your setup insecure.

And a shocking number of tutorials recommend bind-mounting docker.sock into the container without any warning (some even tell you to mount it "ro" -- which is even funnier since that does nothing). I have a HN comment from ~8 years ago complaining about this.

>>fomine+3f
What would the intended use case for that be?

replies(1): >>jp1919+lP2

>>milady+(OP)
Half the vendor software I come across asks you to mount devices from the host, add capabilities or run the container in privileged mode because their outsourced lowest bidder developers barely even know what a container is. I doubt even the smallest minority of their customers protest against this because apparently the place I work at is always the first one to have a problem with it.

>>boomli+MP
Diun