2 comments

  • rvz 6 hours ago

    > Given that, what are the concrete reasons people still consider Docker unsafe?

    Docker shares the same kernel as the host and is at risk of allowing container escapes; all it takes is for it to be exploited at the kernel level. [0]

    As long as you run Docker on the host (which doesn't provide kernel isolation), the host will always be at risk of container escapes.

    [0] https://www.sysdig.com/blog/runc-container-escape-vulnerabil...

    • fdeage 6 hours ago

      Thanks, that makes sense in general. Do you know if these vulnerabilities have actually been exploited in the wild?

      (also, on macOS specifically, Docker runs inside a Linux VM, so the shared kernel is the VM's kernel, not the host's. Are there known escapes from containers to Docker Desktop VM to macOS host?)
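A concrete way to see the point both comments are making, as an added example that is not part of the thread: compare the kernel release reported on the machine you are typing on with the one reported from inside a throwaway container. On a native Linux host the two strings are identical, which is exactly the "no kernel isolation" situation rvz describes; on Docker Desktop they differ because the container sits under the VM's kernel, as fdeage notes. The `docker run --rm alpine uname -r` invocation is standard; the substring checks in `classify_kernel` (a `-linuxkit` suffix for Docker Desktop's VM kernel, `microsoft`/`WSL` for WSL2) are assumptions about how those kernels name themselves, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: does this container share my kernel?

# kernel_shared HOST_RELEASE CONTAINER_RELEASE
# Returns 0 when both `uname -r` strings name the same kernel build, i.e. the
# container has no kernel isolation from the host; 1 otherwise.
kernel_shared() {
  [ "$1" = "$2" ]
}

# classify_kernel CONTAINER_RELEASE
# Rough guess at what sits under the container, based only on the release
# string. Assumption: Docker Desktop's VM kernel carries a "-linuxkit" suffix
# and WSL2 kernels carry "microsoft"/"WSL"; anything else is treated as a
# possible host kernel.
classify_kernel() {
  case "$1" in
    *linuxkit*)        echo "docker-desktop-vm" ;;
    *microsoft*|*WSL*) echo "wsl2-vm" ;;
    *)                 echo "unknown-or-host" ;;
  esac
}

# live_check
# Runs a throwaway Alpine container and compares its kernel with this
# machine's. Exit 0: same kernel (a kernel bug reachable from the container is
# a bug in your host kernel). Exit 1: different kernel (a VM is in between).
# Exit 2: docker was not usable, so nothing was checked.
live_check() {
  host="$(uname -r)"
  container="$(docker run --rm alpine uname -r 2>/dev/null)" || {
    echo "docker not available; skipping live check"
    return 2
  }
  echo "host:      $host"
  echo "container: $container ($(classify_kernel "$container"))"
  if kernel_shared "$host" "$container"; then
    echo "same kernel: the container is isolated by namespaces only"
    return 0
  fi
  echo "different kernel: the container runs under a VM kernel, not this one"
  return 1
}

# Only run the live check when this file is executed as kernel_check.sh, so it
# can be sourced (e.g. by a test) without touching docker.
if [ "${0##*/}" = "kernel_check.sh" ]; then
  live_check
fi
```

Save it as `kernel_check.sh` and run it on a Linux box and on a Mac with Docker Desktop: the first prints matching strings and exits 0, the second prints a `-linuxkit` release for the container and exits 1. Note that a differing string only tells you a VM boundary exists; it says nothing about how hard that boundary is to cross, which is the separate question fdeage asks.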