A Docker blog post indicates:
Docker containers are, by default, quite secure; especially if you take care of running your processes inside the containe
You can reboot the host machine by echoing to /proc/sysrq-trigger on docker. Processes running as root in docker can do this.
This seems like quite a good reason not to run processes as root in docker ;)
When you run as root, you can access a broader range of kernel services. For instance, you can:
(It's interesting to note that all those examples are protected by capabilities.)
The key point is that as root, you can exercise more kernel code; if there is a vulnerability in that code, you can trigger it as root, but not as a regular user.
Additionally, if someone finds a way to break out of a container and does so as root, they can do much more damage than as a regular user, obviously.
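The answer's point is that the capability bits a process holds decide how much kernel code it can reach, and "root in a container" is only as dangerous as its effective capability set. The following script, an added example that is not code from the question, the answer or the Docker project, decodes the hex CapEff mask from /proc/self/status into capability names so you can see exactly what a containerised root process may do. The capability names are the kernel's, in bit order; the mask 00000000a80425fb used in the test is Docker's default capability set for a root process. It assumes a POSIX shell and, for the live check, a Linux /proc.

```shell
#!/bin/sh
# Decode a Linux capability bitmask (the CapEff line of /proc/<pid>/status) into
# capability names. Added example; not from the original question, answer or Docker.

# Capability names in kernel bit order: bit 0 = CAP_CHOWN, bit 1 = CAP_DAC_OVERRIDE, ...
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# cap_names_from_hex HEXMASK: print the names of the set bits, lowest bit first.
cap_names_from_hex() {
    mask=$((0x$1))
    bit=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="$out $name"
        fi
        bit=$((bit + 1))
    done
    # Bits newer than this name table are reported by number rather than dropped.
    while [ $bit -lt 63 ]; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="$out cap_$bit"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "${out# }"
}

# cap_count_from_hex HEXMASK: number of capabilities present in the mask.
cap_count_from_hex() {
    set -- $(cap_names_from_hex "$1")
    echo $#
}

# current_cap_mask: the CapEff hex value of the calling shell (Linux only, no external tools).
current_cap_mask() {
    while read -r key val _; do
        if [ "$key" = "CapEff:" ]; then
            echo "$val"
            return 0
        fi
    done < /proc/self/status
    return 1
}

# Live check: run this inside `docker run --rm -it alpine sh` as root and again
# with `--user 1000` to compare what each identity can actually reach in the kernel.
if [ -r /proc/self/status ]; then
    m=$(current_cap_mask) && echo "CapEff $m: $(cap_names_from_hex "$m")"
fi
```

With a stock Docker daemon a root process in a container reports CapEff 00000000a80425fb (14 capabilities, CAP_SYS_ADMIN and CAP_SYS_BOOT among those absent), while the same container started with --user or a Dockerfile USER directive reports CapEff 0000000000000000: the non-root process holds no effective capabilities at all, which is the concrete reason the answer gives for not running as root. Dropping further bits with `docker run --cap-drop=ALL --cap-add=...` shrinks the root mask in the same way, and this decoder lets you confirm the result rather than trust the flags.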