Totally. But the vast majority of containers I use do not get a bind mount to th... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		andbberger on Dec 29, 2017 \| parent \| context \| favorite \| on: Escaping Docker container using waitid() – CVE-201... Totally. But the vast majority of containers I use do not get a bind mount to the Docker socket... for which user namespaces would be a very nice feature.

zenlikethat on Dec 29, 2017 [–]

Yeah, definitely turn it on where possible, just important to realize that it's not a panacea (some people really hyped it up to be before the feature was released and criticized Docker for not having it at all). As always, gotta try and find the right sweet spot between convenience and attack surface.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact