www.youtube.com
WHY 2025 - Containing the Horror — A Critique on Docker & Co
Excerpt
We haven't finished. There is one key part missing to get Docker really working for us. That is our current user needs to be able to access the Docker communication check which is {ts:840} uh a Unix domain socket. It it's meant to never leave the system and that is quite for a reason. Docker by default runs as root. … Think of the dam tools and and x and whatnot. But this is ah I'm on the edge. Point being it's not quite working out. Um what is really infuriating is we do need to to {ts:1686} observe the the process we're running inside our containers. There are three file descriptors predefined that is very very Unix.
Related Pain Points
Docker Compose security audit and third-party file inspection
7Third-party Docker Compose files often contain security issues like unnecessary port exposures that compromise systems. Developers must manually inspect every file, but no tooling provides automated security validation.
Container entrypoint complexity and process termination
7Complex tasks hidden in single entrypoints cause containers to terminate unexpectedly. If the entrypoint process dies, the entire container fails, making debugging difficult and requiring workarounds.
Docker socket access and privilege escalation risks
7Docker runs as root by default and requires Unix domain socket access for communication. This creates privilege escalation risks and security considerations that developers must understand but are not well-documented.
Docker Compose version field incompatibility
6Modifying the Docker Compose version field can silently disable features. Advancing the version makes previously valid compose files invalid, and there's no clear migration path or warning system.