
Docker considered harmful - Quantum

3/18/2025, updated 4/3/2026

Excerpt

This may seem extreme, but fundamentally, this boils down to several things: 1. The Docker daemon’s complete overreach; 2. Docker’s lack of UID isolation by default; 3. Docker’s lack of … it’s quite likely for the container to be running as the user you are logged in as right now! Isn’t that comforting? You can turn on UID namespaces, but the process is super painful and doing so wipes out the entire Docker state, requiring *all* images and containers to be recreated. It can also only have one UID namespace for all containers running under the same Docker daemon, which isn’t what I’d consider sufficient isolation between containers.

Source URL

https://quantum5.ca/2025/03/18/docker-considered-harmful/

Related Pain Points