POST /v1.16/containers/0abe202395e4e61fc35f8f90e3432ad0f2fb3d3816a79c367ff716ecb57965dc/resize?h=24&w=107 HTTP/1.1
Host: /var/run/docker.sock
User-Agent: Docker-Client/1.4.0
Content-Length: 0
Content-Type: plain/text
"In the future, we expect new execution engine plugins to offer more choice and greater granularity for our security-focused users."
all this crap running as root
including the containers
run by unprivileged (not any more) users
„trusted” images
https://titanous.com/posts/docker-insecurity
KISS
user namespaces
completely unprivileged* containers in kernel 3.9+
remaining setuid bits
lxc-user-nic a couple netlink packets
if you need a private net with CAP_NET_ADMIN
!
newuidmap a single write()
newgidmap
if you need multiple uids/gids
https://github.com/gnosek/shoebox
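Added example, not from the slides or from shoebox: what "a single write()" looks like. A process unshares a user namespace, writes its own uid/gid as a one-line map (the only case that needs no setuid helper), ends up as uid 0 inside, and is still refused CAP_SYS_ADMIN actions against the host (sethostname, assumed here as the probe). Return codes and the `format_id_map` helper are this example's own conventions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write one line into a /proc/self/* file; 0 on success, -1 on failure. */
static int write_proc(const char *path, const char *line) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int ok = fputs(line, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* The single "inner outer count" line newuidmap/newgidmap would write. */
int format_id_map(char *buf, size_t size, unsigned inner, unsigned outer, unsigned count) {
    return snprintf(buf, size, "%u %u %u\n", inner, outer, count);
}

/* Returns 0: uid 0 inside the new namespace, still powerless over the host;
           1: the kernel or sandbox refuses unprivileged user namespaces;
          -1: unexpected failure. */
int userns_demo(void) {
    uid_t outer_uid = geteuid();
    gid_t outer_gid = getegid();
    char line[64];
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER) != 0)
            _exit(errno == EPERM || errno == EINVAL || errno == ENOSYS ? 1 : 2);
        format_id_map(line, sizeof line, 0, outer_uid, 1);
        if (write_proc("/proc/self/uid_map", line) != 0) _exit(2);
        /* Since 3.19 an unprivileged mapper must give up setgroups() first. */
        if (write_proc("/proc/self/setgroups", "deny") != 0) _exit(2);
        format_id_map(line, sizeof line, 0, outer_gid, 1);
        if (write_proc("/proc/self/gid_map", line) != 0) _exit(2);
        if (geteuid() != 0) _exit(2);              /* "root", but only in here */
        /* No CAP_SYS_ADMIN over the host's UTS namespace: must be refused. */
        if (sethostname("owned", 5) == 0) _exit(2);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}
```

The uid_map write only ever succeeds for a one-line map of the caller's own id; anything wider is exactly the "multiple uids/gids" case that needs the setuid newuidmap/newgidmap helpers.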
Docker rant