I'm no longer using a separate computer from my employer and containers' security always worried me. Using VMs is very cumbersome in my opinion.
I haven't used Docker in years, do you think it's safe enough now to install in your main computer (Linux host)? It's not like I'm going to test malware inside the containers but there's a lot of 3rd-party dependencies living there.
If you do trust Docker, what precautions would you take? Running without root is viable?
I'm aware of https://github.com/docker/docker-bench-security
Running without root is totally viable, it is in fact encouraged. Take a look at: https://docs.docker.com/engine/security/userns-remap/
I think the concern should be around what environment variables are required to run, what was in the base image, what volumes are mounted between container/host thus persisted through runs and don't mount /var/run/docker.sock! You should assume the container can be breached and make it as hard as possible to break out.
I think most people are ok running docker on their laptop / personal / work machines.
Running as non-root is totally viable, but root still seems to be the norm. You might look into configuring docker daemon to not open ports externally.
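The precautions raised in the replies above (no docker.sock mount, care with host volumes and environment variables, non-root user, no externally opened ports) can be checked against `docker inspect` output. The following is an added example, not code from any commenter or from Docker; the sample record is constructed, and the secret-name pattern is a heuristic assumption. Note that with userns-remap enabled, root inside the container maps to an unprivileged host UID, so that finding is less severe there.

```python
import json
import re

# Constructed sample shaped like one element of `docker inspect <container>` output.
SAMPLE = json.loads("""
[{
  "Name": "/dev-db",
  "Config": {"User": "", "Env": ["POSTGRES_PASSWORD=example", "LANG=C.UTF-8"]},
  "HostConfig": {
    "Privileged": false,
    "PortBindings": {"5432/tcp": [{"HostIp": "", "HostPort": "5432"}]}
  },
  "Mounts": [
    {"Type": "bind", "Source": "/var/run/docker.sock",
     "Destination": "/var/run/docker.sock", "RW": true},
    {"Type": "bind", "Source": "/home/me/project", "Destination": "/src", "RW": true}
  ]
}]
""")

# Heuristic (assumption): variable names that usually hold credentials.
SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|KEY", re.I)

def audit(container):
    """Return a list of findings for one `docker inspect` record."""
    findings = []
    cfg = container.get("Config") or {}
    host = container.get("HostConfig") or {}
    if host.get("Privileged"):
        findings.append("privileged container")
    # Empty User: neither the image nor --user set one, so the process is UID 0.
    if cfg.get("User", "") in ("", "0", "root", "0:0", "root:root"):
        findings.append("process runs as root inside the container")
    for m in container.get("Mounts") or []:
        if m.get("Source", "").endswith("docker.sock"):
            findings.append("docker.sock mounted: container can control the daemon")
        elif m.get("Type") == "bind" and m.get("RW"):
            findings.append(f"writable host bind mount: {m['Source']}")
    for port, binds in (host.get("PortBindings") or {}).items():
        for b in binds or []:
            if b.get("HostIp", "") in ("", "0.0.0.0", "::"):
                findings.append(f"port {port} published on all interfaces")
    for env in cfg.get("Env") or []:
        name = env.split("=", 1)[0]
        if SECRET_NAME.search(name):
            findings.append(f"secret-looking environment variable: {name}")
    return findings

if __name__ == "__main__":
    for c in SAMPLE:
        print(c["Name"], *audit(c), sep="\n  - ")
```

To run it against real containers, replace `SAMPLE` with the parsed JSON output of `docker inspect` for the containers of interest.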
Container isolation based on a kernel that wasn't prepared for this never happened. It's like jails for BSD or cgroup for Linux IMHO. I have found one exploit valuable at $10K, capable of host escaping (RCE) that's still active based on the seller. You may be sceptical but don't forget this one: https://github.com/Frichetten/CVE-2019-5736-PoC?files=1
My Debian VM starts in seconds. Last docker image I had to use was Ubuntu, and it was enormous. For local purposes, I didn't really see the point to using a docker container.
That, and I don't particularly trust overlay filesystems.
You can add extra safety like: https://gvisor.dev/
"A container sandbox runtime focused on security, efficiency, and ease of use."
Running applications in docker is safer than not running in docker. If you want to run multiple applications, you can use lxc (linux containers) instead.