This is why I've been running LXC with AppArmor on this box.

Of course I run my own container images, and of course AppArmor is a pain, but it saved my bacon the one time I had an outside breach on a test container I instantiated from an old, vulnerable rootfs and forgot to shut down late at night.

Still, nothing's uncrackable. Even if this is suitably patched in Docker 1.0, there are sure to be other attack vectors.