- It seems pretty easy to escalate oneself out of the docker container (I saw @joeyh do it, and I think it's been done multiple other times before)
- "verifying signatures" without doing so at all
- a container system which is closer to VMs in heaviness but seems to be mistaken by many for a solution where you want to dockerize a whole OS
... well, it's not a pretty picture. At least the Docker hype is exciting people about the possibility of other container solutions!
I am not interested in Docker/Rocker/etc. for security. I'm interested in people being able to deploy their own "OS" across a cluster while still keeping the hardware interface centrally managed via the outer OS. I fully intend to punch holes through the container for Infiniband, GPU access, etc. Security is managed elsewhere for my area's application.