A lot of focus has been put on the security of Docker lately, with it being the primary focal point of people like Red Hat’s Dan Walsh. File system protections such as read-only mount points (prevents containers from altering important system resources) and copy-on-write file systems (creates a separate file system for each container that is isolated) protect resources on the host and in other containers. Controlling kernel capabilities can prevent containers from making changes to vital core processes. Finally, name-spacing allows containers to be built in sand-boxed environments.
