
Are Docker containers actually sensibly secure as sandboxes? I thought there were still some gaps that needed to be closed in the underlying tech for it to be as safe as virtualization?


It's a lot better than no attempt at sandboxing, but ultimately you're still at the mercy of a late addition to the Linux kernel (cgroups), which isn't exactly the safest codebase to make major changes like this in.

Denial of Service attacks are probably more straightforward than in a virtualized environment; I'm sure you could find a way to starve the kernel for something.

That said, there's currently no trivial "now I'm root on the host box" option or anything.


I've said this elsewhere in the thread, but this is not better than "no sandboxing". "No sandboxing" doesn't run applications as PID 0 in the host kernel.

Please stop repeating this. Docker is not a security tool, apparently by their own decision. It hurts people to have that be part of the common knowledge.


"Docker does not support user namespaces" [1], so root inside a container == root on the host. Getting security right with user namespaces is hard though [2].

And as another commenter pointed out, you can't give a user permission to actually start a docker container without also giving them root access to the host.

[1] https://docs.docker.com/articles/security/
[2] http://lwn.net/Articles/626665/
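A defender's check for the two points made in this comment (no user-namespace remapping, so uid 0 in the container is uid 0 on the host; docker group membership is equivalent to host root). This is an added shell example, not code from the thread or from Docker: the function names are mine, and the uid_map lines and /etc/group fragment are constructed sample input (on a real system the first input is `cat /proc/self/uid_map` run inside the container).

```sh
#!/bin/sh
# classify_uid_map: interpret a /proc/<pid>/uid_map (fields: inside_start
# outside_start length). Prints "identity" when container uid 0 is host uid 0
# (the default Docker setup described above), "remapped" when uid 0 inside lands
# on a non-zero host uid (user namespaces in use), "unmapped" if uid 0 is absent.
classify_uid_map() {
    while read -r inside outside length; do
        [ -z "$inside" ] && continue            # skip blank lines
        if [ "$inside" -eq 0 ] && [ "$length" -gt 0 ]; then
            if [ "$outside" -eq 0 ]; then echo identity; else echo remapped; fi
            return 0
        fi
    done <<EOF
$1
EOF
    echo unmapped
}

# in_docker_group USER GROUP_FILE_CONTENTS: succeed when USER is listed in the
# docker group. Anyone who can talk to the daemon can bind-mount host paths
# into a root container, so this list is effectively a list of host root users.
in_docker_group() {
    user=$1
    while IFS=: read -r name _pass _gid members; do
        [ "$name" = docker ] || continue
        case ",$members," in *",$user,"*) return 0 ;; esac
    done <<EOF
$2
EOF
    return 1
}

# Constructed sample inputs (hypothetical values, not taken from a real host).
IDENTITY_MAP='         0          0 4294967295'   # default container: root is host root
REMAPPED_MAP='         0     100000      65536'   # userns-remap style mapping
GROUP_FILE='root:x:0:
docker:x:999:alice,bob
users:x:100:'

printf 'default container uid_map -> %s\n' "$(classify_uid_map "$IDENTITY_MAP")"
printf 'remapped container uid_map -> %s\n' "$(classify_uid_map "$REMAPPED_MAP")"
for u in alice carol; do
    if in_docker_group "$u" "$GROUP_FILE"; then
        printf '%s can start containers: treat as host root\n' "$u"
    fi
done
```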


For my part what I care most about with Docker is not the ability to run something I don't "trust". That is, I would not trust or expect it to be safe enough to run code I expect to be malicious.

For me it's about creating a setup that is far easier to reproduce in the face of e.g. system upgrades or setting up a new machine, as well as protection against stupid mistakes, and about containing state.



