1) Limit max processes on container; unfortunately docker seems intent on me not doing docker stupid tricks, so this is actually a bit of a pain on some systems… but if you figure out /etc/security/limits.conf, or can use prlimit (or write your own; use RLIMIT_NPROC instead of RLIMIT_NOFILE), you can do "prlimit --pid 666 --nproc=3:3" to limit the processes on the system to a very small number. Say… only what you're running inside of it.
2) Start your container with a single threaded server (running as an unpriv’d user of course!)
3) Compromise #2, say with a buffer overrun, execute shell… and get "bash: fork: retry: Resource temporarily unavailable". Can't fork off any more processes, denied!
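The "write your own" route from step 1, as an added example that is not code from the original post: a small C program caps RLIMIT_NPROC on itself (the same soft:hard shape as prlimit --nproc=3:3) and then tries one fork() to show the EAGAIN the shell would hit in step 3. The cap value 1, the function names and the printed strings are choices made for this example; the limit is inherited across exec(), so the same setrlimit() call placed in a container entrypoint before it exec()s the real server gives the server the cap without patching it.

```c
// Added example (not from the original post): cap RLIMIT_NPROC from inside
// the process, then show that a later fork() is refused with EAGAIN once
// the cap is reached.
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Lower both the soft and hard RLIMIT_NPROC to `cap` (soft:hard = cap:cap,
 * the same shape as prlimit --nproc=3:3). Lowering never needs privilege,
 * and an unprivileged process cannot raise a hard limit again, so a server
 * that does this early is stuck with it for its whole life, exec() included.
 * Returns 0 on success, -1 with errno set otherwise. */
int cap_nproc(rlim_t cap) {
    struct rlimit rl = { .rlim_cur = cap, .rlim_max = cap };
    return setrlimit(RLIMIT_NPROC, &rl);
}

/* Read back the current soft RLIMIT_NPROC, or (rlim_t)-1 on error. */
rlim_t current_nproc_cap(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0)
        return (rlim_t)-1;
    return rl.rlim_cur;
}

/* Try one fork() under the current cap.
 * Returns 1 if the kernel refused it with EAGAIN (the "fork: retry: Resource
 * temporarily unavailable" the post describes), 0 if the fork went through
 * (the child exits at once and is reaped), -1 on any other error.
 * Two caveats a deployer must know: RLIMIT_NPROC counts every process owned
 * by the real UID in its user namespace (the whole host when user namespaces
 * are not in use), not just this process; and a process holding
 * CAP_SYS_RESOURCE or CAP_SYS_ADMIN (root) is exempt from the fork() check,
 * so the cap only bites when the server really runs as an unprivileged user. */
int fork_denied_by_nproc(void) {
    pid_t pid = fork();
    if (pid < 0)
        return errno == EAGAIN ? 1 : -1;
    if (pid == 0)
        _exit(0);
    int status;
    while (waitpid(pid, &status, 0) < 0 && errno == EINTR)
        ;
    return 0;
}

int main(void) {
    /* A cap of 1 means: this process and nothing else for this UID. */
    if (cap_nproc(1) != 0) {
        perror("setrlimit(RLIMIT_NPROC)");
        return 1;
    }
    printf("RLIMIT_NPROC soft cap is now %lu\n",
           (unsigned long)current_nproc_cap());
    switch (fork_denied_by_nproc()) {
    case 1:
        puts("fork() refused with EAGAIN: the cap holds");
        break;
    case 0:
        puts("fork() succeeded: running as root/CAP_SYS_RESOURCE, "
             "or this UID is still under the cap");
        break;
    default:
        perror("fork");
        return 1;
    }
    return 0;
}
```

Run it as the unprivileged user the server will use: with other processes of that UID already alive, the cap of 1 is already exceeded and the fork() is refused. Run as root it succeeds, which is exactly why step 2 insists on an unprivileged user.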
Obviously attackers can do a zillion things other than simply executing another process… but not being able to execute anything on the (hopefully stripped down and hopefully one without bash anyway :)) container that’s listening to the big bad Internet is pretty nifty.
Docker can be a stupendous boon to security, you can do things you simply can’t do without it, not in the real world. Who cares about continuous integration? Docker is for security, dawg.