{"id":10,"date":"2025-11-22T16:16:02","date_gmt":"2025-11-22T16:16:02","guid":{"rendered":"https:\/\/ko4bep.net\/blog\/?p=10"},"modified":"2025-11-22T16:19:35","modified_gmt":"2025-11-22T16:19:35","slug":"why-docker-is-a-pain-in-the-ass","status":"publish","type":"post","link":"https:\/\/ko4bep.net\/blog\/index.php\/2025\/11\/22\/why-docker-is-a-pain-in-the-ass\/","title":{"rendered":"Why Docker Is a Pain-in-the-Ass"},"content":{"rendered":"\n

(And Why You\u2019re Totally Right to Hate It)<\/h2>\n\n\n\n

If you\u2019re dealing with containers and still have a shred of sanity, here\u2019s the brutal truth: Docker is less of a magical \u201csafe sandbox\u201d and more of a convenience-bait with a liability tag<\/strong>. Let\u2019s tear down the hype and get real about what this thing really brings \u2014 so you (and your users) can make an informed decision instead of blindly following the \u201ccontainerize everything\u201d evangelists.<\/p>\n\n\n\n

\n\n\n\n

1. The Broken Promise of \u201cIsolation\u201d<\/h2>\n\n\n\n

Docker likes to sell containers like they\u2019re neat little self-contained sandboxes. Reality? They share the host kernel.
For instance: the \u201cLeaky Vessels\u201d vulnerabilities demonstrate how a container could break out and compromise the host. :contentReference[oaicite:1]{index=1}
One recent critical bug, CVE-2025-9074 (CVSS 9.3), allowed a container on Docker Desktop to access the Engine API and launch new containers\u2014without requiring the Docker socket to be mounted<\/em>. That\u2019s full host compromise by design failure. :contentReference[oaicite:2]{index=2}
If you\u2019re relying on \u201ccontainers = safe\u201d you\u2019re working on sand.<\/p>\n\n\n\n

\n\n\n\n

2. Defaults Built for Convenience, Not Security<\/h2>\n\n\n\n

Running as root inside the container? Host volumes mounted indiscriminately? Docker socket (\/var\/run\/docker.sock<\/code>) handed to untrusted containers? These are not fringe cases\u2014they\u2019re default modes of operation for many users.
When you deploy tools for novice-to-intermediate users, deploying them inside Docker without<\/em> being explicit about this is asking for trouble.
Simply put: if you skip the hardening, you inherited a risk.
See the \u201cAttacker\u2019s Tactics and Techniques in Unsecured Docker Daemons\u201d paper: unsecured daemons = bad times. :contentReference[oaicite:3]{index=3}<\/p>\n\n\n\n

\n\n\n\n

3. The API That Acts Like It\u2019s Open Season<\/h2>\n\n\n\n

One of Docker\u2019s biggest sins: remote Docker API (especially on port 2375) exposed without authentication. Attackers have used this to spin up containers, mount host directories, drop cryptominers.
A new campaign cited by Akamai (Aug\/2025) shows this in action: malicious containers created via exposed API, mounting host filesystem at will. :contentReference[oaicite:5]{index=5}
If your deployment gives users \u201cpull-run-go\u201d with no API audit, you\u2019re handing them an open door with a welcome mat.<\/p>\n\n\n\n

\n\n\n\n

4. The Supply-Chain Sucker-Punch<\/h2>\n\n\n\n

You pull an image from Docker Hub and think \u201ccool, containerized, done.\u201d Wrong.
A study on base-image vulnerabilities found that many images inherit flawed foundations: \u201cWell Begun is Half Done: An Empirical Study of Exploitability & Impact of Base-Image Vulnerabilities\u201d. :contentReference[oaicite:6]{index=6}
Even worse: \u201cgh0stEdit\u201d research shows you can tamper with a signed image without invalidating the signature\u2014undetected malicious layers. :contentReference[oaicite:7]{index=7}
\u201cTrust but verify\u201d should be your mantra. With Docker, you might not even be getting that.<\/p>\n\n\n\n

\n\n\n\n

5. Bloat & Time-Bomb of Maintenance<\/h2>\n\n\n\n

Because many Dockerfiles are written for speed and convenience (just throw everything in), images inflate in size, dependencies pile up, attack surface grows.
If you\u2019re building a security tool, you don\u2019t want a 1 GB monster image filled with unnecessary libs-and-bins. One paper categorised bad base image practices as major exploit enablers. :contentReference[oaicite:8]{index=8}
Also: more tooling = more attack surface (engine, desktop, compose, orchestrator). If you aren\u2019t vigilant, you inherit the overhead.<\/p>\n\n\n\n

\n\n\n\n

6. Vulnerabilities Keep Piling Up<\/h2>\n\n\n\n

Containers are not invulnerable. They carry their own risks.
Docker\u2019s own security advisory shows a string of critical vulnerabilities: e.g., CVE-2025-9074 (Docker Desktop host compromise), CVE-2025-9164 (DLL hijack in installer) \u2026 :contentReference[oaicite:9]{index=9}
And the runtime level: new runC vulnerabilities allow container escape toward host via symlink or race conditions. :contentReference[oaicite:10]{index=10}
When your stack says \u201ccontainers = safe by default\u201d \u2014 misleading is a nice word.<\/p>\n\n\n\n

\n\n\n\n

7. Shared Kernel + Lazy Admins = Disaster Potential<\/h2>\n\n\n\n

The fundamental architectural issue: containers share the host OS kernel. A host-kernel exploit or privileged container \u2192 host takeover.
From French Wikipedia (yay) on Docker security:<\/p>\n\n\n\n

\n

\u201cLes conteneurs Linux n\u2019ont pas \u00e9t\u00e9 con\u00e7us comme un m\u00e9canisme de s\u00e9curit\u00e9 permettant d\u2019isoler les conteneurs non fiables \u2026 un exploit donnant des privil\u00e8ges root complets \u00e0 un conteneur peut permettre \u00e0 un attaquant de percer ce conteneur et de compromettre l\u2019h\u00f4te.\u201d :contentReference[oaicite:11]{index=11}
If your user base isn\u2019t firmly disciplined, you\u2019re basically trusting that \u201ceverything goes right\u201d instead of designing for \u201cwhat happens when someone screws up\u201d.<\/p>\n<\/blockquote>\n\n\n\n

\n\n\n\n

8. Real Incidents: People Got Hurt<\/em><\/h2>\n\n\n\n