Painless Docker - 2nd Edition

A Comprehensive Guide to Mastering Docker and its Ecosystem

Common Security Threats

Container Breakouts and Privilege Escalation

A container is not a separate machine. It's a set of Linux isolation features (namespaces, cgroups, and security controls) around a normal process that still uses the host kernel. If the container is misconfigured (for example, privileged mode, overly broad Linux capabilities, unsafe mounts, or access to sensitive host interfaces), then a process that escapes the container may effectively gain host-level root.

A breakout occurs when a process running in a container manages to interact with the host outside its intended namespace boundaries, or abuses a kernel/runtime vulnerability to execute code or gain privileges on the host, or leverages dangerous configuration (mounts, device access, privileges) to modify host state.

If a breakout succeeds, the impact can range from:

  • reading host files and secrets,
  • controlling other containers on the same host,
  • escalating into cluster-wide compromise (for example via orchestrator credentials),
  • denial of service (host crash or resource exhaustion).

The most common "breakout-like" incidents are not zero-days. They're configuration mistakes, like:

  • Mounting sensitive host paths into containers (especially /, /etc, /proc, /sys, or Docker runtime directories).
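As an added example, not code from the book, here is a small Python audit of `docker inspect` output that flags exactly the misconfigurations this section names: privileged mode, broad added capabilities, shared host namespaces, and bind mounts of sensitive host paths. The field names (`HostConfig.Privileged`, `CapAdd`, `PidMode`, `NetworkMode`, `IpcMode`, `Mounts`) are those Docker prints; the two sample entries are constructed, and the capability and path lists are the author's own choice of what to treat as dangerous.

```python
"""Audit a `docker inspect` entry for breakout-prone settings (hypothetical helper,
not from the book; field names are those `docker inspect <container>` prints)."""
import json
from pathlib import PurePosixPath

# Host paths whose exposure to a container amounts to host access.
SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/sys", "/var/lib/docker",
                        "/var/run/docker.sock", "/run/docker.sock")
# Added capabilities that let a contained process act on the host kernel or host files.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH", "ALL"}

def is_sensitive_host_path(src):
    """True for '/' itself and for any path at or below a sensitive root."""
    p = PurePosixPath(src)
    return src == "/" or any(
        p == PurePosixPath(root) or PurePosixPath(root) in p.parents
        for root in SENSITIVE_HOST_PATHS)

def audit_container(entry):
    """Return (kind, detail) findings for one inspect entry (dict or JSON string)."""
    cfg = json.loads(entry) if isinstance(entry, str) else entry
    host = cfg.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append(("privileged", "all capabilities and host devices available"))
    for cap in host.get("CapAdd") or []:
        cap = cap.upper().removeprefix("CAP_")
        if cap in DANGEROUS_CAPS:
            findings.append(("cap_add", cap))
    for ns in ("PidMode", "NetworkMode", "IpcMode"):  # shared host namespaces
        if host.get(ns) == "host":
            findings.append(("host_namespace", ns))
    for m in cfg.get("Mounts") or []:  # only bind mounts expose host paths directly
        src = m.get("Source", "")
        if m.get("Type") == "bind" and is_sensitive_host_path(src):
            mode = "rw" if m.get("RW", True) else "ro"
            findings.append(("bind_mount", f"{src} -> {m.get('Destination')} ({mode})"))
    return findings

# Constructed sample: roughly what `--privileged --pid=host --cap-add SYS_ADMIN -v /:/host` yields.
RISKY_ENTRY = {"HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"], "PidMode": "host",
                              "NetworkMode": "default", "IpcMode": "private"},
               "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host", "RW": True}]}
# Constructed sample: an ordinary `-v /srv/app/data:/data:ro` container.
SAFE_ENTRY = {"HostConfig": {"Privileged": False, "CapAdd": None, "PidMode": "",
                             "NetworkMode": "bridge", "IpcMode": "private"},
              "Mounts": [{"Type": "bind", "Source": "/srv/app/data", "Destination": "/data", "RW": False}]}
```

In practice you would feed it each element of `docker inspect $(docker ps -q)` and treat any finding as a host-exposure risk to review, not as proof of compromise.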
