<!--Delete sections as needed -->

## Description

Final freshness updates for Security and Subscription pages. Apologies ahead of time, it is a lot of file updates :')

Updates include:

- Major overhaul of ECI content (this could use the most review)
- Fine tuning of the rest of the docs in these sections (includes consistency with headings/formatting, page structure, fixing passive voice, simplifying)
- Deleted all content shortcodes 🥳

_Vale errors can mostly be ignored unless you see something glaringly wrong. I addressed all the typo/spelling ones, and added some terms to accept.txt_

## Related issues or tickets

https://docker.atlassian.net/browse/ENGDOCS-2918

## Reviews

<!-- Notes for reviewers here -->
<!-- List applicable reviews (optionally @tag reviewers) -->

- [ ] Technical review
- [ ] Editorial review
- [ ] Product review

---------

Co-authored-by: Craig Osterhout <103533812+craig-osterhout@users.noreply.github.com>
| title | linkTitle | description | keywords | weight | tags | aliases |
|---|---|---|---|---|---|---|
| Container security FAQs | Container | Frequently asked questions about Docker container security and isolation | container security, docker desktop isolation, enhanced container isolation, file sharing | 20 | | |
How are containers isolated from the host in Docker Desktop?
Docker Desktop runs all containers inside a customized Linux virtual machine (except for native Windows containers). This adds strong isolation between containers and the host machine, even when containers run as root.
Important considerations include:
- Containers have access to host files configured for file sharing via Docker Desktop settings
- Containers run as root with limited capabilities inside the Docker Desktop VM by default
- Privileged containers (`--privileged`, `--pid=host`, `--cap-add`) run with elevated privileges inside the VM, giving them access to VM internals and Docker Engine
With Enhanced Container Isolation turned on, each container runs in a dedicated Linux user namespace inside the Docker Desktop VM. Even privileged containers only have privileges within their container boundary, not the VM. ECI uses advanced techniques to prevent containers from breaching the Docker Desktop VM and Docker Engine.
Which portions of the host filesystem can containers access?
Containers can only access host files that are:
- Shared using Docker Desktop settings
- Explicitly bind-mounted into the container (e.g., `docker run -v /path/to/host/file:/mnt`)
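
To review which containers use the elevated options and host bind mounts described above, the following added example (not part of the Docker documentation) parses `docker inspect` JSON and reports them per container. The function name `audit_containers` and the sample data are assumptions made for illustration; the sample is constructed, not captured from a real system.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not real data).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "PidMode": "", "CapAdd": None},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/data/_data",
                 "Destination": "/data", "RW": True}]},
    {"Name": "/debug",
     "HostConfig": {"Privileged": True, "PidMode": "host", "CapAdd": ["SYS_ADMIN"]},
     "Mounts": [{"Type": "bind", "Source": "/Users/dev/project",
                 "Destination": "/mnt", "RW": True}]},
])


def audit_containers(inspect_json):
    """Map container name -> findings for elevated options and host bind mounts.

    Hypothetical helper: takes the JSON text printed by `docker inspect`.
    Containers with nothing to report are left out of the result.
    """
    report = {}
    for container in json.loads(inspect_json):
        host_cfg = container.get("HostConfig") or {}
        findings = []
        if host_cfg.get("Privileged"):
            findings.append("--privileged")
        if host_cfg.get("PidMode") == "host":
            findings.append("--pid=host")
        # CapAdd is null in the JSON when no capability was added.
        for cap in host_cfg.get("CapAdd") or []:
            findings.append(f"--cap-add={cap}")
        # Only bind mounts expose host paths; named volumes are skipped.
        for mount in container.get("Mounts") or []:
            if mount.get("Type") == "bind":
                mode = "rw" if mount.get("RW") else "ro"
                findings.append(
                    f"bind:{mount.get('Source')}->{mount.get('Destination')}:{mode}")
        if findings:
            report[container.get("Name", "?").lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_containers(SAMPLE_INSPECT).items():
        print(name, findings)
```
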
Can containers running as root access admin-owned files on the host?
No. Host file sharing uses a user-space file server (running in com.docker.backend as the Docker Desktop user), so containers can only access files that the Docker Desktop user already has permission to access.