CVE-2019-5736: runc container breakout
Posted Feb 13, 2019 22:12 UTC (Wed) by geuder (subscriber, #62854)
In reply to: CVE-2019-5736: runc container breakout by brauner
Parent article: CVE-2019-5736: runc container breakout
Which I would guess is > 99% of all docker installations.
If I understood it correctly you need to enable user namespaces in your docker installation before creating the first container.
After you have done that, containers will be created as unprivileged by default. But by using an option you can still create privileged and "super-privileged" containers.
I fear that having to start with a fresh installation is a quite high hurdle for many existing installations. And because it is not the default, 99% of the new installations will enter the same dead end.
How many of the existing docker images would work in an unprivileged container? I have no experience with that. But I have used unprivileged containers under lxc before, and it required nearly endless fiddling to get any sharing with the host working as desired without opening all gates. So I would not have high hopes that existing docker images would just run, unless they really don't share anything that makes uids visible.
I agree unprivileged containers should be used in many cases. But I predict it will not happen any time soon, because of the complications and extra work involved.
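The comment above turns on two checks a defender would want to automate: is user-namespace remapping configured in the Docker daemon, and is a given container's root actually a remapped uid on the host. The following is an added example, not code from the comment, from LWN or from the Docker project. It assumes Docker's documented daemon.json key "userns-remap" and the kernel's /proc/<pid>/uid_map format ("<inside> <outside> <count>" per line); the daemon.json and uid_map samples are constructed for illustration.

```python
"""Check whether Docker user-namespace remapping is configured, and whether a
process (for example a container's init process) really runs with remapped root.

Added example: not code from the LWN comment or the Docker project. Assumes the
documented daemon.json key "userns-remap" and the /proc/<pid>/uid_map format.
All sample inputs below are constructed.
"""
import json
from typing import List, Optional, Tuple

# Constructed daemon.json with remapping enabled (Docker's documented key).
DAEMON_JSON_REMAPPED = '{"userns-remap": "default"}'
# Constructed daemon.json of a typical installation that never enabled it.
DAEMON_JSON_DEFAULT = '{"log-driver": "json-file"}'

# Constructed /proc/<pid>/uid_map contents.
# Host namespace: uid 0 inside is uid 0 outside over the full range.
UID_MAP_HOST = "         0          0 4294967295\n"
# Remapped container: uid 0 inside is host uid 100000 (a subordinate range).
UID_MAP_REMAPPED = "         0     100000      65536\n"


def userns_remap_enabled(daemon_json_text: str) -> bool:
    """Return True if daemon.json sets a non-empty "userns-remap" value."""
    cfg = json.loads(daemon_json_text)
    value = cfg.get("userns-remap", "")
    return isinstance(value, str) and value != ""


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map lines into (inside_start, outside_start, count) triples."""
    entries: List[Tuple[int, int, int]] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue  # tolerate blank lines
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        entries.append((inside, outside, count))
    return entries


def inside_to_host_uid(uid_map: List[Tuple[int, int, int]], inside_uid: int) -> Optional[int]:
    """Translate a uid seen inside the namespace to the host uid (None if unmapped)."""
    for inside_start, outside_start, count in uid_map:
        if inside_start <= inside_uid < inside_start + count:
            return outside_start + (inside_uid - inside_start)
    return None


def root_is_remapped(uid_map_text: str) -> bool:
    """True if uid 0 inside the namespace is not uid 0 on the host.

    A uid 0 that no entry covers also counts as remapped: that process has no
    host-root identity at all.
    """
    host_uid = inside_to_host_uid(parse_uid_map(uid_map_text), 0)
    return host_uid != 0


if __name__ == "__main__":
    for label, cfg in (("remapped", DAEMON_JSON_REMAPPED), ("default", DAEMON_JSON_DEFAULT)):
        print(f"daemon.json ({label}): userns-remap enabled = {userns_remap_enabled(cfg)}")
    for label, uid_map in (("host", UID_MAP_HOST), ("remapped", UID_MAP_REMAPPED)):
        print(f"uid_map ({label}): container root is remapped = {root_is_remapped(uid_map)}")
```

On a real host, feed `root_is_remapped` the contents of `/proc/<pid>/uid_map` for the container's init process (the pid from `docker inspect -f '{{.State.Pid}}' <container>`). That per-container check matters because, as the comment notes, remapping being on in the daemon does not guarantee every container uses it: a container started with `--userns=host` shows the host-style map even on a remapped daemon, and the daemon-level check alone would miss it.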
