Description of problem:
Docker gives access to host /sys. This is expected, as some apps require /sys, and one would expect it's protected (in --privileged=False). Well, is it?

After the first round directly on HW (resulting in crashed X and loss of all work) I switched to a qemu VM.

My first game was echo disk > /sys/power/state. It fails with:

    sh: write error: Operation not permitted

Then I tried the same in a while loop:

    ...
    PM: Cannot find swap device, try swapon -a
    PM: Cannot get swap writer
    PM: Cannot find swap device, try swapon -a
    PM: Cannot get swap writer
    PM: Cannot find swap device, try swapon -a
    PM: Cannot get swap writer
    ...

Which significantly slowed the VM response. When I tried the same and connected using ssh, it was almost unusable and after a couple of seconds hung the whole VM (ctrl+alt+delete not working).

Version-Release number of selected component (if applicable):
qemu machine running F19:
docker-io-0.9.1-1.fc19.x86_64
kernel-3.12.8-200

How reproducible:
Always

Steps to Reproduce:
1. Just play with /sys

Actual results:
Most stuff works even in non-privileged mode

Expected results:
Docker should prevent hazardous interaction with the machine (suspend, cpu settings, ...)

Additional info:
The docker-io-0.10 behaves even weirder, I'll file a separate bugzilla for it.

/sys is mounted read/only in docker-io-0.11.1-1.fc19
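
One way to confirm the read-only /sys mount from inside a container, added here as an example and not part of the original report or the comment above. The function names `sysfs_state` and `write_samples` are hypothetical, and the sample mount tables are constructed rather than captured from a real host.

```shell
#!/bin/sh
# Report how sysfs is mounted on /sys, reading a table in /proc/mounts format:
#   device mountpoint fstype options dump pass

# sysfs_state [FILE] -> prints "ro", "rw" or "absent" (FILE defaults to /proc/mounts)
sysfs_state() {
    mounts_file="${1:-/proc/mounts}"
    state="absent"
    # A later mount on the same mount point shadows an earlier one,
    # so keep scanning and let the last matching entry decide.
    while read -r _dev mnt fstype opts _rest; do
        [ "$mnt" = "/sys" ] || continue
        [ "$fstype" = "sysfs" ] || continue
        # Match "ro" as a whole option, so that options such as
        # errors=remount-ro are not mistaken for a read-only mount.
        case ",$opts," in
            *,ro,*) state="ro" ;;
            *)      state="rw" ;;
        esac
    done < "$mounts_file"
    printf '%s\n' "$state"
}

# write_samples DIR -> writes constructed mount tables for offline checks
write_samples() {
    dir="$1"
    cat > "$dir/rw.mounts" <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
EOF
    cat > "$dir/ro.mounts" <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
EOF
    cat > "$dir/stacked.mounts" <<'EOF'
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
EOF
    cat > "$dir/none.mounts" <<'EOF'
/dev/vda1 / ext4 rw,relatime,errors=remount-ro 0 0
EOF
}

# Pass --live to inspect the mount table of the current mount namespace.
if [ "${1:-}" = "--live" ]; then
    sysfs_state /proc/mounts
fi
```

Run with `--live` inside the container being checked; a result of `rw` means sysfs is not mounted read-only in that container.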