Hacker News

Docker is great, but there is one security issue that it should solve. Right now, any user can manipulate any Docker container. If you create a container as root, then www-data can kill that container. The reason for this is that container orchestration is done through the Docker daemon, which listens on a TCP socket. Anybody on the local host can access that socket. They should, at the very least, implement password protection.

Today I also found out that it's not possible to run Docker inside Docker. :( I'm working on a Docker-based continuous integration system similar to Travis, and it would be great if I could distribute the CI system as a Docker container.



You can actually configure Docker to use a Unix socket instead of TCP[1]. It seems it still opens it up to every user (it runs a chmod 777 on it), but you can always enforce stricter controls (e.g. with SELinux).

[1] https://github.com/dotcloud/docker/pull/938
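An added check, not code from this thread or from the Docker project, that audits the permission bits on a daemon Unix socket the way the comment above describes: connecting to a Unix socket needs write permission on its inode, so a world-write bit is what hands the daemon to every local user. The default path is an assumption, and the demo builds throwaway sockets in a temp directory rather than touching a real daemon.

```python
import grp
import os
import pwd
import socket
import stat
import tempfile

# Conventional daemon socket path; an assumption, not taken from the thread.
DEFAULT_SOCKET = "/var/run/docker.sock"


def audit_socket(path: str = DEFAULT_SOCKET) -> dict:
    """Describe who can connect to the Unix socket at `path`."""
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a Unix socket")
    perms = stat.S_IMODE(st.st_mode)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return {
        "path": path,
        "mode": oct(perms),
        "owner": owner,
        "group": group,
        "world_writable": bool(perms & stat.S_IWOTH),
        "group_writable": bool(perms & stat.S_IWGRP),
        # Owner plus one dedicated group may connect; "other" must not.
        "ok": not (perms & stat.S_IWOTH),
    }


def demo() -> tuple:
    """Constructed sockets: one left 777 as the comment describes, one 660."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("open.sock", 0o777), ("tight.sock", 0o660)):
            p = os.path.join(d, name)
            s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            s.bind(p)
            os.chmod(p, mode)
            results.append(audit_socket(p))
            s.close()
    return tuple(results)


if __name__ == "__main__":
    for r in demo():
        print(r)
```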


I came across this wiki page last night. It doesn't support this out of the box, but it looks like there is a way to run docker inside of a docker container. It seems to take a good bit of customization though.

https://github.com/dotcloud/docker/wiki/Docker-in-Docker


Docker will be changing to just listen on a unix domain socket by default.



