Seccomp and user namespaces are in the Docker experimental build (https://docker.com/experimental) and should land in 1.10.
Docker 1.9 supports all other namespaces, cgroups, pivot_root, cap drop, selinux, apparmor, uid/gid drop.
You can also sign and verify all images with a built-in Notary/TUF implementation, and we partnered with Yubico to support hardware signing out of the box. I'm hoping we can make image signing the default in the near future, and make it mandatory within the year.
At this point I'm comfortable saying Docker's security story is strong (although not perfect, of course). But if you have specific suggestions for improvements, we are interested!
EDIT: I got it wrong; userns is still experimental and will land in 1.10.