Important Notes

DockEnv is a tool for developers and hackers who want to either try out untrusted code, or don’t have the time or resources to create a full environment.

But it is not a replacement for a proper production environment, and should not be treated as such.

Environments are ephemeral

Each time you run dockenv run you are getting a brand new environment. This means state does not carry over from one run to the next.

If you wish to preserve state, either pass --writable-mount --mount /a/folder and write your state to that folder, or create your own Docker containers and go from there, since at that point DockEnv is no longer the right tool for your use-case.

Malicious code can see what you pass into it

If you install a malicious package, it will be able to see any files you put into it using --mount, or anything else you type or pass into it.

However, the malicious code will not be able to see anything outside the environment, and it will only run for the lifetime of dockenv run.
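Because anything under a --mount folder is readable by whatever runs inside the environment, it is worth checking that folder for stray credentials before you hand it over. The helper below is an added example, not part of DockEnv: it lists files whose names commonly hold secrets (the pattern list is a constructed, non-exhaustive one) and returns non-zero if it finds any, so you can narrow the mount or move the files first.

```shell
#!/bin/sh
# Added example, not DockEnv's own code. Assumes POSIX sh and find(1).
# Lists files under a folder that commonly contain credentials, so the
# folder can be reviewed before being passed to an untrusted environment.

# check_mount_for_secrets DIR
#   prints matching paths; returns 0 if none found, 1 if some were found,
#   2 if DIR is not a directory.
check_mount_for_secrets() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # Constructed list of filenames that usually carry secrets; extend to taste.
    found=$(find "$dir" -type f \( \
        -name '.env' -o -name '.env.*' \
        -o -name 'id_rsa' -o -name 'id_ed25519' -o -name 'id_ecdsa' \
        -o -name '*.pem' -o -name '*.key' \
        -o -name '.npmrc' -o -name '.pypirc' -o -name '.netrc' \
        -o -name 'credentials' \) 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Usage (the dockenv invocation beyond --mount is assumed, see the notes above):
#   check_mount_for_secrets ~/project && dockenv run --mount ~/project
```

Run it against the folder first; a non-zero exit means something in there would be visible to the code you are about to execute.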

Containers aren’t completely infallible

Unlike virtual machines, Docker containers share parts of your host's operating system in order to do some low-level things. But there is a strong separation between the container and the host that will prevent the majority of malicious code from breaching that gap and reading or altering data on your host machine.

However, a particularly nasty and persistent actor could still find a way to break out of the container. Care has been taken to mitigate most factors that can lead to an escape, but the possibility remains.