Docker multi tenant security

Why doesn’t Docker support multi-tenancy?
If a nonprivileged user in the docker group can use a container, why does he become root within the container? Can privileges be inherited ?

A nonprivileged user who can run docker run can trivially get root on the host.

docker run --rm -v /:/host busybox cat /host/etc/shadow
docker run --rm -v /:/host busybox sh -c 'echo myname ALL=(ALL:ALL) NOPASSWD | tee -a /host/etc/sudoers'
sudo ...

If you can docker run, you can specify your uid within the container, even if it normally runs as some other user

docker run --rm -it -u 0 --entrypoint /bin/bash any_image

Docker really isn’t suitable for use on a system where there are multiple users with shell access, unless you already give every user unrestricted sudo access.

What about where users dont normally have shell access? Is running web servers in a container a security risk?

It is probably more secure than running Web servers outside a container. Most of the Docker-specific risks are really around being able to run the Docker command or access the Docker socket. Correspondingly, you give all of that up if you give the container access to the host’s Docker (either by running Docker listening on a TCP port anywhere or by bind-mounting the Unix socket into the container).

One very specific statement here is that it’s common (though discouraged) for container processes to run as root, but Docker’s default setup disables most things containers could do to affect the host or other containers. A compromised, containerized, root daemon couldn’t reboot the host, steal the host’s password file, install a packet logger, etc. (unless the container had specifically been given those privileges otherwise).