Docker security best practice

There is one thing I am not certain how Docker is supposed to solve. As I understand it, Docker is supposed to provide isolation between the containers and the OS, so it will not allow the user to access files that are not within the containers. But how do I prevent Docker from mounting those files?

In most of my old deployments, I have isolation at the level of user permissions, so I can simply use chmod/chown to stop the general user from accessing certain files. But as Docker has to be run as root, if I allow a user to use Docker then they will have full access to the whole system's files. How does Docker aim to prevent that, and what are the best practices in terms of security to deal with it?

Docker containers don’t have to be run as root. You can specify another user id at runtime with the -u option to the docker run or docker create command. Additionally, there is a USER directive in the Dockerfile.

Additionally, the 1.10 rc1 that is out now has support for user namespacing. This will make it so that uid 0 inside the container isn’t going to be uid 0 on the host. There’s a blog post here about it: https://integratedcode.us/2015/10/13/user-namespaces-have-arrived-in-docker/
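A concrete form of the answer's first suggestion (the USER directive), as an added example that is not part of the original thread or of Docker's own documentation. The base image, the user and group name, the uid, and the application path are assumptions made for the example.

```dockerfile
# Added example, not from the original thread. Base image, user/group name,
# uid and application path are assumptions.
FROM debian:bookworm-slim

# Create an unprivileged user with a fixed uid. Pinning the uid makes
# ownership of files on bind mounts predictable on the host side.
RUN groupadd --gid 10001 app \
 && useradd --uid 10001 --gid app --no-create-home --shell /usr/sbin/nologin app

WORKDIR /srv/app

# Copy the application in while still root, then hand ownership to the
# unprivileged user. Nothing else in the image needs to be writable by it.
COPY . /srv/app
RUN chown -R app:app /srv/app

# Drop privileges: every later instruction and the container's main
# process run as uid 10001, not uid 0.
USER app

CMD ["./run.sh"]
```

The same effect can be forced at runtime without rebuilding, e.g. "docker run -u 10001:10001 <image>", which overrides whatever USER the image set. Note that "-u 0" overrides it back to root just as easily, so USER and -u limit what the process inside the container does, not what a person allowed to invoke docker can do; anyone in the docker group can still bind-mount host paths into a container, which is why access to the Docker daemon itself should be restricted. The user namespace support the answer mentions is a daemon-level setting (dockerd --userns-remap=default) that maps uid 0 inside the container to an unprivileged subordinate uid range taken from /etc/subuid on the host, so even a container process that does run as root has no root privileges over host files.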