You can use authorization plugins to control what commands are allowed.
However generally you don't give people access to run any docker command in production, you have some system that lets them deploy containers with predetermined settings, which don't include being able to set --privileged or add capabilities or change security policies.
In production, you usually don't want to have users running around and spawning containers anyway. You will likely have an orchestrator like Kubernetes or Mesos or Swarm, who will be running as root and spawning containers for you.
Of course, that just replaces the question of "how is access to the docker daemon secured?" with "how is access to the orchestrator API secured?".
How about something that isn't spawned by an orchestrator - for instance the marathon load-balancer - they provide only a docker image which clearly is meant to be run using `docker run`
You are right that docker currently runs as root. There is some phenomenal work that Aleksa Sarai is doing on getting runc to work as an unprivileged user [1] that Docker should be able to take advantage of at some point. There are still a lot of places which need love without root in the Docker world, but it's a huge step forward.
I would of though that if you want to restrict developer from doing that you would add commands to the sudoes file? isn't that the whole point of sudo?
Correct me if I'm wrong, I'm interested to know? I'm currently looking into docker and the advantages it brings to deployment instead of using a VM.
From my experience, whoever is running docker seems to be able to run root commands on the host [1].
So any best practices for running docker ?
[1] http://reventlov.com/advisories/using-the-docker-command-to-...