Docker is using Alpine Linux which normally uses grsecurity.



Docker just resolved a critical compatibility issue it had with most reasonably useful configurations of grsec... see https://github.com/docker/docker/issues/20303 which I opened, and https://github.com/docker/docker/pull/22506 which solved it.


I'm not sure why they went with pivot_root -- there's already code to deal with handling symlinks and all of their paths properly within Docker containers from the host (which I helped write and merged something like 2 years ago). I would've thought the obvious way of doing it would be to modify pkg/archive ...


Docker doesn't boot a kernel. It uses host kernel features. People who use alpine as a base for Docker images are just using the root filesystem from an alpine install.


That doesn't give you any improvement in the container by default. Only the host's kernel matters in case of grsec.
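As an added example that is not part of the thread: a small POSIX shell check of the point made above, that the base image cannot change the kernel and only the host kernel's grsecurity build matters. The live function assumes the docker CLI and an image such as alpine are available; the "grsec" release-string marker and the /proc/sys/kernel/grsecurity sysctl directory are heuristics, not proof either way.

```shell
#!/bin/sh
# Added example (not from the thread): show that a container reports the host
# kernel, and whether that kernel carries grsecurity markers.

# Return 0 if a kernel release string carries a grsecurity marker.
# Assumption: grsec builds often put "grsec" in the release string
# (e.g. Alpine's "-grsec" flavour); a missing marker proves nothing.
kernel_string_is_grsec() {
  case "$1" in
    *grsec*) return 0 ;;
    *) return 1 ;;
  esac
}

# Compare the kernel release seen on the host and inside a container.
# Prints "shared" when identical (containers use the host kernel) and
# "different" when not (Docker running in a VM, e.g. xhyve on OS X).
classify_kernel_pair() {
  if [ "$1" = "$2" ]; then
    echo shared
  else
    echo different
  fi
}

# Live check: uname -r on the host and inside an image (default alpine).
check_image_kernel() {
  image="${1:-alpine}"
  host_release="$(uname -r)"
  container_release="$(docker run --rm "$image" uname -r)"
  relation="$(classify_kernel_pair "$host_release" "$container_release")"
  echo "host=$host_release container=$container_release ($relation)"
  if kernel_string_is_grsec "$host_release" || [ -d /proc/sys/kernel/grsecurity ]; then
    echo "grsecurity markers present on the host kernel"
  else
    echo "no grsecurity markers on the host kernel; the base image cannot add them"
  fi
}
```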


Does Docker boot a kernel?


Docker is just a beefed up wrapper around groups of processes on Linux.


I know, but I've heard that it can run Linux on OS X, so I was wondering if it now boots kernels as well. Basically, Docker is ezjail with financial backing and PR.


On OS X it's using a port of FreeBSD's virtualization, bhyve, aka xhyve, to boot a Docker Linux.



