Comment Re:I feel like Rip van Winkle (Score 2) 48
I'll extend your answer with the "big picture" view: Docker (and its Google-backed competitor, Rocket) provide isolation that's stronger than the traditional process model but weaker (and less resource-intensive) than the VM model.
It also introduces yet another packaging system (called "images") that has its own public repository of contributions that you (and any other malware author) can contribute to. For developers, the appeal is being able to bundle up an OS (sans kernel, operationally speaking) with their app and all of its dependencies into one file they push back up to this public repository (or a private one like Quay.io) without having to document an installation procedure for sys-admins. For sys-admins, the pipe dream is to push workloads around to whatever machines have the capacity without delving into the mess of individual apps. Of course, this requires a whole extra layer of additional tooling that doesn't come for free.
All that said... don't use it for security. It's not the same as a dedicated VM.