It was my biggest concern. Shortly after it was discovered, it was concluded that it wouldn't hit us. But we got short notice; in the case that it could be precisely calculated where it would land, and that was over/near a big city (even with the low odds of it), there would be no way to stop it, and for some sizes of cities one week's notice wouldn't be enough (or the evacuation would do enough damage by itself).
We should hope that bigger/more damaging rocks are more visible and that we become aware of them with more anticipation, but on the other hand, we are now using the money that we could invest in detecting or even avoiding that kind of end-of-the-world scenario on saving banks from their own risk taking or on creating new wars.
LXC has existed for some years now, and the same goes for containers and similar technologies on other platforms. What Docker added over LXC is the use of a union filesystem for reusing/improving containers, a simple way to share them, and a simple but powerful command line utility and API to manage them.
There is nothing so special about sulphur, charcoal and saltpeter, but do the right mix with them and you get something explosive (and used in revolutions, too).
You forgot to name OpenVZ too, which is older than Solaris Zones. And Docker is originally based on LXC, which has several years behind it. But it is more than just containers: the layered copy-on-write union filesystem has a lot of practical advantages, the git-like repository for images redefines app packaging, and the simple API is flexible enough to have spawned a lot of projects that improved the ecosystem a lot in the last year.
The idea of containers is that full virtualization requires too many resources. Put your apps in their own filesystem/network/users/processes/memory/etc. in an efficient way (adding a COW/union FS to the mix is one of the big advantages of Docker) and you are running at basically native speed, using very little extra disk (i.e. 2 VMs running Ubuntu have a full copy of Ubuntu each; even deduplication doesn't match the saving you get with different containers sharing the same base) and memory (just one kernel loaded; the memory you use is just the app's). You can simply get far more density of "virtualized" applications on real or virtualized hardware than using VMs.
But as they run under the same kernel, you can run only Linux apps with it (with VMs you can run Windows or *BSD), and they have a bigger exposure area in the kernel than VMs. Adding these new security features should lower the risk of exploiting containers to get access to the main machine. The other alternative is to run multiple containers in VMs to lower exposure while maximizing application density, a bit of what Google does. And the fact that you can run containers in VMs means that you can run them on AWS, Google App Engine and other cloud services that give you essentially VMs instead of bare metal.
Another option is to move VMs into the container advantages zone, like creating microVMs to run single applications (like in OpenMirage).
You can download the Docker source code, compile it yourself, have your own image repository, and even copy just the Dockerfiles to put big/complex installations under your supervision/control, rebuilding/tuning them yourself.
What Docker does is provide a "walled garden" for applications from other people/companies running on your own servers/desktops, limiting what they can do with your system and data, like a lightweight VM. The focus of this article is how to improve the security of that "walled garden" even more.
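How tight that "walled garden" actually is depends on the settings each container was started with, and those are visible in the `HostConfig` section of `docker inspect` output (`Privileged`, `CapAdd`/`CapDrop`, `PidMode`, `NetworkMode`, `ReadonlyRootfs`, `SecurityOpt`, `Binds`). The script below is an added example, not code from these comments or from the Docker project: it reads that JSON and flags the settings that widen a container's reach into the shared kernel and the host. The two container records embedded in it are constructed for the example, and the list of sensitive host paths is an assumption chosen for illustration.

```python
"""Audit container isolation settings from `docker inspect` JSON.

Added example (not Docker's own code). It parses the array that
`docker inspect <container>...` prints and flags HostConfig settings that
widen what a container can reach on the shared kernel and the host.
"""
import json

# Assumed list of host paths that hand the container the host itself when
# bind-mounted (the Docker socket is equivalent to root on the host).
SENSITIVE_HOST_PATHS = ("/", "/var/run/docker.sock", "/proc", "/sys", "/dev", "/etc")

# Constructed `docker inspect`-style output: one hardened and one risky container.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaa111", "Name": "/web-hardened",
        "HostConfig": {
            "Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
            "PidMode": "", "NetworkMode": "bridge", "ReadonlyRootfs": True,
            "SecurityOpt": ["no-new-privileges"],
            "Binds": ["/srv/web/static:/usr/share/nginx/html:ro"],
        },
    },
    {
        "Id": "bbb222", "Name": "/agent-risky",
        "HostConfig": {
            "Privileged": True, "CapAdd": ["SYS_ADMIN", "NET_ADMIN"], "CapDrop": None,
            "PidMode": "host", "NetworkMode": "host", "ReadonlyRootfs": False,
            "SecurityOpt": None,
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/:/host:ro"],
        },
    },
])


def _is_sensitive(host_path):
    """True if host_path is one of the sensitive roots or lies beneath one."""
    for root in SENSITIVE_HOST_PATHS:
        if host_path == root or (root != "/" and host_path.startswith(root + "/")):
            return True
    return False


def audit_container(record):
    """Return a list of findings (strings) for one `docker inspect` record."""
    hc = record.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities and all host devices")
    for cap in hc.get("CapAdd") or []:
        findings.append("added capability %s" % cap)
    if "ALL" not in (hc.get("CapDrop") or []):
        findings.append("default capability set kept (no --cap-drop=ALL)")
    if hc.get("PidMode") == "host":
        findings.append("shares host PID namespace")
    if hc.get("NetworkMode") == "host":
        findings.append("shares host network namespace")
    if not hc.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    # `--security-opt no-new-privileges` may be recorded with or without ":true".
    if not any(opt.startswith("no-new-privileges") for opt in hc.get("SecurityOpt") or []):
        findings.append("setuid/setgid escalation allowed (no no-new-privileges)")
    for bind in hc.get("Binds") or []:
        host_path = bind.split(":")[0]
        if _is_sensitive(host_path):
            findings.append("sensitive host path mounted: %s" % host_path)
    return findings


def audit_inspect_output(inspect_json):
    """Map container name -> findings for every record in `docker inspect` JSON."""
    return {rec["Name"].lstrip("/"): audit_container(rec)
            for rec in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

On a real host, pipe `docker inspect $(docker ps -q)` into `audit_inspect_output`; a clean result means the container kept Docker's defaults or tighter (capabilities dropped, its own PID and network namespaces, read-only root, no privilege escalation via setuid binaries, no host-controlling bind mounts).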
What If, not exactly the classic xkcd comics, but worthy of a book even if he doesn't expand the articles even more over what was posted on that site.
Subsurface ocean warming explains why global average air temperatures have flatlined since 1999, despite greenhouse gases trapping more solar heat at the Earth’s surface. “Every week there’s a new explanation of the hiatus,” said corresponding author Ka-Kit Tung, a UW professor of applied mathematics and adjunct faculty member in atmospheric sciences. “Many of the earlier papers had necessarily focused on symptoms at the surface of the Earth, where we see many different and related phenomena. We looked at observations in the ocean to try to find the underlying cause.”
What they found is that a slow-moving current in the Atlantic, which carries heat between the two poles, sped up earlier this century to draw heat down almost a mile (1,500 meters). Most previous studies focused on shorter-term variability or particles that could block incoming sunlight, but they could not explain the massive amount of heat missing for more than a decade."
The point of Docker and containers in general is that they are running at basically native performance. There is no VM, no virtualized OS; you run under the main OS kernel, but it doesn't let you see the main OS filesystem, network, processes and so on, and doesn't let you do operations risky for the stability of the main system. There is some overhead in filesystem access (in the case of Docker, you may be running on AUFS, device mapper, or others that will have different kinds of impact on several operations), but it is still a far cry from VMs using a filesystem in a file on the main system with their own filesystem driver.
When the only tool you have is a hammer, everything looks like a nail. Now the police's only tools are military-grade weapons, intended to kill.
And sometimes the situation changes how people are, like in the Stanford prison experiment.
Add to that how police cover up miscarriages and that you can't film the police; it is not just who watches the watchers, but who watches the watchers that have military-grade weapons in the streets and are abusing them.