by Diederich 3413 days ago
> solution architects from Amazon and he wasn't sure if Docker is ready for PII data.

I'm curious if you can relate what his reasoning was?

Docker is, among other things, a wrapper around a bunch of Linux kernel functions, the likes of which have been used for many, many years by companies like Google to facilitate all kinds of useful isolation.


I think it's pretty well agreed that multi-tenant Docker isn't a good security solution.

Use it for operational isolation, not for critical security isolation.

That's what I've heard as well, and I agree with that assessment, given that the requirement is to separate untrusted code execution.

At the same time, going back to the initial quote:

> solution architects from Amazon and he wasn't sure if Docker is ready for PII data

A lot of companies are using containers to execute code that manages all kinds of regulated data right now, ya?

The security limitations of Linux namespaces and friends are mostly related to the execution of untrusted code.