by MyDogHasFleas
4308 days ago
Pavlicek's article takes the form of "Docker is a lightweight VM. It is not as secure as hypervisor-based VMs. Hypervisor ecosystems can and are getting more lightweight, and so maybe they'll win the battle." Framing the discussion this way is of course a false dichotomy, as jpgvm ably points out. However, I would not start out by pointing out the technical issues with the article. I would start by viewing this article as technical competitive marketing material, rather than as an attempt to have a serious technical discussion about VMs and containers. Russell Pavlicek is the lead Xen technical evangelist.
Edit: Previous comment from Docker maintainer, https://news.ycombinator.com/item?id=7910117
"Hi all, I'm a maintainer of Docker. As others already indicated this doesn't work on 1.0. But it could have. Please remember that at this time, we don't claim Docker out-of-the-box is suitable for containing untrusted programs with root privileges. So if you're thinking "pfew, good thing we upgraded to 1.0 or we were toast", you need to change your underlying configuration now. Add apparmor or selinux containment, map trust groups to separate machines, or ideally don't grant root access to the application. Docker will soon support user namespaces, which is a great additional security layer but also not a silver bullet! When we feel comfortable saying that Docker out-of-the-box can safely contain untrusted uid0 programs, we will say so clearly."