Hacker News
by mrweasel 4181 days ago
> if one service gets compromised, and a root exploit is found, that's it game over.

For root exploits, isn't Docker toast as well? I haven't followed Docker in much detail, but does Docker actually promise that commands run as root will be contained?

1 comment

There is a certain level of isolation for root even inside containers, but in the case of a privilege escalation exploit you would most probably achieve "real" root even if inside a container.