[andrewguenther]

I think the problem here is that people seem to assume that "application isolation" is synonymous with "security isolation." Your statement is true, the vulnerabilities are the same, but people don't seem to get that there is no "security story" for containers in the first place. That isn't their job.

[iguyking]

Isn't one of the claims that if you patch the main OS (without changing the libraries..just patch like you would normally) with a new base image, that with the dockerfile you could re-setup the application in a matter of minutes?