A Simple Introduction to Docker IX
What are some concerns about using Docker?
Security
Shared kernel concern
Since containers share the same kernel, if one of them panics, every one of them will panic too.
Privilege concern
If a user or application has superuser privileges within the container, the underlying operating system could, in theory, be cracked.[1]
This concern will no longer be valid in a few months.
Docker has been working on Linux user namespace support for a while now. Once this feature is completed, we can build a Docker container without root privileges, and inside this container we can still have enough privileges to do our job.
VM + Container
Hyper is a Chinese startup project to make a lightweight virtual machine based on Docker images, which combines the advantages of both containers and VMs.
- Its containers are isolated by a VM, so it is immune to the "shared kernel" problem in containers.
- It's almost as lightweight as a container, so it's much faster than a VM.
- Since it's a VM, you can choose your own kernel.
Management Complexity
- DevOps needs to manage too many Docker files.
- In Docker's world, we need to separate each of our apps into its own Docker image.
- We must keep our eyes on many different Docker files.
- This can be a problem when our project becomes very large.
- But in general you won't face this.