Re: I feel for the guy, but..
weeell, one would think that because in theory yes, that's what it says on the docker tin. But in practice, it works a bit differently. Docker isolation is a double edged sword, especially if your app depends on another upstream app which doesn't upgrade or alternatively, upgrades itself in a way that breaks YOUR application, because then it's again your problem. The Isolation concept of docker primarily benefits you with regards to the multiple parts of your application being isolated from one other.
Let's assume - for example - that you have two scenarios: in scenario 1, your app depends on an upstream app which has not been upgraded against a known and publicized security vulnerability and in scenario 2, the upstream app has been upgraded but in a way which - if applied - breaks your app.
Docker Isolation enables you to have the particularly undesirable choice of either continuing running your app in a configuration which you know to be unsafe or in a configuration you know to be safe but unstable or non productive/offline
Docker Isolation would be fulfilling it's job perfectly in this scenario - you are insulated as long as you do not change anything in your current setup - security vulnerabilities and all, which is of course a less than ideal situation.
Biting the hand that feeds IT
