I've been reading a bit on "Docker"

I ran into Docker reading this article on CoreOS

it immediately piqued my interest: an application program ("app", for short) -- should run on an O/S seeing in its environment only itself

it will be interesting to find out if Docker can be profiled to restrict/limit access to resources-- file directories, network I/O, and such

theoretically DOCKER should be able to run every app as though each app were run using a separate TAILS thumb-drive O/S

I've heard it compared to BSD "jails" for Linux, but I have no experience with it. It seems to be the new cool toy.

A web search for "docker linux" will turn up many articles.

to me, the Real Issue with a Studio Workstation (aka "Desktop PC") is that when the owner logs on his|her credentials are then used by every app program launched. you might want to control access to a finer degree: for example you might want to restrict your web browser to accessing only the /Documents area and excluding the /Documents/Correspondence area .

this I understand can be done using AppArmor provided the user can and will make the effort to edit the access control profile. JavaScript isn't supposed to go ferreting around your directories anyway, but-- "WebApps" have been gaining a lot of steam lately

I fiddled around using AppArmor when I was using Ubuntu 12.04LTS but it was hard to really understand the profiles that were generated. a good GUI editor for AppArmor profiles would be great.

one of these days I gotta figure out how to write GUI stuff in C ...

Docker is a next steps from LXC (cgroups). It is nothing different as LXC via libvirt and some additions/automations.