I've been reading a bit on "Docker"
I ran into Docker reading
this article on CoreOS
it immediately piqued my interest: an application program ("app", for short) -- should run on an O/S seeing in its environment only itself
it will be interesting to find out if Docker can be profiled to restrict/limit access to resources-- file directories, network I/O, and such
theoretically DOCKER should be able to run every app as though each app were run using a separate TAILS thumb-drive O/S