> The primary downsides to consider are efficiency of the system, and the complexity of managing it
This shouldn't be underestimated, though!
I agree that efficiency is a no-brainer for almost all purposes, especially compared to other forms of virtualization like KVM.
But: Managing the complexity can be tough, it sometimes feels like creating all low-level firewall rules by hand for a large network. Well, for firewalls you have stuff like firewall generators, in the context of containers these are projects like Docker or LXD. But they share the same downsides: You may have trouble to see what happens behind the scenes.
The largest risk here, however, is not the working time spent to learn and apply that stuff. It is a false sense of security where your complex system might, in the end, to have holes which you assumed should not exist.
For example, not many people are aware that if the user can start docker instances, they are effectively root.
(One might argue that this is more a failure of docker than of containers. But then, why do people use complex monsters like docker in the first place? Because managing plain containers is a pain and other complex building around containers have their downsides, too.)
This shouldn't be underestimated, though!
I agree that efficiency is a no-brainer for almost all purposes, especially compared to other forms of virtualization like KVM.
But: Managing the complexity can be tough, it sometimes feels like creating all low-level firewall rules by hand for a large network. Well, for firewalls you have stuff like firewall generators, in the context of containers these are projects like Docker or LXD. But they share the same downsides: You may have trouble to see what happens behind the scenes.
The largest risk here, however, is not the working time spent to learn and apply that stuff. It is a false sense of security where your complex system might, in the end, to have holes which you assumed should not exist.
For example, not many people are aware that if the user can start docker instances, they are effectively root.
(One might argue that this is more a failure of docker than of containers. But then, why do people use complex monsters like docker in the first place? Because managing plain containers is a pain and other complex building around containers have their downsides, too.)