The container industry's dirty secret: Docker was never designed for production.
## 13 Years of Band-Aids

Docker launched in March 2013 with a revolutionary idea: package your app and its dependencies together. Great for development. Catastrophic for production.

### The Timeline of Damage Control

| Year | What Happened |
|---|---|
| 2013 | Docker launches. Anyone can publish anything. |
| 2014–2018 | Public registry fills with malicious, bloated, abandoned images |
| 2019 | Rate limiting introduced (too late) |
| 2022 | Docker Scout: "Scan your images to see how bad they are" |
| 2023 | Docker Verified Images: Pay for safety |
| 2024 | Verified Images go free (couldn't monetize security) |
| 2026 | 10,000+ malicious containers still live in Docker Hub |

Docker's solution to bad containers? More tools to show you how bad they are.

## The 12-Factor Betrayal

The 12-Factor App methodology defines how to build production-ready software. Docker images routinely violate nearly all of its principles:

| 12-Factor Principle | Docker Reality |
|---|---|
| Config in environment | ✗ Baked into image layers |
| Dev/prod parity | ✗ Dev deps ship to production |
| Disposability | ✗ Stateful containers everywhere |
| Port binding | ✗ Hardcoded ports, privilege escalation |
| Backing services | ✗ Databases bundled in app images |
| Build, release, run | ✗ All three mixed in Dockerfiles |
| Concurrency | ✗ Fat single-process containers |
| Logs as streams | ✗ Logging frameworks baked in |

Docker didn't just ignore 12-factor. They made it harder to follow.

## The Production Gap

### What Docker Optimizes For

- ✓ "It works on my machine"
- ✓ Quick demos
- ✓ Dev environment parity
- ✓ Onboarding new developers

### What Production Requires

- ✗ Supply chain verification (Docker: anonymous publishing)
- ✗ Minimal attack surface (Docker: 500MB+ "slim" images)
- ✗ Runtime security (Docker: root by default)
- ✗ Auditability (Docker: layer squashing hides history)
- ✗ Trust hierarchy (Docker: none until 2023, still optional)

## Volt: Production-First Design

| Concern | Docker | Volt |
|---|---|---|
| Trust | Anonymous publishing, scan later | GPG circle of trust, verify before deploy |
| Image size | 500MB "slim" images | 15–50MB production images |
| Security | Root default, privilege escalation | Landlock + capability dropping |
| Supply chain | 10k+ malicious images live | Cannot publish without verified identity |
| Runtime | containerd + shim overhead | systemd-nspawn direct execution |
| Startup | 2–5 seconds typical | 5ms average |
| 12-Factor | Actively violated | Enforced by architecture |

## The ArmoredGate Position

Docker is a development tool. Production deserves better.

We're not anti-Docker. Use it for:

- Local development
- CI/CD builds
- Quick prototypes

But when code hits production:

- Convert with Volt Studio
- Deploy with Volt
- Trust with GPG Circle of Trust

## The Numbers

| Metric | Docker | Volt |
|---|---|---|
| Container startup | 1,922ms | 5ms (384× faster) |
| Image size (nginx) | 187MB | 23MB (8× smaller) |
| Memory per container | ~25MB | 5.5MB (78% less) |
| Malicious images in registry | 10,000+ | 0 (by design) |
| Time to patch CVE | Days–weeks | Hours (forced by trust model) |