Michael Irwin from Docker here (and author of the blog post too). Happy to answer your questions, hear feedback, and more!

Maybe a naive question: is there a way to run some form of Docker in the browser? It could be a great education / demo tool.

Great question! There isn't a way to run Docker directly in the browser. But there are tools (like Play with Docker at play-with-docker.com) that let you interact with a CLI in the browser to run commands against a remote cloud instance. I personally use this a lot for demos and workshops!

But... certainly a neat idea to think about what Wasm-based applications could possibly look like/run in the browser!

Is it possible to sandbox the host system from the guests in WASM?

Are there namespaces and cgroups and SECCOMP and blocking for concurrent hardware access in WASM, or would those kernel protections be effective within a WASM runtime? Do WASM runtimes have subprocess isolation?

google/gvisor could be useful for this? https://github.com/google/gvisor :

> gVisor is an application kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an Open Container Initiative (OCI) runtime called runsc that provides an isolation boundary between the application and the host kernel.