Thank you for this great software!
The official distribution has now switched to a Docker environment.
Can you please explain in detail (or point to an existing resource regarding this) why that is?
As a non-security expert, I have been fed with the following biases:
- Docker is somewhat easy to set up for developers but not as easy to configure for a production environment.
- You don't have as much control over the supply chain (what OS does it pull, is it up to date, etc.), especially during upgrades (you might check its dependencies the first time you install it, but you won't check it every time there's a security fix in the Docker image, whereas if your system is properly configured, it's easier to just update the war file without risking compromising the whole system; and the image's underlying OS security updates might take longer than you would to apply a system security patch).
- Unless properly configured, which is hard and not the default, it is somewhat easy to escape the containerized environment. OWASP has a cheat sheet about that here.
Do you have any recommendations (or existing resources to point to) to deploy the software in a production environment in a secure fashion, or is using the recommended docker-compose file enough to provide at least as much security as if it were deployed on a secure server with a war? Is using the recommended docker-compose file enough to follow all the OWASP Docker recommendations? What about things such as HTTPS?
Thanks!