A completing/complementing technology to this is Cloud Foundry (https://www.cloudfoundry.org).
Cloud Foundry can use Docker images, but it does not need to.
From what I understand Cloud Foundry packages provide even less of an attack surface then Docker images.
Just a thought or two.
“The strongest of all warriors are these two — Time and Patience.” ― Leo Tolstoy, War and Peace