Docker layer deduplication with layer referencing
US-2018095973-A1 · Apr 5, 2018 · US
US10169209B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10169209-B2 |
| Application number | US-201615344016-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 4, 2016 |
| Priority date | Nov 4, 2016 |
| Publication date | Jan 1, 2019 |
| Grant date | Jan 1, 2019 |
Official abstract text for this publication.
Methods and systems for creating containers by composition are disclosed. For example, a container image includes multiple layers, including first and second layers, which an image engine determines are read only or unmodified by adding any other layers. Each layer is in either a broken or unbroken state. Layers remain unbroken if an associated identifying signature and contents of layer remain unmodified by any other layer. The layers adhere to a policy requiring each compliant layer to be read only and/or not to modify any other layer when added to container image. The policy requires compliant layers to only modify their own contents when updated and to remain unbroken. The first and second layers are compliant when a third layer replaces the first layer. The layers remain compliant after replacement.
Opening claim text (preview).
The invention is claimed as follows:
1. A system of creating containers by composition, the system comprising: a memory including a container image; one or more processors, in communication with the memory; and an image engine, executing on the one or more processors, wherein the containers include components to generate an isolated runtime environment for specific applications, wherein the container image includes a plurality of layers, the plurality of layers including at least a first layer and a second layer that is built on the first layer, the image engine determines that the first layer and the second layer are at least one of read only and remain unmodified by the addition of any other layer of the plurality of layers, and each layer of the container image is in one of a broken state and an unbroken state, wherein the image engine validates that each layer of the container image is associated with a respective identifying signature, the identifying signatures remain unmodified as long as the respective layers remain in the unbroken state, and any respective layer changing from the unbroken state to the broken state if any contents of the respective layer present at a time such respective layer was added to the container image are modified by at least one of an addition and an operation of any other layer of the container image, wherein the image engine ensures that the plurality of layers adhere to a policy, the policy requiring that each compliant layer includes at least one attribute of (i) each respective compliant layer is read only with respect to each other layer in the container image, and (ii) at a time when each respective compliant layer is added to the container image, the respective layer does not modify the contents of any other layer, the policy also requiring that the updating of any respective compliant layer with a new version of the same respective compliant layer modifies only the contents of the respective compliant layer being replaced, and that each compliant layer remains in the unbroken state, wherein each layer is designated a different respective location in the memory for the storage of data necessary for each respective layer, and each compliant layer is restricted from writing to a location designated for any other layer, and wherein the image engine determines that the first layer and the second layer are both compliant layers and replaces the first layer with a third layer, wherein the third layer is an updated version of the first layer, and the second layer and the third layer are both compliant layers after the replacement of the first layer with the third layer, such that the plurality of layers, including the third layer, adhere to the policy.
2. The system of claim 1, wherein the image engine adds a fourth layer to the container image.
3. The system of claim 2, wherein the image engine determines that at least one of the third layer and the fourth layer is a non-compliant layer, stops constructing the container image and sends a warning that constructing the container image failed.
4. The system of claim 2, wherein the image engine: adds a fifth layer to the container image, wherein the fifth layer is a non-compliant layer and adding the fifth layer causes the fourth layer to become non-compliant, the fifth layer being in the unbroken state.
5. The system of claim 4, wherein the image engine: replaces the second layer with a sixth layer, wherein the sixth layer is an updated version of the second layer, the third layer remains compliant, and the fifth layer remains in the unbroken state after the replacement of the second layer with the sixth layer, the sixth layer being compliant.
6. The system of claim 4, wherein the image engine: copies any portions of the fourth layer that will be modified by the addition of the fifth layer, and provides at least one of a user and the image engine with the option to one of (i) allow the modifications to occur and (ii) reject the modifications.
7. The system of claim 1, wherein each identifying signature is one of a checksum and a hash.
8. A method of creating containers by composition, the method comprising: determining that a first layer and a second layer that is built on the first layer are at least one of read only and unmodified by the addition of any other layer of a plurality of layers, wherein a container image includes the plurality of layers, the plurality of layers includes at least the first layer and the second layer, and each layer of the container image is in one of a broken state and an unbroken state, and wherein the containers include components to generate an isolated runtime environment for specific applications; validating that each layer of the container image is associated with a respective identifying signature, wherein the identifying signatures remain unmodified as long as the respective layers remain in the unbroken state, and any respective layer changing from the unbroken state to the broken state if any contents of the respective layer present at a time such respective layer was added to the container image are modified by at least one of an addition and an operation of any other layer of the container image; ensuring that the plurality of layers adheres to a policy, the policy requiring that each compliant layer includes at least one attribute of (i) each respective compliant layer is read only with respect to each other layer in the container image, and (ii) at a time when each respective compliant layer is added to the container image, the respective layer does not modify the contents of any other layer, the policy also requiring that the updating of any respective compliant layer with a new version of the same respective compliant layer modifies only the contents of the respective compliant layer being replaced, and that each compliant layer remains in the unbroken state, wherein each layer is designated a different respective location in a memory for the storage of data necessary for each respective layer, and each compliant layer is restricted from writing to a location designated for any other layer; determining that the first layer and the second layer are both compliant layers; and replacing the first layer with a third layer, wherein the third layer is an updated version of the first layer, and the second layer and the third layer are both compliant layers after the replacement of the first layer with the third layer, such that the plurality of layers, including the third layer, adhere to the policy.
9. The method of claim 8, further comprising: adding a fourth layer to the container image.
10. The method of claim 9, further comprising: determining that at least one of the third layer and the fourth layer is a non-compliant layer; and stopping construction of the container image and sends a warning that constructing the container image failed.
11. The method of claim 9, further comprising: adding a fifth layer to the container image, wherein the fifth layer is a non-compliant layer and adding the fifth layer causes the fourth layer to become non-compliant, the fifth layer being in the unbroken state.
12. The method of claim 11, further comprising: replacing the second layer with a sixth layer, wherein the sixth layer is an updated version of the second layer, the third layer remaining compliant, and the fifth layer remaining in the unbroken state after the replacement of the second layer with the sixth layer, the sixth layer being compliant.
13. The method of claim 11, further comprising: copying any portions of the fourth layer that will be modified by the addition of the fifth layer, and providing at lea
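The abstract and claims above describe per-layer signatures, broken and unbroken states, and a write-only-to-your-own-location policy. The following is an added illustration of one way to model that, not code from the patent or from any container runtime. Assumptions: the `Layer` class, the `compose` function, the path-prefix reading of "designated location", and all sample names and contents are hypothetical; SHA-256 stands in for the "checksum or hash" of claim 7.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Layer:
    name: str
    root: str    # location designated for this layer (assumed: a path prefix)
    files: dict  # path -> bytes written when the layer is added

def signature(files):
    """Identifying signature: SHA-256 over length-prefixed, sorted (path, content)."""
    h = hashlib.sha256()
    for path in sorted(files):
        for part in (path.encode(), files[path]):
            h.update(len(part).to_bytes(8, "big") + part)
    return h.hexdigest()

def compose(layers, strict=False):
    """Stack layers in order and report compliant/broken state per layer."""
    owner, effective, report = {}, {}, {}
    for layer in layers:
        # Policy: a compliant layer writes only inside its own location.
        compliant = all(p.startswith(layer.root) for p in layer.files)
        for path, data in layer.files.items():
            prev = owner.setdefault(path, layer.name)
            if prev != layer.name:  # overwrites content an earlier layer added
                compliant = False
                effective[prev][path] = data
        if strict and not compliant:
            raise ValueError(f"construction stopped: {layer.name!r} is non-compliant")
        effective[layer.name] = dict(layer.files)
        report[layer.name] = {"compliant": compliant,
                              "signature": signature(layer.files)}
    for name, entry in report.items():
        # Broken: contents present at add time no longer match the signature.
        entry["broken"] = signature(effective[name]) != entry["signature"]
        entry["compliant"] = entry["compliant"] and not entry["broken"]
    return report

# Constructed sample layers (names, paths and contents are illustrative).
BASE_V1 = Layer("base", "/base/", {"/base/libc.so": b"v1"})
BASE_V2 = Layer("base", "/base/", {"/base/libc.so": b"v2"})
APP = Layer("app", "/app/", {"/app/run": b"bin", "/app/conf": b"a=1"})
PATCH = Layer("patch", "/patch/", {"/patch/x": b"1", "/app/conf": b"a=2"})

if __name__ == "__main__":
    for stack in ([BASE_V1, APP], [BASE_V2, APP], [BASE_V2, APP, PATCH]):
        for name, state in compose(stack).items():
            print(name, state["compliant"], state["broken"], state["signature"][:12])
```

Replacing `BASE_V1` with `BASE_V2` leaves the `app` signature unchanged, while `PATCH` overwriting `/app/conf` marks `app` broken and `patch` non-compliant but unbroken; `strict=True` models stopping construction with a warning.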
Image based installation; Cloning; Build to order · CPC title
Hypervisor-specific management and integration aspects · CPC title
Testing of software · CPC title
by tracing the execution of the program · CPC title