Hello Hannes!
Thanks for the hint ! I'll check immedeatly.
-  for the stop:
I've seen this in some cases but could imagine it related to large global buffers.
default timeout for docker stop iris is 10 sec  but  docker stop -t 60  iris will give it a minute
the total save approach could be 
docker exec iris iris stop iris quietly      so iris is down
docker stop iris                                          now stop the container

@Alexey Maslov 
Following your suggestion, I investigated public key bases authentication.
And it's of course available (no surprise it's standard Linux)

$ cd /etc/ssh
$ ls -l
total 580
-rw-r--r-- 1 root root 553122 Mar  4  2019 moduli
-rw-r--r-- 1 root root   1580 Mar  4  2019 ssh_config
-rw------- 1 root root    227 Apr 20 20:32 ssh_host_ecdsa_key
-rw-r--r-- 1 root root    179 Apr 20 20:32 ssh_host_ecdsa_key.pub
-rw------- 1 root root    411 Apr 20 20:32 ssh_host_ed25519_key
-rw-r--r-- 1 root root     99 Apr 20 20:32 ssh_host_ed25519_key.pub
-rw------- 1 root root   1679 Apr 20 20:32 ssh_host_rsa_key
-rw-r--r-- 1 root root    399 Apr 20 20:32 ssh_host_rsa_key.pub

Thank you @Luca Ravazzolo It's a great story!
And the CHUI interface is a dead horse. No doubt!
But the need is not an invention but a demand from existing customers that fear
to lose control over their data and operation. Especially if there is nothing
anymore in the basement you can touch.
So I show that is possible. I don't judge if it makes sense. 
Like in real life:
- Some people climb Aiguille de Midi with ropes and hooks
even as there is a cable car to the top installed.
- Others drive SUV and HUMMERs but mostly run the highway
and almost never leave the well-pathed roads. 

It's just required to produce the demo video to demonstrate  full functionality with this setup

I'll definitely try it.

@Alexey Maslov !
You are totally right.
It is not the final solution but the start of a different scenario.
PW was just the most simple approach to begin with.
I was much more puzzled by the fact that sshd only starts from root
and that it does a very detailed check of the access rights on the internal generated keys.
An just found no way to start a service from within IRIS.
Now in the soft version, it is started with docker exec  ... as by README.md and OEX.
and the pw can be provided in a similar way 
 

Thank you for the feedback from this well know environment.!

Simple things as buffer allocation, adding DB, ECP + Activation, ...
all this is lost after a new start     OR
I have to use DURABILITY which is quite an overhead e.g. during development 

Your suggestion is valid:
IF - there is access with sufficient privileges to the server that hosts Docker.
This is most likely an OS Level system manager or operator that runs all containers.
BUT - To run / check  / restart ..  IRIS there is no need to have rights outside Docker container
but instead, you need direct access to OS inside the container. Without external rights.
The next level is SYSmgr access inside IRIS vs. Developer or User access.
Back to the original scenario:
Running Docker is to me from a security point of view the same as running  Linux/ Windows on an ESX.
Would you sugggest giving someone access to ESX  with enough privileges just to do
Windows System management?  I don't think so!
In any midsize to larger organization, there is a strict separation between
HW server, Network, Virtualization, OS, Application - Management & Operation
mainly to prevent mistakes and error fixing at the wrong end.

Of course for me at home with a notebook and 2 desktops, I'm godfather with all rights you can think of.
Docker is claimed to replace VMware.
This is only correct if after installation you have the same privileges. 
If I build my image, I have all access rights.
But with no access to root or similar, I feel cheated.
Sorry, it's like a car without a steering wheel.

Dear @Dmitry Maslennikov !
Thanks for the compliment "bad idea"  !
All my life was driven by cross thinking, away from old tracks, doing the undoable, unchain my mind.
And it was 99% success. 
My ISC colleagues in and outside US can confirm this.
@Evgeny Shvarov knows much more details about me that would break the frame here.

BUT I'm a little bit disappointed. You didn't read the disclaiming note on top:
It is for developers, supporters,  system managers. 
And in addition my examples are never meant for production use,
but for training and learning. I don't make money with my software.
Just 1  minor detail:
Though multiple requests I never got a root password for any IRIS container.
You might have access to this information as you have also access to other no-public info.
So I had to set one for myself.  x-thinking!
All about the reasoning and other details are in my reply to @Evgeny Shvarov
Since he placed the more important question: WHY?

OK. that means to me:
- bring your own iris.cpf  (and your own license )
as I have done already in past in several cases.
And it means to have one repository for demo and another for distribution. 

That's fine in principle.
But how does this work with the demo server? Which triggered the idea.
https://MyProject.contest.community.intersystems.com/......