• 0 Posts
  • 1 Comment
Joined 1 year ago
cake
Cake day: October 28th, 2023

help-circle
  • Since you are using LXC/LXD, make sure that AppArmor is enabled on the host and ensure that a configuration profile exists (should be a decent default one available) that blocks the containers from reading things like the /etc/passwd file.

    I personally run all containers in centos/alma/fedora systems specifically to take advantage of the strong SELinux-container policies.

    Other things you can do would be to rebuild public images, patch them, and save them to your private registry. I find that not all container maintainers patch as aggressively as I would like. Furthermore, you can look into running containers as non root and use a non root “daemon” like Podman instead of Docker.