I'm worried about the security implications of running the daemon as root. What are the current best practices for 'rootless' mode or limiting container capabilities? I want to ensure that a compromised container cannot easily gain control over the host system.
3 answers
Security should be a priority from day one. To harden your setup, you should look into running in "Rootless Mode," which allows the daemon and containers to run as a non-privileged user. This significantly mitigates the risk of "container breakout" attacks. If rootless isn't an option for your workload, at least use the --cap-drop ALL flag and only add back the specific Linux capabilities your app needs, like NET_BIND_SERVICE. Also, never expose the /var/run/docker.sock to a container unless absolutely necessary, as this is essentially giving that container root access to your host. I've been auditing production environments for these specific misconfigurations since late 2025.
Are you also using a security profile like AppArmor or Seccomp to further restrict the system calls your containers can make?
Using the USER directive in your Dockerfile to switch to a non-root user is the easiest first step you can take to improve your security posture.
Absolutely, Rebecca. It’s a simple change that stops a lot of common exploits. Every project I work on now defaults to a non-root user.
I’m looking into Seccomp right now, Paul. It seems a bit complex to write custom profiles for every application, but the default profile seems like a good starting point. Do you find that custom profiles often break applications, or is the learning curve manageable for a standard microservices setup?