Hardened 28 Docker containers in one day. cap_drop ALL across 22 services, selective cap_add based on actual startup behavior, mem_limit and pids_limit on everything, digest-pinned images.
The pattern: containers that start as root and then drop to a service user need SETUID and SETGID added back (plus CHOWN if the entrypoint fixes ownership of volume data before dropping). Containers that start directly as their own unprivileged user work with a bare cap_drop ALL. Containers that chroot need SYS_CHROOT. Containers that run as root and read files owned by other UIDs need DAC_READ_SEARCH, which bypasses read and directory-search checks only, unlike DAC_OVERRIDE, which also bypasses write checks.
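The four cases above in one compose file, as an added example rather than the compose from the post. Image names, digests, user IDs and limits are placeholders; the no-new-privileges option is a companion setting not mentioned in the post.

```yaml
# Added example, not the post's own compose file. Image references and digests are
# placeholders: pin each image to the digest reported by
#   docker inspect --format '{{index .RepoDigests 0}}' <image>:<tag>
services:
  # Case 1: image starts as root, chowns its data dir, then drops to a service user.
  app-drops-privs:
    image: example/app@sha256:<digest>        # placeholder digest
    cap_drop: [ALL]
    cap_add:
      - CHOWN    # entrypoint fixes ownership of the volume at startup
      - SETUID   # setuid() to the service user
      - SETGID   # setgid()/initgroups() to the service group
    security_opt:
      - no-new-privileges:true   # not in the post; blocks regaining privilege via setuid binaries after the drop
    mem_limit: 256m
    pids_limit: 100
    volumes:
      - app-data:/var/lib/app

  # Case 2: image runs as its own non-root user from the start; nothing to add back.
  app-own-user:
    image: example/static@sha256:<digest>     # placeholder digest
    user: "10001:10001"                       # placeholder UID:GID
    cap_drop: [ALL]
    security_opt:
      - no-new-privileges:true
    mem_limit: 64m
    pids_limit: 50

  # Case 3: root-run backup job that must read files owned by other UIDs.
  backup:
    image: example/backup@sha256:<digest>     # placeholder digest
    cap_drop: [ALL]
    cap_add:
      - DAC_READ_SEARCH  # read/search bypass only; DAC_OVERRIDE would also permit writes
    security_opt:
      - no-new-privileges:true
    mem_limit: 128m
    pids_limit: 50
    volumes:
      - app-data:/srv/app:ro

  # Case 4: service that chroots into a jail at startup.
  jailed:
    image: example/jailed@sha256:<digest>     # placeholder digest
    cap_drop: [ALL]
    cap_add:
      - SYS_CHROOT
    security_opt:
      - no-new-privileges:true
    mem_limit: 64m
    pids_limit: 20

volumes:
  app-data:
```

To find the cap_add list empirically, start every service with cap_drop ALL and no cap_add, bring it up, and read its logs: a failed privilege drop, chown, chroot or file read surfaces as "Operation not permitted" (EPERM) at startup. Add back one capability per error, restart, and repeat until the service comes up clean. Verify the result with `docker inspect --format '{{.HostConfig.CapDrop}} {{.HostConfig.CapAdd}}' <container>`; even a three-item cap_add is far smaller than Docker's default capability set.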
Methodology: audit first, harden second. Full recon before touching a single compose file. Caught a UFW exposure and a tunnel misconfiguration that had been misdiagnosed for days.
Writeup at mpdc.dev with the full cap_add reference pattern.
#docker #selfhosted #infosec #homelab #containers #ParanoidRV