From c8e3a152a648050c231ca7a01b65d692372641c5 Mon Sep 17 00:00:00 2001 From: librelad Date: Sat, 23 May 2026 20:16:13 +0100 Subject: [PATCH] security: default fresh installs to rootless Docker MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Containers now run unprivileged by default — a container breakout maps to a sub-UID, not host root. Rooted remains available as a legacy opt-in. Existing installs keep their current mode (config reconciliation is add-only); fresh installs get rootless. The rootless path already handles unprivileged ports (ip_unprivileged_port_start=0) and userns. Co-Authored-By: Claude Opus 4.7 Signed-off-by: librelad --- configs/general/general_docker_install | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configs/general/general_docker_install b/configs/general/general_docker_install index 0c0b615..7389061 100755 --- a/configs/general/general_docker_install +++ b/configs/general/general_docker_install @@ -1,7 +1,7 @@ # ================================================================================ # Docker - Container runtime installation and configuration **ADVANCED** # ================================================================================ -CFG_DOCKER_INSTALL_TYPE=rooted # Docker Installation Type - Security based setup rooted or rootless Docker installation [rooted|rootless] +CFG_DOCKER_INSTALL_TYPE=rootless # Docker Installation Type - rootless (default, recommended): containers run unprivileged so a breakout isn't host root; rooted: legacy, containers run as root [rootless|rooted] CFG_DOCKER_INSTALL_USER=dockerinstall # Docker Install User - Username for Docker installation operations CFG_DOCKER_INSTALL_PASS=RANDOMIZEDPASSWORD2 # Docker Install Password - Password for Docker install user