security: default fresh installs to rootless Docker

Containers now run unprivileged by default — a container breakout maps to a
sub-UID, not host root. Rooted remains available as a legacy opt-in. Existing
installs keep their current mode (config reconciliation is add-only); fresh
installs get rootless. The rootless path already handles unprivileged ports
(ip_unprivileged_port_start=0) and userns.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
This commit is contained in:
librelad 2026-05-23 20:16:13 +01:00
parent 7e7a7f524c
commit c8e3a152a6

View File

@ -1,7 +1,7 @@
# ================================================================================ # ================================================================================
# Docker - Container runtime installation and configuration **ADVANCED** # Docker - Container runtime installation and configuration **ADVANCED**
# ================================================================================ # ================================================================================
CFG_DOCKER_INSTALL_TYPE=rooted # Docker Installation Type - Security based setup rooted or rootless Docker installation [rooted|rootless] CFG_DOCKER_INSTALL_TYPE=rootless # Docker Installation Type - rootless (default, recommended): containers run unprivileged so a breakout isn't host root; rooted: legacy, containers run as root [rootless|rooted]
CFG_DOCKER_INSTALL_USER=dockerinstall # Docker Install User - Username for Docker installation operations CFG_DOCKER_INSTALL_USER=dockerinstall # Docker Install User - Username for Docker installation operations
CFG_DOCKER_INSTALL_PASS=RANDOMIZEDPASSWORD2 # Docker Install Password - Password for Docker install user CFG_DOCKER_INSTALL_PASS=RANDOMIZEDPASSWORD2 # Docker Install Password - Password for Docker install user