librelad c8e3a152a6 security: default fresh installs to rootless Docker
Containers now run unprivileged by default — a container breakout maps to a
sub-UID, not host root. Rooted remains available as a legacy opt-in. Existing
installs keep their current mode (config reconciliation is add-only); fresh
installs get rootless. The rootless path already handles unprivileged ports
(ip_unprivileged_port_start=0) and userns.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 20:16:13 +01:00
..