While it would be slightly more secure to run with --cgroupns=private, which in general works, it seems to require more setup in some cases and may not work well on some configurations (didn't check the latter, so mostly speculation from my side).
So --cgroupns=host is probably not much worse than what we had before with Cgroups v1.
However, I propose to additionally add --cap-add SYS_ADMIN --security-opt apparmor=unconfined, which get rid of some warnings during init and some undesired behaviors during stop. Probably doesn't make the security much worse anyway.
For future reference: