# Security
Here follows an explanation of security practices taken into account.

Refer to https://docs.docker.com/compose/compose-file/compose-file-v3/ for explanations of individual points.

## Rootness
**The container process runs as `root`**.

Due to the deterministic, static nature of the container process, this is not an issue.

## Port Exposure
The container exposes no ports.

## Volume Access
**The container process has `docker.sock` access**.

Due to the deterministic, static nature of the container process, this is not an issue.

## Resource Limits
The service employs CPU/Memory usage limits in the `deploy` section.

This helps prevent any issues with the container process from crashing the entire host.

## Capabilities
All capabilities are dropped with `--cap_drop ALL`.

No capabilities need to be added back, so none are.

## Special Note: latest
Hosts are presumed to be kept up-to-date via the official `docker-ce` package.
Thus, uniquely, using `latest` tag in this container is warranted.