python-support-infra/stacks/cleanup/SECURITY.md

Security

This document explains the security practices taken into account.

Refer to https://docs.docker.com/compose/compose-file/compose-file-v3/ for explanations of individual points.

Rootness

The container process runs as root.

Due to the deterministic, static nature of the container process, this is not an issue.

Port Exposure

The container exposes no ports.

Volume Access

The container process has docker.sock access.

Due to the deterministic, static nature of the container process, this is not an issue.

Resource Limits

The service employs CPU/Memory usage limits in the deploy section.

This helps prevent any issues with the container process from crashing the entire host.

Capabilities

All capabilities are dropped with cap_drop: ALL in the Compose file.

No capabilities need to be added back, so none are.

Special Note: latest

Hosts are presumed to be kept up-to-date via the official docker-ce package. Thus, uniquely, using the latest tag in this container is warranted.
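
The points in this document can be checked mechanically against a service definition. The following is an added example, not part of this repository: audit_service, SAMPLE and the image name are hypothetical, and the input is assumed to be one service mapping as a YAML loader would return it from a Compose v3 file.

```python
# Added example: audit one parsed Compose v3 service against the sections of this document.
DOCKER_SOCK = "/var/run/docker.sock"

def _mount_source(vol):
    """Host path of a volume in short ("src:dst[:mode]") or long (mapping) syntax."""
    if isinstance(vol, dict):
        return vol.get("source", "")
    return vol.split(":")[0]

def audit_service(svc):
    """Return one observation per section: rootness, ports, volumes, limits, capabilities, tag."""
    limits = svc.get("deploy", {}).get("resources", {}).get("limits", {})
    sources = [_mount_source(v) for v in svc.get("volumes", [])]
    image = svc.get("image", "")
    # Only a ":" in the last path segment is a tag; "registry:5000/name" has none.
    tag = image.rsplit(":", 1)[1] if ":" in image.rsplit("/", 1)[-1] else "latest"
    # Assumption: with no "user" key the image default applies, taken here to be root.
    user = str(svc.get("user", "root")).split(":")[0]
    return {
        "runs_as_root": user in ("root", "0"),
        "exposes_ports": bool(svc.get("ports")),
        "docker_sock_mounted": DOCKER_SOCK in sources,
        "cpu_and_memory_limited": "cpus" in limits and "memory" in limits,
        "all_caps_dropped": "ALL" in [str(c).upper() for c in svc.get("cap_drop", [])],
        "caps_added_back": sorted(svc.get("cap_add", [])),
        "uses_latest_tag": tag == "latest",
    }

# Constructed sample matching what this document describes; every value is a placeholder.
SAMPLE = {
    "image": "example/cleanup:latest",
    "volumes": ["/var/run/docker.sock:/var/run/docker.sock"],
    "cap_drop": ["ALL"],
    "deploy": {"resources": {"limits": {"cpus": "0.50", "memory": "128M"}}},
}

if __name__ == "__main__":
    for check, result in audit_service(SAMPLE).items():
        print(f"{check}: {result}")
```

Running it in CI against the real service mapping turns this document's statements into checks that fail when the Compose file drifts from them.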