Docker uses LXC. LXC is actually at the core of many container engines.

Yeah I saw that plugin a few years ago and it was not ready for production yet.

I am going a whole different route, but have the same motivation: get rid of docker and improve the security.

I will move from docker compose to Nomad. And I will also not use containers itself anymore. I want/need more security. You can achieve this with MicroVM (Firecracker). However, you would need to build those VM images yourself. But there is a solution to it. Kata-containers. They allow to deploy OCI compliant containers into seperate MicroVM’s. Then you have true isolation from the host kernel, while not losing much of start-up time.

It sucks to migrate to podman if you have been using Docker Compose heavily.

Also, updating is done with

docker compose pull

and

docker compose up -d

every 24h via cronjob

Yeah, I see your point. No use to repeat the same you can read in other comments or in those 274772 guides online. I was trying to imply to just generally harden ssh because then brute-force attempts should be no issue, unless you log everything and the disk space gets maxed out :D

Fml… yes, I meant CrowdSec. Thanks for the hint

• harden sshd
• use fail2ban or even better CrowdStrike CrowdSec
• use a tool like the following to have a next-gen security solution: https://github.com/mrash/fwknop