Scott McCarty <smccarty(a)redhat.com> writes:
Personally, I also run systemd in the container (because I hate
reverse engineering startup scripts) and I run the whole thing read-only. IMHO, this gives
me a balance of security and convenience.
If you don't run systemd, you could even run rootless.
systemd should work fine with rootless containers too.