The first step I would take is running podman instead of Docker to prevent container escapes. Podman can be run truly rootless and doesn't mess with your firewall. Next I would drop all caps if possible.

▲

doodlesdev 5 days ago | parent [-]

What's the difference between running Podman and running Docker in rootless mode? (Other than Docker messing with the firewall, which apparently OP doesn't know about… yet). I understand Podman doesn't require a daemon, but is that all there is to it, or is there something I'm missing?

	▲	exceptione 5 days ago \| parent \| next [-]
		The runtime has been designed from the ground up to be run daemonless and rootless. They also have a K8s runtime, that has an extremely small surface, just enough to be K8s compliant. But podman has also great integration with systemd. With that you could use a socket activated systemd unit, and stick the socket inside the container, instead of giving the container any network at all. And even if you want networking in the container, the podman folks developed slirp4netns, which is user space networking, and now something even better: passt/pasta.
	▲	crimsonnoodle58 5 days ago \| parent \| prev [-]
		Rootless docker is more compatible than podman I found. I experienced crash dumps in say mssql with podman, but not with rootless docker. Also rootless docker does not bypass ufw like rootful docker does.