From 762f11f88d91a32213776c4c414e20c4a02cf982 Mon Sep 17 00:00:00 2001 From: Wonderfall Date: Sun, 3 Apr 2022 02:33:14 +0200 Subject: [PATCH] avoid --cgroup-parent --- content/posts/docker-hardening.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/posts/docker-hardening.md b/content/posts/docker-hardening.md index 83d3989..d838083 100644 --- a/content/posts/docker-hardening.md +++ b/content/posts/docker-hardening.md @@ -156,6 +156,8 @@ Use cgroups to restrict access to hardware and system resources. You likely don' More runtime options can be found in [the official documentation](https://docs.docker.com/config/containers/resource_constraints/). All of them should have a [Compose spec](https://github.com/compose-spec/compose-spec/blob/master/spec.md) equivalent. +The `--cgroup-parent` option should be avoided as it uses the host cgroup and not the one configured from Docker (or else), which is the default. + ### Read-only filesystem It is good practice to treat the image as some refer to as the "golden image".
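Review bot: the sentence added to docker-hardening.md misstates what `--cgroup-parent` does and gives the reader no concrete reason to avoid it. The option does not make a container "use the host cgroup"; it selects the parent cgroup under which the container's own cgroup is created, replacing the daemon's default parent (`docker` with the cgroupfs driver, `system.slice` under systemd). The hardening-relevant consequence is that a custom parent can move the container outside the hierarchy where limits set on that default parent apply, so those limits no longer cover it. Suggest rewording to something like: "Avoid `--cgroup-parent` (Compose: `cgroup_parent`): it places the container under an arbitrary host cgroup instead of the daemon's default parent (`docker` or `system.slice`), so resource limits applied at that level no longer cover the container." The parenthetical "(or else)" is unclear and should be dropped.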