2 September 2024
Linux in Linux with KVM
You can do quite a lot with Docker, but sometimes you want greater capabilities or increased security; then a proper virtual machine with KVM is a good alternative. One example is when you want to run Docker containers in the VM, since it's not easy to nest Docker without forgoing all security.
Just like Alpine Linux is suitable as a base for Docker images, it is also a good option as a guest in a virtual machine.
20 April 2023
Alpine rather than distroless
I have been using the distroless Docker base images to package my applications, mainly since I want a slim and simple image without unnecessary cruft.
However, they are based on Debian, and Debian is unfortunately not as diligent about fixing serious security issues as other distributions like Ubuntu or Alpine. If you scan a distroless image with the grype tool, you get this result:
$ grype gcr.io/distroless/java17-debian11 NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY libharfbuzz0b 2.
2 July 2012
How to add password protection to GRUB2
These instructions are tested with Ubuntu desktop 12.04, but will probably be useful in other Linux distros with GRUB2 as well.
The goal is to block everything except booting the default system. In particular, it should not be possible for anyone to boot into recovery mode, since that will bypass normal login and give root access directly.
Run grub-mkpasswd-pbkdf2 from a terminal and enter the desired password, then copy the output. Edit /etc/grub.
31 October 2007
Why can only root listen to ports below 1024?
(This article has been edited since its first publication.)
In Linux, and other UNIX-like systems, you have to be root (have superuser privileges) in order to listen to TCP or UDP ports below 1024 (the well-known ports).
This port 1024 limit is a security measure. But it is based on an obsolete security model and today it only gives a false sense of security and contributes to security holes.
The port 1024 limit forces you to run all network daemons with