Containers, The Wrong Way: Lessons Learnt

via Dev.to, Anna Silva

This is a follow-up to "Containers, The Wrong Way, For Always-Free Fun and Profit".

In my last post, I told you all a wild idea: stop caring about the host OS of your EC2/VM. Take the OS hostage. Make it a babysitter of a privileged container, and from that point on it's as relevant as a bastion VM. Your environment lives in a Docker/Podman image. Versioned, reproducible, and testable on your laptop/QEMU/VMware.

A week later, 119 files changed, +612 -4210 lines changed (this is what an Ansible retirement looks like), and I have one thing to say: The core idea was right. I just hadn't "thought with containers" all the way through.

Prelude: The host OS matters. A tiny bit.

Here's the thing about the "host OS doesn't matter" premise: it only holds if the host OS agrees to not matter. Your privileged container needs to start and be able to take the host OS hostage. That's the whole deal. The host gets you to that point, and then it gets out of the way. Oracle Linux ships with SELinux enforci
