Comment 3 for bug 1858248

Hadmut Danisch (hadmut) wrote :

I have been working actively and administratively with systemd for years and have read plenty of documentation, but this is the first time I have heard of or read about a "systemd drop-in".

However, overriding the complete ExecStart line is insecure and error-prone, since it breaks updates and changes to ExecStart that might come with updated packages.

In general: it is highly dangerous and sort of unbearable to offer a Docker that rigorously breaks any firewall rules. As far as I can see, Docker inserts iptables rules aggressively at the beginning of the rule set and always allows just everything to everyone.

That's a no-go on production systems.

Is this behaviour part of docker.io itself, or does it come with the Debian/Ubuntu package?
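For reference, this is what the systemd drop-in mentioned in the comment above looks like when used to override ExecStart. It is an added illustration, not something posted in this bug report or shipped by the docker.io package; the file path, the `dockerd` command line and the choice of `--iptables=false` (a real dockerd option that stops the daemon from adding its own iptables rules) are assumptions for the example, and the value passed to `-H` should be copied from whatever the installed unit actually uses.

```ini
# /etc/systemd/system/docker.service.d/override.conf  (path assumed for this example)
# Loaded on top of the packaged docker.service; "systemctl cat docker.service"
# shows the merged result and "systemctl daemon-reload" is needed after editing.
[Service]
# ExecStart is single-valued for a Type=notify service, so the packaged value
# must be cleared with an empty assignment before a new one is accepted;
# otherwise systemd rejects the unit with "more than one ExecStart= setting".
ExecStart=
# The whole command line is pinned here. Any change the package later makes to
# its own ExecStart (new flags, a moved binary) is silently masked by this line,
# which is the "breaks updates" problem raised in the comment.
ExecStart=/usr/bin/dockerd -H fd:// --iptables=false
```

With `--iptables=false` the daemon no longer touches the host's iptables chains, but it also stops adding the NAT and forwarding rules that make `-p`/`--publish` work, so published ports need to be handled by the administrator's own firewall rules. The same setting can be given as `"iptables": false` in `/etc/docker/daemon.json`, which avoids overriding ExecStart at all and therefore survives package updates to the unit file.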