If you run as root in a Docker container, somebody takes over your container. The worst thing they can do is like crash around inside of the containers. There are things you can do, restrict all capabilities to containers. That will restrict the attack surface on the Linux kernel. And for many applications it won't really matter too much, but it's not a lot of work.
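To check what restricting capabilities actually leaves a root process with, the sketch below decodes the `CapEff` mask from `/proc/<pid>/status`. It is an added example, not part of the original talk. The two status snippets are constructed samples: one assumes Docker's default capability set (mask `00000000a80425fb`), the other a container started with `--cap-drop=ALL`.

```python
"""Decode the effective capabilities of a process from /proc/<pid>/status text."""
import re

# Linux capability names indexed by bit number (include/uapi/linux/capability.h).
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID SETPCAP "
    "LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK "
    "IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN "
    "SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE "
    "AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND "
    "AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()

# Constructed samples: root in a container with Docker's default capability set,
# and root in a container started with --cap-drop=ALL.
DEFAULT_STATUS = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n"
DROPPED_STATUS = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t0000000000000000\n"

def parse_status(text):
    """Return (effective uid, CapEff mask) from /proc/<pid>/status content."""
    uid = re.search(r"^Uid:\s+\d+\s+(\d+)", text, re.M)  # 2nd field is the euid
    cap = re.search(r"^CapEff:\s+([0-9a-fA-F]+)", text, re.M)
    if not uid or not cap:
        raise ValueError("status text lacks a Uid or CapEff line")
    return int(uid.group(1)), int(cap.group(1), 16)

def decode_caps(mask):
    """Turn a capability bitmask into a list of CAP_* names."""
    names, bit = [], 0
    while mask >> bit:
        if (mask >> bit) & 1:
            known = bit < len(CAP_NAMES)
            names.append("CAP_" + (CAP_NAMES[bit] if known else str(bit)))
        bit += 1
    return names

def audit(text):
    """Summarise how much kernel privilege the process still holds."""
    euid, mask = parse_status(text)
    caps = decode_caps(mask)
    if euid != 0:
        verdict = "non-root"
    else:
        verdict = "root with capabilities" if caps else "root, all capabilities dropped"
    return {"euid": euid, "caps": caps, "verdict": verdict}

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_STATUS), ("cap-drop=ALL", DROPPED_STATUS)):
        result = audit(text)
        print(f"{label}: {result['verdict']} ({len(result['caps'])} caps)")
        print("  " + (", ".join(result["caps"]) or "none"))
```

Inside a running container, pass the contents of `/proc/self/status` to `audit()` to see what the process really holds.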