Half my detect.sh [VULN] hits were already patched. The other half led to Lynis 64/100 and Docker Bench 11/105 — the real holes weren't in CVE databases at all.

A single apt dist-upgrade across 11 unprivileged LXCs killed every docker container. The cause wasn't docker — it was runc 1.3's OCI spec change colliding with PVE 8.4's read-only /proc/sys.

Diagnosing and patching a Proxmox host plus seven LXC containers against the AF_ALG-based local privilege escalation, including mitigation, repo cleanup, kernel upgrade, and the surprises that fell out along the way.

CVE-2026-41651 hit three of my six LXC containers. What broke during removal — autoremove cascading into unattended-upgrades — and what I changed afterwards.

Build a hardened Ubuntu template in Proxmox once, clone it forever. The same security policy lives in the template's DNA and every child inherits it automatically.

First post. What this blog is and what I'll write about.

What orphanRemoval=true actually does, how it differs from CascadeType.REMOVE, and the three traps you'll hit using them together.