In-container security practices help

I’m not seeing much on security IN containers. Stuff like whether you should use the container’s root user or another user you create, password protection on root/other users in a container, and things like that. Looking at the “security.md” file on GitHub and seeing this:

For production setup, it’s recommended that core.trust_password is unset after all clients have been added. This prevents brute-force attacks trying to guess the password.

Are there any resources or insights on this?

There’s no specific documentation for this because it’s really no different than any other Linux system. Maybe with the one exception that root can do slightly less damage than normal.

So all the usual recommendations about limiting the number of open ports, setting up a firewall, restricting remote shell, … that you would normally have for a Linux VM or physical machine equally apply to containers.

The section of security.md that you found about the password authentication is to prevent password brute forcing of the LXD API itself. If you unset the core.trust_password property after all your client certificates have been added to LXD, then nobody can brute force it.
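The step described in the answer above, as an added example that is not part of the original thread or of LXD's own tooling: it unsets `core.trust_password` only once at least one client certificate is already trusted. The function name `lock_down_trust_password` is hypothetical, and the script assumes an LXD release that still has `core.trust_password` and an `lxc` client with admin access to the daemon.

```shell
#!/bin/sh
# Added example: close the LXD password-enrolment window once clients are trusted.
# Assumption: `lxc config get core.trust_password` prints a non-empty value
# whenever a trust password is set (LXD does not echo the secret itself).

# Returns 0 if no trust password remains set, 1 if it was deliberately left in place.
lock_down_trust_password() {
    if [ -z "$(lxc config get core.trust_password)" ]; then
        echo "core.trust_password is not set"
        return 0
    fi

    # One CSV row per trusted client certificate; grep -c counts non-empty rows.
    certs=$(lxc config trust list --format csv | grep -c . || true)
    if [ "$certs" -eq 0 ]; then
        # Unsetting now would leave no way to enrol the first client by password.
        echo "trust password set, but no client certificates are trusted yet" >&2
        return 1
    fi

    lxc config unset core.trust_password
    echo "unset core.trust_password ($certs trusted client certificate(s))"
}

# Usage on the LXD host, after every client has been added:
#   lock_down_trust_password
```

After this runs successfully, new clients can no longer enrol with a password, so there is nothing left on the API for a brute-force attempt to guess.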