Are there best security practices for containers?

I know that running containers is generally safe by default (correct me if I'm wrong), but do I … have to disable SSH or put up a firewall between them in general?

In general they should be treated as you would any Linux system, whether it’s a physical server or virtual machine.

If the container doesn't expose any service, there's not usually a strong need for a firewall. But in general you want to disable any service you don't actually use, and if you are running services that can listen on a number of unknown ports, then firewalling is a good idea.

If I disable SSH because I'm sure I won't use it, can I do so without crippling commands like 'lxc shell', or is the way the lxc command "gets into" the shell just completely different, so that I don't have to worry about it?

Going a bit further into firewalls, I'm referring to firewalls inside containers, if that even makes sense at that point… or whether all I have to do is firewall at the host level so that private IP X is allowed to contact private IP Y, each private IP representing a container in this case.

I guess I’m just trying to conceptualize and imagine how it would work.

That's right: lxc exec and similar commands do not need anything in the container to function.

It always depends on the services you're running. If you're running untrusted code in those containers, then maybe firewalling them from each other is a good idea; in most other cases, it's somewhat rare to do that.
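The host-level approach the question describes (private IP X may contact private IP Y, everything else between containers is blocked) can be done from the host with nftables, without any firewall inside the containers. The script below is an added example and is not code from the thread or from LXD itself: it generates an nftables ruleset in the bridge family (so it sees traffic switched between containers on the same bridge) that allows only an explicit list of container-to-container flows and logs and drops the rest. The bridge subnet, the container addresses and the ports are constructed sample values; the function name gen_ruleset is my own.

```shell
#!/bin/sh
# Added example (not from the original thread): emit an nftables ruleset that
# restricts container-to-container traffic on a host bridge to an allow list.
# Subnet, addresses and ports below are constructed sample values.

# Subnet of the container bridge (constructed; LXD's default bridge uses a
# random 10.x.y.0/24 range, check it with: lxc network show lxdbr0).
SUBNET="${SUBNET:-10.0.3.0/24}"

# Allow list, one flow per line: <source IP> <destination IP> <protocol> <port>
# Constructed sample: a "web" container may reach a "db" container on PostgreSQL
# and a "cache" container on Redis; nothing else between containers is allowed.
ALLOW_LIST='10.0.3.10 10.0.3.20 tcp 5432
10.0.3.10 10.0.3.30 tcp 6379'

# gen_ruleset <bridge subnet> <allow list>
# Prints a ruleset for the nftables "bridge" family. Matching on both source and
# destination being inside the bridge subnet isolates container-to-container
# traffic without touching container-to-Internet or host traffic; the chain
# policy stays "accept" so that the drop rule is the only thing that blocks.
gen_ruleset() {
    subnet="$1"
    allow="$2"
    printf 'table bridge container_guard {\n'
    printf '  chain forward {\n'
    printf '    type filter hook forward priority 0; policy accept;\n'
    printf '    # replies to flows that were already allowed (needs conntrack in\n'
    printf '    # the bridge family, kernel 5.3 or newer)\n'
    printf '    ct state established,related accept\n'
    printf '%s\n' "$allow" | while read -r src dst proto port; do
        [ -n "$src" ] || continue
        printf '    ip saddr %s ip daddr %s %s dport %s accept\n' \
            "$src" "$dst" "$proto" "$port"
    done
    printf '    # any other traffic between two addresses on the bridge subnet\n'
    printf '    # is logged (visible in the host journal / kernel log) and dropped\n'
    printf '    ip saddr %s ip daddr %s log prefix "container_guard drop: " drop\n' \
        "$subnet" "$subnet"
    printf '  }\n'
    printf '}\n'
}

# Standalone usage: write the ruleset to a file, then review it and load it on
# the host with:  nft -f /tmp/container_guard.nft
gen_ruleset "$SUBNET" "$ALLOW_LIST" > /tmp/container_guard.nft
cat /tmp/container_guard.nft
```

The ruleset is written to a file rather than applied directly so it can be reviewed first; `nft -f` is the standard way to load it. The rules are stateful in one direction only: the database container can answer the web container, but cannot open a new connection to it, which is the property you want when one of the containers runs less trusted code.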