[redtuesday]

Is it intended that the last two have nothing after the equal sign? If yes, what does that do?

There is also --pids-limit=<some number> against fork bombs.

EDIT - this git repo has more links to security related articles etc. https://github.com/wsargent/docker-cheat-sheet#security