[hippiefahrzeug]

There really isn't such a restriction.

I sometimes need containers with several services, and that's perfectly fine if it makes the setup simpler. Services can be dynamically enabled/disabled for instance with daemontools. As a matter of fact, docker brought new life to djb's daemontools for me. This makes it possible to conditionally add even an sshd to my containers (just by mixing in a directory with the run configuration), so I can go into them and check what's going wrong.

And when things need to be hardened up, just drop the corresponding service directory.

[julg]

I prefer exec to installing an sshd inside the container.

  docker exec -it "id of running container" bash

[hippiefahrzeug]

great tip, thanks!

[JdeBP]

If you could improve your daemontools life inside a Docker container (presumably you are running svscan as the primary container process) what would that improvement be?