An edge device may be configured to generate a secure container to perform a software application on the edge device. A security daemon operating on a processor of the edge device may receive a configure host request message from a container manager. In response, the security daemon may determine integrity of metadata, extract licenses from the metadata, determine image permissions, create a user or group account, and update one or more system service access-control lists (ACLs). The security daemon may generate and send a configure host response message to the container manager, which may create and/or start the container.