Base container does not handle dropping all caps and running as non-root very well
psychomantys opened this issue · 0 comments
psychomantys commented
Summary
The base image of the container makes some tests and runs code to "fix" something that is not a problem.
The code is in the file /package/admin/s6-overlay-3.0.0.2/libexec/preinit inside the container.
Steps to reproduce
See the logs from:
version: '3.9'
services:
  dns-cloudflare:
    image: tiredofit/traefik-cloudflare-companion
    cap_drop:
      - ALL
    user: "1000:1000"
    environment:
      - "TRAEFIK_VERSION=2"
      - "SWARM_MODE=TRUE"
      - "DOCKER_HOST=tcp://export-docker-sock:2375"
      - "CF_TOKEN=${CF_TOKEN}"
      - "TARGET_DOMAIN=${CF_LOADBALANCER}"
      - "DOMAIN1=${CF_DOMAIN}"
      - "DOMAIN1_ZONE_ID=${CF_ZONE_ID}"
    deploy:
      replicas: 1
    networks:
      - traefik-net
      - docker-net
networks:
  traefik-net:
    external:
      name: traefik-net
  docker-net:
    external:
      name: docker-ro-net
What is the expected correct behavior?
The container should not need to set uid or gid. The container should be able to run as any user and drop all caps.
Relevant logs and/or screenshots
This is the log:
s6-overlay-suexec: fatal: unable to setgid to root: Operation not permitted
With cap add setuid and setgid:
s6-chown: fatal: unable to chown /run: Operation not permitted
s6-overlay-suexec: fatal: child failed wth exit code 111
Environment
- Image version / tag: latest
- Host OS: Linux
Possible fixes
Well, there are some things:
- List the caps used by the container (do not need this)
- Change the entrypoint to run /usr/sbin/cloudflare-companion directly
- Change the entrypoint to not create files and/or set group/user (or disable this by env)
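As an added illustration (not part of the issue or the project), the following Python triages s6-overlay "Operation not permitted" fatals like the ones quoted above and maps each failing operation to the Linux capability it needs, so a reviewer can see exactly which privileges the init phase depends on instead of adding caps back blindly. The log sample is constructed from the lines in this issue; the operation-to-capability table is an assumption of this example, not something the page states.

```python
import re
from typing import Optional

# Constructed sample: the three s6-overlay lines quoted in this issue.
SAMPLE_LOG = """\
s6-overlay-suexec: fatal: unable to setgid to root: Operation not permitted
s6-chown: fatal: unable to chown /run: Operation not permitted
s6-overlay-suexec: fatal: child failed wth exit code 111
"""

# Assumed mapping (this example's own, not from the page): the capability
# each privileged operation needs when the process is not root.
OPERATION_TO_CAP = {
    "setgid": "CAP_SETGID",
    "setuid": "CAP_SETUID",
    "chown": "CAP_CHOWN",
}

# Matches "<s6 tool>: fatal: unable to <op> ...: Operation not permitted".
FATAL_RE = re.compile(
    r"^(?P<prog>s6-[\w-]+): fatal: unable to (?P<op>\w+)\b.*Operation not permitted$"
)


def triage_line(line: str) -> Optional[dict]:
    """Return {'prog', 'op', 'cap'} for an EPERM fatal line, else None."""
    m = FATAL_RE.match(line.strip())
    if not m:
        return None
    op = m.group("op")
    return {"prog": m.group("prog"), "op": op, "cap": OPERATION_TO_CAP.get(op, "unknown")}


def required_caps(log: str) -> list[str]:
    """Ordered, de-duplicated capabilities the init phase tripped over."""
    seen: list[str] = []
    for line in log.splitlines():
        hit = triage_line(line)
        if hit and hit["cap"] not in seen:
            seen.append(hit["cap"])
    return seen


def compose_cap_add(log: str) -> str:
    """Render the minimal cap_add stanza implied by the log, for human review.
    Compose accepts the names without the CAP_ prefix (e.g. SETGID)."""
    caps = required_caps(log)
    if not caps:
        return "cap_add: []"
    return "cap_add:\n" + "".join(f"  - {c.removeprefix('CAP_')}\n" for c in caps)


if __name__ == "__main__":
    print(compose_cap_add(SAMPLE_LOG))
```

Note that the chown failure only surfaces after setuid/setgid are granted, as the issue shows, so the list grows as you re-run with each successive log; the goal stays the one the issue states, a container that needs none of them.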