the problem here is that if you encounter a bug in the code the OS process allows it to replace itself along with the rest of the container. The security level of root also allows for additional device files and network configuration that are normally not possible.
I would advice go for the following strategy:
the entrypoint initializes the container and ensures that all the necessary permissions are set
sudo hands over the process to a lesser privileged user
from the permissions point of view this would mean
adding a mxisd user
chown -R mxisd. /var/mxisd
apk add sudo
change start sh to exec sudo -u mxisd java -jar /app/mxisd.jar -c /etc/mxisd/mxisd.yaml
When firing up the docker container for mxisd and doing a first inspection I realized that it is running as root:
the problem here is that if you encounter a bug in the code the OS process allows it to replace itself along with the rest of the container. The security level of root also allows for additional device files and network configuration that are normally not possible.
I would advice go for the following strategy:
from the permissions point of view this would mean