Open psychomantys opened 2 years ago
The base image of the container makes some tests and runs code to "fix" something that is not a problem.
The code is in the file /package/admin/s6-overlay-3.0.0.2/libexec/preinit inside the container.
See the logs from:
```yaml
version: '3.9'
services:
  dns-cloudflare:
    image: tiredofit/traefik-cloudflare-companion
    cap_drop:
      - ALL
    user: "1000:1000"
    environment:
      - "TRAEFIK_VERSION=2"
      - "SWARM_MODE=TRUE"
      - "DOCKER_HOST=tcp://export-docker-sock:2375"
      - "CF_TOKEN=${CF_TOKEN}"
      - "TARGET_DOMAIN=${CF_LOADBALANCER}"
      - "DOMAIN1=${CF_DOMAIN}"
      - "DOMAIN1_ZONE_ID=${CF_ZONE_ID}"
    deploy:
      replicas: 1
    networks:
      - traefik-net
      - docker-net
networks:
  traefik-net:
    external:
      name: traefik-net
  docker-net:
    external:
      name: docker-ro-net
```
The container does not need to set uid or gid. The container can run as any user and drop all caps.
This is the log:
```
s6-overlay-suexec: fatal: unable to setgid to root: Operation not permitted
```
With cap add setuid and setgid:
```
s6-chown: fatal: unable to chown /run: Operation not permitted
s6-overlay-suexec: fatal: child failed wth exit code 111
```
Well, there are some things:
/usr/sbin/cloudflare-companion
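The two log excerpts in the report line up with the capability bounding set, which caps what a setuid-root helper can gain. The following diagnostic is an added example, not part of the issue and not s6-overlay's code; the operation-to-capability mapping is an assumption inferred from the log lines and the capabilities the reporter added, and the `/proc` status samples are constructed.

```python
"""Added example: which capabilities the failing calls in the logs need."""
import re

# Linux capability bit numbers (linux/capability.h).
CAP_BITS = {"CAP_CHOWN": 0, "CAP_SETGID": 6, "CAP_SETUID": 7}

# Assumption drawn from the issue's logs and cap_add list, not from
# s6-overlay's source: each operation mapped to the capability permitting it.
NEEDED = {
    "setgid to root": "CAP_SETGID",
    "setuid to root": "CAP_SETUID",
    "chown /run": "CAP_CHOWN",
}

def bounding_set(status_text):
    """Return the capability names (from CAP_BITS) present in CapBnd."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if m is None:
        raise ValueError("no CapBnd line found")
    mask = int(m.group(1), 16)
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}

def blocked_operations(status_text):
    """List the operations from NEEDED that the bounding set does not permit."""
    have = bounding_set(status_text)
    return [op for op, cap in NEEDED.items() if cap not in have]

# Constructed /proc/self/status excerpts for the two setups in the issue.
DROP_ALL = "Name:\tsh\nCapEff:\t0000000000000000\nCapBnd:\t0000000000000000\n"
ADD_SETUID_SETGID = "Name:\tsh\nCapEff:\t0000000000000000\nCapBnd:\t00000000000000c0\n"

if __name__ == "__main__":
    for label, text in (("cap_drop ALL", DROP_ALL),
                        ("cap_add SETUID, SETGID", ADD_SETUID_SETGID)):
        print(label, "->", blocked_operations(text))
    try:
        with open("/proc/self/status") as fh:  # Linux only
            print("this process ->", blocked_operations(fh.read()))
    except OSError:
        pass
```

Run inside the container, the last line reports which of the three operations the current bounding set would still refuse.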