tiredofit / docker-traefik-cloudflare-companion

Automatically Create CNAME records for containers served by Traefik
MIT License

Base container does not handle dropping all caps and running as non-root very well #68

Open psychomantys opened 2 years ago

psychomantys commented 2 years ago

Summary

The base image of the container makes some tests and runs code to "fix" something that is not a problem.

The code is on file /package/admin/s6-overlay-3.0.0.2/libexec/preinit inside the container.

Steps to reproduce

See the logs from:

version: '3.9'

services:
  dns-cloudflare:
    image: tiredofit/traefik-cloudflare-companion
    cap_drop:
      - ALL
    user: "1000:1000"
    environment:
      - "TRAEFIK_VERSION=2"
      - "SWARM_MODE=TRUE"
      - "DOCKER_HOST=tcp://export-docker-sock:2375"
      - "CF_TOKEN=${CF_TOKEN}"

      - "TARGET_DOMAIN=${CF_LOADBALANCER}"
      - "DOMAIN1=${CF_DOMAIN}"
      - "DOMAIN1_ZONE_ID=${CF_ZONE_ID}"
    deploy:
      replicas: 1
    networks:
      - traefik-net
      - docker-net

networks:
  traefik-net:
    external:
      name: traefik-net
  docker-net:
    external:
      name: docker-ro-net

What is the expected correct behavior?

The container does not need to set uid or gid. The container can run as any user and drop all caps.

Relevant logs and/or screenshots

This is the log:

s6-overlay-suexec: fatal: unable to setgid to root: Operation not permitted

With cap_add setuid and setgid:

s6-chown: fatal: unable to chown /run: Operation not permitted
s6-overlay-suexec: fatal: child failed wth exit code 111


Possible fixes

Well, there are some things:
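The two fatal lines above (setgid to root, chown /run) are what the s6-overlay preinit hits when CAP_SETGID/CAP_SETUID and CAP_CHOWN are absent from the effective set. The following preflight script is an added example, not part of this report or of the project: it decodes a CapEff mask as shown in /proc/self/status and names the capabilities preinit needs that are missing, so the failure can be confirmed before touching cap_drop/cap_add.

```shell
#!/bin/sh
# Added example: decode a Linux CapEff hex mask and report which of the
# capabilities that s6-overlay's preinit relies on are missing.
# Bit positions are the kernel's capability numbers (linux/capability.h).
CAP_CHOWN=0
CAP_SETGID=6
CAP_SETUID=7

# has_cap HEXMASK BIT -> returns 0 if the bit is set in the mask
has_cap() {
  mask=$((0x$1))
  bit=$2
  [ $(( (mask >> bit) & 1 )) -eq 1 ]
}

# missing_caps HEXMASK -> prints the space-separated names preinit lacks
missing_caps() {
  missing=""
  has_cap "$1" $CAP_CHOWN  || missing="$missing CHOWN"
  has_cap "$1" $CAP_SETGID || missing="$missing SETGID"
  has_cap "$1" $CAP_SETUID || missing="$missing SETUID"
  printf '%s\n' "${missing# }"
}

# read_capeff -> the current process's CapEff value (Linux /proc only)
read_capeff() {
  awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# report -> run the check against this process, if /proc is available
report() {
  [ -r /proc/self/status ] || { echo "no /proc/self/status; skipping"; return 0; }
  m=$(missing_caps "$(read_capeff)")
  if [ -n "$m" ]; then
    echo "preinit will fail: missing $m (seen as 'unable to setgid'/'unable to chown /run')"
  else
    echo "preinit prerequisites present"
  fi
}

# Constructed sample masks: cap_drop ALL (empty set) and SETUID+SETGID only.
missing_caps 0000000000000000   # CHOWN SETGID SETUID
missing_caps 00000000000000c0   # CHOWN
```

Run it inside the container (docker exec) to see which of the three bits the compose file's cap_drop/cap_add actually left in place.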