[BUG] Newer images require CAP_DAC_OVERRIDE or they get stuck #242

Closed
lespea opened this issue Dec 15, 2024 · 6 comments

lespea commented Dec 15, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Starting with 4.3.3 I get the following log entry and there are 2 processes that use 100% cpu and don't ever seem to terminate. Manually killing them doesn't seem to help (thought I'd try). I am running this via podman with reduced capabilities and after trying many combinations it appears that new linuxserver containers now require CAP_DAC_OVERRIDE in order to run. Ideally I would like to continue running these without that but I understand that it's a pretty niche setup so maybe you don't want to support that.

There is probably a more appropriate repo to file this issue under since it appears to be affecting all newer linuxserver containers I use but I wasn't sure where so I just chose this one.

  • Error
    • rm: cannot remove '/usr/bin/with-contenv': Permission denied
  • Runaway procs
    • bin/bash /command/with-contenv bash /etc/s6-overlay/s6-rc.d/init-migrations/run
    • /bin/bash /command/with-contenv bash /etc/s6-overlay/s6-rc.d/init-envfile/run

Expected Behavior

The container starts.

Steps To Reproduce

Hangs:

```bash
sudo podman run --rm --replace --name sab --security-opt=no-new-privileges --cap-drop all --cap-add setgid --cap-add sys_nice --cap-add setuid --cap-add chown --cap-add kill 'lscr.io/linuxserver/sabnzbd:4.3.3'
```

Works:

```bash
sudo podman run --rm --replace --name sab --security-opt=no-new-privileges --cap-drop all --cap-add setgid --cap-add sys_nice --cap-add setuid --cap-add chown --cap-add kill --cap-add dac_override 'lscr.io/linuxserver/sabnzbd:4.3.3'
```

Works (old version):

```bash
sudo podman run --rm --replace --name sab --security-opt=no-new-privileges --cap-drop all --cap-add setgid --cap-add sys_nice --cap-add setuid --cap-add chown --cap-add kill 'lscr.io/linuxserver/sabnzbd:4.3.2'
```

Environment

- OS: `Linux 6.6.65-1-lts #1 SMP PREEMPT_DYNAMIC Wed, 11 Dec 2024 15:35:54 +0000 x86_64 GNU/Linux`
- How docker service was installed: `pacman -S podman`

```
$ podman version
Client:       Podman Engine
Version:      5.3.1
API Version:  5.3.1
Go Version:   go1.23.3
Git Commit:   4cbdfde5d862dcdbe450c0f1d76ad75360f67a3c
Built:        Thu Nov 21 15:51:46 2024
OS/Arch:      linux/amd64
```

CPU architecture

x86-64

Docker creation

See steps to reproduce

Container logs

When failed:

`rm: cannot remove '/usr/bin/with-contenv': Permission denied`

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

thespad (Member) commented Dec 15, 2024

Do you get the same behaviour with lscr.io/linuxserver/lspipepr-sabnzbd:nightly-8c761ba6-pkg-bc4965db-dev-19e29f3b266fd1e192dcf1385f1989aad262b80a-pr-241 ?

It's the nightly tag so probably don't run it against your live install or you might not be able to go back to stable.

lespea (Author) commented Dec 15, 2024

No that seems to work (it starts up at least)

thespad (Member) commented Dec 15, 2024

OK TL;DR we made a change to fix a bug in our older base images, which seems to have surfaced this issue (it probably shouldn't have been working for months), our newer base (which that PR is using) doesn't use that code at all.

The stable image should be updated in the next couple of weeks, depending on how busy we get.

lespea (Author) commented Dec 15, 2024

Awesome, appreciate the info/update! I'm just pinning all the versions for now and in a few weeks I'll check back and try the new versions. Thanks again!

lespea closed this as completed Dec 15, 2024

thespad (Member) commented Dec 15, 2024

Just look for the Alpine 3.21 or Ubuntu Noble rebase entry in the readme changelog to know if they've been done or not.
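
To check which capabilities a container process really holds under the `--cap-drop all --cap-add ...` sets from the reproduction steps, the `CapEff` mask in `/proc/<pid>/status` can be decoded. This is an added example, not part of the original thread or the linuxserver project; the function names are hypothetical, the bit numbers come from `linux/capability.h`, and it assumes the process runs as root inside the container so that `CapEff` matches the granted set.

```shell
# Added example: decode a Linux capability bitmask (the bare hex CapEff value
# from /proc/<pid>/status) and check it for CAP_DAC_OVERRIDE.
# Only the capabilities named in this issue and their DAC neighbours are listed.
CAP_TABLE="0:chown 1:dac_override 2:dac_read_search 3:fowner 5:kill 6:setgid 7:setuid 23:sys_nice"

# decode_caps HEXMASK -> space-separated names of the listed caps that are set
decode_caps() {
    mask=$(( 0x$1 ))
    out=""
    for entry in $CAP_TABLE; do
        bit=${entry%%:*}
        name=${entry#*:}
        if [ $(( ($mask >> $bit) & 1 )) -eq 1 ]; then
            out="${out:+$out }$name"
        fi
    done
    printf '%s\n' "$out"
}

# has_cap HEXMASK NAME -> exit status 0 if the named capability is in the mask
has_cap() {
    case " $(decode_caps "$1") " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# mask_for NAME... -> 16-digit hex mask for "--cap-drop all --cap-add NAME..."
mask_for() {
    mask=0
    for want in "$@"; do
        for entry in $CAP_TABLE; do
            if [ "${entry#*:}" = "$want" ]; then mask=$(( $mask | (1 << ${entry%%:*}) )); fi
        done
    done
    printf '%016x\n' "$mask"
}

# effective_caps [PID] -> CapEff hex mask of a process (default: the caller)
effective_caps() {
    awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# Constructed input: the capability sets of the two podman commands in the issue.
hang=$(mask_for chown kill setgid setuid sys_nice)
work=$(mask_for chown kill setgid setuid sys_nice dac_override)
echo "hangs: $hang -> $(decode_caps "$hang")"
echo "works: $work -> $(decode_caps "$work")"
```

Inside a running container, `has_cap "$(effective_caps 1)" dac_override` reports whether PID 1 holds the capability.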
