Hi,

Typical fictional unicorn containers should have one process. In practice it's actually processes of one concern, e.g. Apache.

One issue is that your entry point /start.sh should exec to replace the shell (so that the application process would receive signals). Since start.sh is PID 1, it has the responsibility to handle zombies. For this we can use Yelp's dumb-init (which is about to be pushed to the official repo and is already in copr): https://github.com/Yelp/dumb-init

Typically our start.sh starts confd in the background using nohup. Then I exec my application, but I would like to drop privileges. First I used exec sudo or exec su, but it won't replace the process.

I wrote a simple application that drops groups, supplementary groups and user. Not only that, but it can also optionally set PR_SET_NO_NEW_PRIVS with prctl, so that it will never get more privileges even with sudo/su.

What do you think? https://github.com/muayyad-alsadi/oneway/blob/master/README.md
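As an added illustration (not the poster's oneway code, and not from dumb-init), here is a minimal Linux C program of the kind described above: it drops supplementary groups, primary group and user in the order that actually works, sets the irreversible PR_SET_NO_NEW_PRIVS flag, and then execs the application so it replaces the wrapper and keeps receiving signals. The program name and argument layout are assumptions for the example.

```c
/* Added example, not from the post or the oneway project. Linux only. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Order matters: supplementary groups can only be changed while still
 * privileged, and the user id must go last or setgid() would fail. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)  /* supplementary groups */
        return -1;
    if (setgid(gid) != 0)                           /* primary group */
        return -1;
    if (setuid(uid) != 0)                           /* user, last */
        return -1;
    /* Verify: real, effective (and saved) ids all changed. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)                 /* regaining root must fail */
        return -1;
    return 0;
}

/* One-way flag: inherited across fork()/execve(), can never be cleared,
 * so a later execve() of sudo/su cannot grant more privileges. */
int set_no_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

int no_new_privs_enabled(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);  /* 1 once set */
}

/* Hypothetical usage: ./drop-exec UID GID /path/to/app [args...] */
int main(int argc, char **argv)
{
    if (argc < 4) {
        fprintf(stderr, "usage: %s uid gid program [args...]\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
    if (drop_privileges(uid, gid) != 0 || set_no_new_privs() != 0) {
        perror("privilege drop");
        return 1;
    }
    execvp(argv[3], &argv[3]);  /* replaces this process; returns only on error */
    perror("execvp");
    return 1;
}
```

Run as root inside the container as the last step of start.sh (exec'd, so it becomes the signal-receiving process); run unprivileged, the drop is a no-op but the no-new-privs flag is still applied.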