The typical textbook ("unicorn") container should run exactly one process.
In practice it is really the processes of one concern, e.g. Apache.
One issue is that your entry point /start.sh should exec to replace the shell (so that the application process receives signals).
Since start.sh is PID 1, it has the responsibility to reap zombies. For this we can use Yelp's dumb-init (which is about to be pushed to the official repo and is already in copr).
Typically our start.sh starts confd in the background using nohup.
Then I exec my application, but I would like to drop privileges; first I used exec sudo or exec su, but it won't replace the process.
I wrote a simple application that drops groups, supplementary groups and user.
Not only that, but it can also optionally set PR_SET_NO_NEW_PRIVS with prctl, so that it will never get more privileges even with sudo/su.
What do you think?
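Here is an added example (my own sketch, not the tool the post describes) of what such a privilege-dropping exec wrapper looks like in C. It takes a user name and a command, clears supplementary groups, sets the primary group and then the user (in that order, because once setuid() succeeds the group calls are no longer permitted), refuses to continue if root can still be regained, optionally sets PR_SET_NO_NEW_PRIVS, and finally execvp()s the command so that the application really does replace the wrapper as the running process. The program name drop_exec and the --no-new-privs flag are assumptions for the example; nothing here is a real flag of an existing tool.

```c
/* drop_exec.c: constructed example of an exec wrapper that drops
 * privileges and optionally sets PR_SET_NO_NEW_PRIVS before exec.
 * Linux only (prctl). Names and flags are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid. Order matters: supplementary groups first, then the
 * primary group, then the user. Returns 0 on success, -1 on failure
 * (errno set by the failing syscall, or EPERM if root is still reachable). */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* setgroups() needs CAP_SETGID; only attempt it when we are root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Sanity check: after a real drop to a non-root uid, regaining root
     * must fail. If it succeeds, saved-uid handling went wrong. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Set and verify the no_new_privs bit. After this, execve() of a
 * setuid/setgid or file-capability binary (sudo, su, ...) will not grant
 * any extra privileges, and the bit is inherited by all children. */
int set_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1 ? 0 : -1;
}

int main(int argc, char **argv)
{
    int argi = 1, no_new_privs = 0;

    if (argi < argc && strcmp(argv[argi], "--no-new-privs") == 0) {
        no_new_privs = 1;
        argi++;
    }
    if (argc - argi < 2) {
        fprintf(stderr, "usage: %s [--no-new-privs] USER CMD [ARGS...]\n", argv[0]);
        return 2;
    }

    const struct passwd *pw = getpwnam(argv[argi]);
    if (pw == NULL) {
        fprintf(stderr, "unknown user: %s\n", argv[argi]);
        return 1;
    }
    argi++;

    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    if (no_new_privs && set_no_new_privs() != 0) {
        perror("PR_SET_NO_NEW_PRIVS");
        return 1;
    }

    /* Replace this process with the application so that it keeps PID
     * and receives signals directly; only returns on failure. */
    execvp(argv[argi], &argv[argi]);
    perror("execvp");
    return 127;
}
```

In a start.sh this would sit at the end as `exec dumb-init -- /usr/local/bin/drop_exec --no-new-privs app /usr/bin/app ...` (assumed paths): dumb-init takes PID 1 and reaps zombies, the wrapper drops privileges and execs, and the application ends up as the direct child of dumb-init with no shell or sudo/su process left in between.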