[BUG] Docker Compose fails with "operation not permitted", likely due to restrictive security options

[FelixSchmidmeir]

Describe the bug
When freshly cloning the betterbahn repo and starting the service with Docker Compose, the container fails with the following error:

betterbahn-1 | exec /usr/local/bin/docker-entrypoint.sh: operation not permitted

To Reproduce

1. clone the repository
   git clone git@github.com:BetterBahn/betterbahn.git

2. enter the directory
   cd betterbahn

3. run the app with Docker Compose
   docker compose -f docker-compose/docker-compose.yaml --project-directory=./ up -d

Expected behavior
The container should start without problems and the application should be served at localhost:3000

Cause (suspected)
The restrictions in docker-compose/docker-compose.yaml seem to be too restrictive. If I for example remove the following section the container starts just fine.

security_opt:
    - no-new-privileges=true 

Environment:

Docker version: 28.4.0
Docker Compose version: v2.39.1
OS: Ubuntu 24.04.3 LTS

[FunctionDJ]

Please confirm if issue persists with latest image https://github.com/BetterBahn/betterbahn/pkgs/container/betterbahn/604843378?tag=latest

[FelixSchmidmeir]

@FunctionDJ The issue persists with the current code on the main branch.

I cannot reproduce it with the URL you provided, as the URL returns a 404.
If I try to pull the Docker image using my personal access token, I receive an "access denied" error.
Is it possible that the image is private?

docker pull ghcr.io/betterbahn/betterbahn:latest
Error response from daemon: denied

[FunctionDJ]

@FelixSchmidmeir You're correct, it's private. Thanks for letting me know.

The images are now uploaded as betterbahn/betterbahn because the repo got renamed/move from l2xu/betterbahn. I'll sort this out with @l2xu and betterbahn/betterbahn will surely be the new canonical image, we just have to publish them. Join the Discord (README.md) or keep an eye out on docker-compose.yaml for any changes in case I forget to comment here.

[FunctionDJ]

@FelixSchmidmeir ghcr.io/betterbahn/betterbahn:latest is now public.

[FelixSchmidmeir]

Thank you!

It works fine if I just run the docker image:
docker run -p 3000:3000 ghcr.io/betterbahn/betterbahn:latest

The same issue remains if I use the Docker Compose file of the current main branch with the updated image:

image: ghcr.io/betterbahn/betterbahn:latest

docker compose -f docker-compose/docker-compose.yaml --project-directory=./ up -d

Attaching to betterbahn-1
betterbahn-1 | exec /usr/local/bin/docker-entrypoint.sh: operation not permitted

As mentioned in my first comment, I guess that the security restrictions in the the Docker Compose file are too restrictive. If I remove the following section, it works fine:

security_opt:
- no-new-privileges=true

[FunctionDJ]

Thank you for the feedback. We'll have to investigate this further.