CIS hardened host with Docker swarm /usr/local/bin/traefik is not readable and not executable

We want to run Traefik Proxy on a docker host that is CIS hardened (CIS Red Hat Enterprise Linux Benchmarks). When I try to run traefik on this host, I get the following error:

= 'traefik' is not a Traefik command: assuming shell execution.
/ exec: line 18: traefik: Not supported

The first line comes from the and is not the issue. The second line is the actual error. I started the traefik container with docker run -it traefik:v2.10 /bin/sh to investigate further. I'm able to edit the file / using vi. But I'm not able to read /usr/local/bin/traefik. When I run sha256sum /usr/local/bin/traefik or even cat /usr/local/bin/traefik I get:

cat: can't open '/usr/local/bin/traefik': Not supported

ls -l /usr/local/bin/traefik shows me that the file is readable to every user in the container and it shows that the file has a certain size. I can run cat /bin/busybox without any issues.

On another server that is not running Red Hat and is not using CIS hardening, I do not encounter these issues. We are running traefik here in docker swarm (so we are not using podman on Red Hat, but Docker).

Did anyone encountered comparable issues? Does any one has an idea what prevents me from opening /usr/local/bin/traefik?

Great to find fellow Docker Swarm users :slight_smile:

I quickly tried applying CIS to a fresh Debian with debian-cis, but there Traefik continues to work in Docker and I can run docker run -it traefik:v2.10 sh.