# cap_drop: ALL Breaks redis-alpine Startup

**Applies when:** adding Linux capability restrictions to Docker Compose services, especially Redis or any image that switches users at startup.

- `redis:7-alpine` entrypoint calls `gosu redis` to drop from root to the `redis` user.
- `gosu` requires `SETUID` and `SETGID` capabilities to switch users.
- `cap_drop: ALL` without `cap_add: [SETUID, SETGID]` prevents the user switch, causing immediate container exit.
- The container logs show no error -- it just exits silently with code 1.
- Decision (2026-03-24): removed all `cap_drop`/`cap_add` from both compose files. For a dev-only local stack, the complexity and debugging cost outweigh the security benefit. Revisit for production deployment with proper per-service capability analysis.
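
Because the container exits without logging anything, checking the capability mask directly is a quick way to confirm this cause. The script below is an added example, not part of the original note: it decodes a hex capability mask (the value on the `CapBnd:` or `CapEff:` line of `/proc/<pid>/status`) and reports whether the `SETUID` and `SETGID` bits are present. The function names and the sample masks are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which of the capabilities needed for the
# root -> redis user switch are absent from a capability bitmask.

# Bit positions as defined in linux/capability.h.
CAP_SETGID_BIT=6
CAP_SETUID_BIT=7

# has_cap MASK_HEX BIT
# Exit status 0 when the given bit is set in the hex mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# missing_user_switch_caps MASK_HEX
# Prints the space-separated names of the missing capabilities,
# or an empty line when both SETGID and SETUID are present.
missing_user_switch_caps() {
    missing=""
    has_cap "$1" "$CAP_SETGID_BIT" || missing="$missing SETGID"
    has_cap "$1" "$CAP_SETUID_BIT" || missing="$missing SETUID"
    echo "${missing# }"
}

# Constructed sample masks (typed in by hand, not captured output):
MASK_DEFAULT=00000000a80425fb        # Docker's default capability set
MASK_DROP_ALL=0000000000000000       # cap_drop: ALL, nothing added back
MASK_DROP_ALL_ADD=00000000000000c0   # cap_drop: ALL + cap_add: [SETUID, SETGID]

for mask in "$MASK_DEFAULT" "$MASK_DROP_ALL" "$MASK_DROP_ALL_ADD"; do
    result=$(missing_user_switch_caps "$mask")
    if [ -n "$result" ]; then
        echo "$mask: user switch will fail, missing: $result"
    else
        echo "$mask: SETGID and SETUID present"
    fi
done
```

To get a real mask from a service that exits at startup, override its entrypoint with a command that prints `/proc/self/status` and pass the `CapBnd:` value to `missing_user_switch_caps`.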