Capability problems with buster
I attempted to switch the chaperone-base image to pulling from the buster image, and that resulted in a newer set of buster packages (openvpn and iproute2). It turns out that iproute2 has a new commit that makes it drop capabilities unless it is run by root. Supposedly, if it inherits the capabilities from something that is fork/execing it, then it will work, but when I tried to give the inherit caps to openvpn, I found that they were not set in the container, possibly because something in the way podman does setuid()+setcap() makes it so that, with setuid(), the current capability set is empty.
So, in order to fix this, we need to either run the container as root, wait for podman to fix that issue, or try and figure out some other way around the capability issue.
There is an issue in Debian about this. I contacted the original author of the patch, and he didn't have any idea.
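
An added illustration, not part of the original report: a Python model of the execve() capability rules from capabilities(7) for a non-root process, showing why inheritable file capabilities have no effect when the calling process's own inheritable set is empty. The status text, mask values and function names are constructed for this example, and it models only the kernel rules, not podman's or iproute2's internals.

```python
# Model of the non-root execve() capability transformation in capabilities(7).
# All sample values are constructed for illustration.
CAP_NET_ADMIN = 1 << 12  # capability number 12 in linux/capability.h

# Constructed /proc/<pid>/status excerpt: non-root process, empty sets,
# CAP_NET_ADMIN present only in the bounding set.
SAMPLE_STATUS = """Name:\topenvpn
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80435fb
CapAmb:\t0000000000000000
"""

def parse_status(text):
    """Extract the Cap* hex masks from /proc/<pid>/status text."""
    caps = {}
    for line in text.splitlines():
        key, _, val = line.partition(":")
        if key.startswith("Cap"):
            caps[key] = int(val.strip(), 16)
    return caps

def after_exec(proc, f_inh=0, f_perm=0, f_eff=False):
    """Capability sets of a non-root process after execve().

    proc: masks from parse_status(); f_inh/f_perm/f_eff: file capabilities
    of the binary being executed (what setcap writes). Set-uid/set-gid
    binaries are not modelled.
    """
    has_file_caps = bool(f_inh or f_perm)
    # Ambient capabilities are cleared when the binary carries file caps.
    amb = 0 if has_file_caps else proc["CapAmb"]
    perm = (proc["CapInh"] & f_inh) | (f_perm & proc["CapBnd"]) | amb
    eff = perm if f_eff else amb
    return {"CapInh": proc["CapInh"], "CapPrm": perm, "CapEff": eff,
            "CapBnd": proc["CapBnd"], "CapAmb": amb}

def has_net_admin(caps):
    """True if CAP_NET_ADMIN is in the effective set."""
    return bool(caps["CapEff"] & CAP_NET_ADMIN)

if __name__ == "__main__":
    proc = parse_status(SAMPLE_STATUS)
    # Binary marked cap_net_admin+ei, caller's inheritable set empty.
    print("file +ei, empty CapInh:", has_net_admin(
        after_exec(proc, f_inh=CAP_NET_ADMIN, f_eff=True)))
    # Same binary marked cap_net_admin+ep instead.
    print("file +ep:", has_net_admin(
        after_exec(proc, f_perm=CAP_NET_ADMIN, f_eff=True)))
```

Inside the container, `grep Cap /proc/self/status` gives the real input for `parse_status()`.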