Make docker-compose SElinux-compatible #3986
Conversation
balanza
left a comment
balanza
left a comment
There was a problem hiding this comment.
LGTM
I leave the final decision to you. My opinions are:
- disable SELinux labelling for node_exporter
- afaik
:zis not required for named volumes as they are managed by the container manager itself
| - ./container_fixtures/keycloak/realm.json:/opt/keycloak/data/import/realm.json:ro,z | ||
| node_exporter: | ||
| image: docker.io/prom/node-exporter:v1.7.0 | ||
| volumes: |
There was a problem hiding this comment.
This should disable SELinux labeling for this service (I only found Podman docs about it https://docs.podman.io/en/v4.6.0/markdown/options/security-opt.html)
| volumes: | |
| security_opt: | |
| - label:disable | |
| volumes: |
docker-compose.yaml
Outdated
| - prometheus_data:/prometheus | ||
| - ./prometheus-dev-config.yml:/etc/prometheus/prometheus.yml:z | ||
| - ./container_fixtures/prometheus:/container_init:z | ||
| - prometheus_data:/prometheus:z |
There was a problem hiding this comment.
afaik this is not needed for named volumes
| - prometheus_data:/prometheus:z | |
| - prometheus_data:/prometheus |
There was a problem hiding this comment.
This is what keeps me from merging this, I want to test if :z is actually needed for named volumes.
docker-compose.yaml
Outdated
| - pg_data:/var/lib/postgresql/data | ||
| - ./container_fixtures/keycloak/init_keycloak_db.sh:/docker-entrypoint-initdb.d/init_keycloak_db.sh | ||
| - ./container_fixtures/postgres/init_wanda_db.sh:/docker-entrypoint-initdb.d/init_wanda_db.sh:ro | ||
| - pg_data:/var/lib/postgresql/data:z |
There was a problem hiding this comment.
named volume
| - pg_data:/var/lib/postgresql/data:z | |
| - pg_data:/var/lib/postgresql/data |
docker-compose.yaml
Outdated
| image: ghcr.io/axllent/mailpit:v1.24 | ||
| volumes: | ||
| - mailpit:/data | ||
| - mailpit:/data:z |
There was a problem hiding this comment.
named volumes
| - mailpit:/data:z | |
| - mailpit:/data |
nelsonkopliku
left a comment
nelsonkopliku
left a comment
There was a problem hiding this comment.
Seems to be working also in my macos 👀
arbulu89
left a comment
arbulu89
left a comment
There was a problem hiding this comment.
I'm having the next warning message:
WARN[0000] mount of type `volume` should not define `bind` option
WARN[0000] mount of type `volume` should not define `bind` option
WARN[0000] mount of type `volume` should not define `bind` option
I'm not sure if this is fixable. Just writing it here to see if anyone else having the same thing
Actually I have the same @arbulu89 |
gagandeepb
left a comment
gagandeepb
left a comment
There was a problem hiding this comment.
Looks fine in my development env. It is a no-op for me.
This shouldn't apply for them
skrech
force-pushed
the
docker-comp-selinux
branch
from
eb763da to
b8c68d7
Compare
|
@balanza seems to be right, |
Let me re-test this! |
|
Leaving node-exporter for now like this, maybe in the future we might try what @balanza suggested, if there are any problems. Merging... |
5 participants
Description
Adds
:zoption to all the mounts in thedocker-compose.yamlfile. This should be a no-op for non-SElinux systems.Request for comment: what do you think should happen for
node_exporter? It's bind-mounting some OS-level dirs that, IMO, shouldn't (probably can't even) be re-labeled.Tests
Local smoke test of running Trento Web on my SElinux-enabled Leap 16.