Mounting a volume from the host was very easy with Docker.
Specifying whether the host volume should be read-only or read/write was also very easy.
Sample command:
|
|
But when you're mounting a volume from a host with SELinux enabled, things can get a little more complex.
A quick search on Google will lead you to the following official documentation:
It simply tells you that you can use the z or Z option with the -v flag, as part of a comma-separated list of options. Sounds great.
Sample command:
|
|
Hooray! Problem solved! Until the next time you recreate your container, or mount the same host folder in another container…
Read the following line carefully:
- The Z option indicates that the bind mount content is private and unshared.
When it says private and unshared, it means private and unshared from the point of view of the container instance you are running at that very moment.
If you prefer, you may, of course, manually run chcon to fix the problem, or you may want to use the z option instead.
There is one more reason to avoid the Z option:
- Use extreme caution with these options. Bind-mounting a system directory such as /home or /usr with the Z option renders your host machine inoperable and you may need to relabel the host machine files by hand.
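As an added example (not from the original post or from the Docker documentation), this POSIX shell lint checks a set of -v values for the two problems described above: a Z mount of a host path that another mount also uses, and a Z mount of a system directory. The function names, the sample paths and the entries of SYSTEM_DIRS other than /home and /usr are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: lint the values passed to `docker run -v` for risky use of Z.
# SYSTEM_DIRS is an assumed, non-exhaustive list; the post names /home and /usr.
SYSTEM_DIRS="/ /home /usr /etc /var"

# Host side of a HOST:CONTAINER[:OPTIONS] value, without a trailing slash.
host_of() {
    h=${1%%:*}
    case "$h" in /) ;; *) h=${h%/} ;; esac
    echo "$h"
}

# SELinux relabel option of a value: prints Z, z or none.
relabel_opt() {
    case "$1" in *:*:*) opts=${1##*:} ;; *) opts= ;; esac
    case ",$opts," in
        *,Z,*) echo Z ;;
        *,z,*) echo z ;;
        *) echo none ;;
    esac
}

# Print one finding per line for all -v values used on one host.
lint_mounts() {
    all_hosts=""
    for spec in "$@"; do
        all_hosts="$all_hosts $(host_of "$spec")"
    done
    for spec in "$@"; do
        [ "$(relabel_opt "$spec")" = Z ] || continue
        host=$(host_of "$spec")
        for dir in $SYSTEM_DIRS; do
            # Z relabels the whole tree as private to one container.
            if [ "$host" = "$dir" ]; then echo "SYSTEM_DIR $spec"; fi
        done
        uses=0
        for other in $all_hosts; do
            if [ "$other" = "$host" ]; then uses=$((uses + 1)); fi
        done
        # A private label fits one container; other mounts of the path conflict.
        if [ "$uses" -gt 1 ]; then echo "SHARED_PATH $spec"; fi
    done
}

# Constructed sample: -v values of three containers on the same host.
lint_mounts "/srv/app/data:/data:Z" "/srv/app/data:/backup:ro,z" "/home:/host-home:Z"
```

A SHARED_PATH finding is the case where switching to z applies; a SYSTEM_DIR finding is the case the quoted warning describes.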
Of course, as server administrator, you always have the option to disable SELinux once and for all.