#Docker volumes and Selinux

By | July 7, 2017

When running complex environments on Docker on Linux again we face the mighty selinux.

There are plenty of selinux alerts generated when I start my environment when the host machines have selinux enabled and volumes are used by the containers.
Setting selinux permissions is hard and tedious and many people just prefer to disable it.

Recently Docker finally merged a patch in docker-1.7 that takes care of selinux permissions for you.
Docker (version 1.7 and up) now support for “z” and “Z” as options on the volume mounts (-v).

Using z

docker run -v /var/db:/var/db:z rhel7 /bin/sh

The above will automatically do:

chcon -Rt svirt_sandbox_file_t /var/db

Using Z

docker run -v /var/db:/var/db:Z rhel7 /bin/sh

This will label the content inside the container with the exact MCS label that the container will run with, basically it runs:

chcon -Rt svirt_sandbox_file_t -l s0:c1,c2 /var/db

where s0:c1,c2 differs for each container.

See original post for more details Using Volumes with Docker can Cause Problems with SELinux

Using the Z parameter in docker-compose

The Z parameter can be used then in docker-compose files to give permissions to data volumes or to configuration files:

.... 
 oracle:
    build: ./db-server
    volumes:
         - /home/docker-volumes/oracle:/u01/app/oracle:Z
    ports:
         - "1521:1521"
         - "8081:8080"

  logstash:
    build: ./logstash
    volumes:
         - ./logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml:Z
         - ./logstash/pipeline:/usr/share/logstash/pipeline:Z
    ports:
         - "5000:5000"
    environment:
         LS_JAVA_OPTS: "-Xmx256m -Xms256m"
    depends_on:
         - elasticsearch
....
Advertisements

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.