[Container-tools] vagrant-sshfs vs. Docker/SELinux

Tomas Nozicka tnozicka at redhat.com
Wed Apr 13 10:17:53 UTC 2016


On Tue, 2016-04-12 at 16:07 -0400, Dusty Mabe wrote:


> Well.. It has been implemented but not released, which is why it
> doesn't work in CentOS/Fedora. It is a pretty small patch if we wanted
> to carry it for now.
We should do something about that. We are saying [1] that users should
use :z/:Z with docker mounts, but it does not work in ADB/CDK on sshfs
folders which are the way to get persistent storage into the box and to
containers through volume mount. Even the workaround does not fix this
problem. You still end up with error: 
Error response from daemon: operation not supported

But it is not critical if you implement the workaround in vagrant-sshfs;
users just won't use the :z/:Z option, so it will become more of a
consistency issue. But you are still losing the piece of functionality
which differentiates :Z from :z by restricting the mount to only one
container.

Although CentOS 7 has a prehistoric version of
fuse-libs-2.9.2-6.el7.x86_64 from Oct 1, 2012, the fix is not present
even in the newest libfuse version 2.9.5 released on Jan 14, 2016.
The patch is dated Aug 9, 2012 but it is merged only in the master
branch, which is for the 3.x release and does not have any due date on
GitHub [2].
Patching seems like a way to go if we want to fix this.

[1] - http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/
[2] - https://github.com/libfuse/libfuse/milestones

> 
> On a side note `setsebool -P virt_sandbox_use_fusefs 1` works so maybe
> I'll modify the vagrant-sshfs plugin to do that when performing these
> mounts.
I think you should modify vagrant-sshfs at least for now so we have a
partial workaround.


> Dusty
> 
> _______________________________________________
> Container-tools mailing list
> Container-tools at redhat.com
> https://www.redhat.com/mailman/listinfo/container-tools
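
An added example (not part of the original message and not vagrant-sshfs code): a small POSIX shell helper that decides whether to put the :Z suffix on a docker volume, based on whether the host path sits on a FUSE mount such as sshfs, where the thread reports the relabel failing with "operation not supported". The function names and the sample mount table are assumptions constructed for illustration.

```shell
#!/bin/sh
# SAMPLE_MOUNTS is constructed data in /proc/mounts format:
# device, mount point, fstype, options, dump, pass.
SAMPLE_MOUNTS='/dev/mapper/centos-root / xfs rw,seclabel,relatime 0 0
tmpfs /run tmpfs rw,seclabel,nosuid,nodev 0 0
user@192.0.2.1:/home/user/project /vagrant fuse.sshfs rw,nosuid,nodev,allow_other 0 0'

# fstype_for PATH [MOUNTS]: print the fstype of the longest mount point
# that contains PATH. Without MOUNTS, the live /proc/mounts is read.
fstype_for() {
    path=$1
    mounts=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$mounts" | awk -v p="$path" '
        BEGIN { best = -1 }
        {
            mp = $2
            # Match when the mount point is PATH itself or a parent directory.
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                # >= lets a later mount on the same point shadow an earlier one.
                if (length(mp) >= best) { best = length(mp); fs = $3 }
            }
        }
        END { print fs }'
}

# volume_suffix FSTYPE: print the SELinux relabel suffix for a docker volume.
# FUSE mounts get none, because the relabel is what fails there.
# :Z is the private label; :z is the shared variant.
volume_suffix() {
    case $1 in
        fuse|fuse.*) : ;;
        *)           printf ':Z' ;;
    esac
}

# volume_arg HOST_PATH CONTAINER_PATH [MOUNTS]: print the value for docker -v.
volume_arg() {
    fs=$(fstype_for "$1" "${3:-}")
    suffix=$(volume_suffix "$fs")
    if [ -z "$suffix" ]; then
        # Workaround quoted in the thread; the per-container isolation of :Z is lost.
        echo "note: $1 is on $fs; no :Z, needs: setsebool -P virt_sandbox_use_fusefs 1" >&2
    fi
    printf '%s:%s%s\n' "$1" "$2" "$suffix"
}

volume_arg /vagrant/src /src "$SAMPLE_MOUNTS"
```
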



