[Container-tools] vagrant-sshfs vs. Docker/SELinux

Dusty Mabe dusty at dustymabe.com
Wed Apr 13 14:57:34 UTC 2016



On 04/13/2016 06:17 AM, Tomas Nozicka wrote:
> On Tue, 2016-04-12 at 16:07 -0400, Dusty Mabe wrote:
> 
> 
>> Well.. It has been implemented but not released, which is why it
>> doesn't work in CentOS/Fedora. It is a pretty small patch if we wanted
>> to carry it for now.
> We should do something about that. We are saying [1] that users should
> use :z/:Z with docker mounts, but it does not work in ADB/CDK on sshfs
> folders which are the way to get persistent storage into the box and to
> containers through volume mount. Even the workaround does not fix this
> problem. You still end up with error: 
> Error response from daemon: operation not supported
> 
> But it is not critical if you implement the workaround in vagrant-sshfs
> users just won't use the :z/:Z option so it will become more of a
> consistency issue. But you are still losing a piece of functionality
> which differentiates :Z from :z by restricting the mount to only one
> container.

So I just checked and the virtualbox shared folder implementation that
uses the vb guest additions also uses fuse and thus also fails when
trying to set :z/:Z on volume mounts. Looks like it is a problem for
both implementations.

> 
> Although CentOS 7 has a prehistoric version of
> fuse-libs-2.9.2-6.el7.x86_64 from Oct 1, 2012 the fix is not present
> even in the newest libfuse version 2.9.5 released on Jan 14, 2016.
> The patch is dated Aug 9, 2012 but it is merged only in master branch
> which is for 3.x release and does not have any due date on github [2].
> Patching seems like a way to go if we want to fix this.
> 

Even with this patch [1] I don't think we would solve the :z/:Z problem.

Dan, is that accurate?

[1] https://github.com/libfuse/libfuse/commit/c52cafc81ced83fbd5cc7edf4ef5f7cb57b82729

>>
>> On a side note `setsebool -P virt_sandbox_use_fusefs 1` works so maybe
>> I'll modify the vagrant-sshfs plugin to do that when performing these
>> mounts.
> I think you should modify vagrant-sshfs at least for now so we have a
> partial workaround.
> 

Tracker for considering adding this to vagrant-sshfs: 
https://github.com/dustymabe/vagrant-sshfs/issues/19
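
An added example, not part of the original message and not code from vagrant-sshfs or Docker: a shell helper that finds which mount backs a host path and omits the `:Z` suffix when that mount is FUSE-backed, the case the thread reports as failing with "operation not supported". The function names, sample mount table and paths are constructed for illustration; the helper does not change any SELinux boolean.

```shell
#!/bin/sh
# Added example: decide whether a Docker volume mount can ask for SELinux
# relabeling (:Z) based on the filesystem type behind the host path.

# fstype_for PATH [MOUNTS_FILE]
# Print the filesystem type of the mount containing PATH. The longest
# matching mount point wins; on a tie the later entry (an overmount) wins.
# Mount points containing spaces (\040 in /proc/mounts) are not handled.
fstype_for() {
    awk -v p="$1" '
        {
            mp = $2
            # Match when the mount point is /, equals the path,
            # or is a parent directory of the path.
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); fs = $3 }
            }
        }
        END { if (fs != "") print fs }
    ' "${2:-/proc/mounts}"
}

# volume_suffix PATH [MOUNTS_FILE]
# Print ":Z" when relabeling can be requested, or nothing when the path
# sits on a FUSE mount (sshfs appears as fuse.sshfs in the mount table).
volume_suffix() {
    case "$(fstype_for "$1" "$2")" in
        fuse|fuse.*|fuseblk) ;;
        *) printf ':Z' ;;
    esac
}

# Constructed sample mount table (not taken from the thread).
sample=$(mktemp)
printf '%s\n' \
    '/dev/sda1 / xfs rw,seclabel 0 0' \
    'host:/src /home/vagrant/sync fuse.sshfs rw,nosuid,nodev 0 0' > "$sample"

for dir in /home/vagrant/sync /var/lib/appdata; do
    echo "docker run -v $dir:/data$(volume_suffix "$dir" "$sample") ..."
done
rm -f "$sample"
```
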



