[Container-tools] vagrant-sshfs vs. Docker/SELinux

Daniel J Walsh dwalsh at redhat.com
Wed Apr 13 17:58:59 UTC 2016



On 04/13/2016 10:57 AM, Dusty Mabe wrote:
>
> On 04/13/2016 06:17 AM, Tomas Nozicka wrote:
>> On Tue, 2016-04-12 at 16:07 -0400, Dusty Mabe wrote:
>>
>>
>>> Well.. It has been implemented but not released, which is why it
>>> doesn't work in CentOS/Fedora. It is a pretty small patch if we wanted
>>> to carry it for now.
>> We should do something about that. We are saying [1] that users should
>> use :z/:Z with docker mounts, but it does not work in ADB/CDK on sshfs
>> folders which are the way to get persistent storage into the box and to
>> containers through volume mount. Even the workaround does not fix this
>> problem. You still end up with error:
>> Error response from daemon: operation not supported
>>
>> But it is not critical if you implement the workaround in vagrant-sshfs
>> users just won't use the :z/:Z option so it will become more of a
>> consistency issue. But you are still losing a piece of functionality
>> which differentiates :Z from :z by restricting the mount to only one
>> container.
> So I just checked and the virtualbox shared folder implementation that
> uses the vb guest additions also uses fuse and thus also fails when
> trying to set :z/:Z on volume mounts. Looks like it is a problem for
> both implementations.
>
>> Although CentOS 7 has a prehistoric version of
>> fuse-libs-2.9.2-6.el7.x86_64 from Oct 1, 2012 the fix is not present even
>> in the newest libfuse version 2.9.5 released on Jan 14, 2016.
>> The patch is dated Aug 9, 2012 but it is merged only in master branch
>> which is for 3.x release and does not have any due date on github [2].
>> Patching seems like a way to go if we want to fix this.
>>
> Even with this patch [1] I don't think we would solve the :z/:Z problem.
>
> Dan, Is that accurate?
>
> [1] https://github.com/libfuse/libfuse/commit/c52cafc81ced83fbd5cc7edf4ef5f7cb57b82729
Yes :z and :Z will still fail, but you would not need this patch. We could
enhance the :z to check if the mount point is already labeled, and then not
attempt it.
>>> On a side note `setsebool -P virt_sandbox_use_fusefs 1` works so maybe
>>> I'll modify the vagrant-sshfs plugin to do that when performing these
>>> mounts.
>> I think you should modify vagrant-sshfs at least for now so we have a
>> partial workaround.
>>
> Tracker for considering adding this to vagrant-sshfs:
> https://github.com/dustymabe/vagrant-sshfs/issues/19
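
Added example, not part of the original thread and not Docker's code: a Python sketch of the check proposed in the reply above (skip the :z/:Z relabel when the mount point already carries the wanted label), which also reports a filesystem that rejects relabeling instead of aborting. The function names, return strings, injectable `getx`/`setx` parameters and sample labels are assumptions constructed for illustration.

```python
import errno
import os

XATTR = "security.selinux"  # xattr that stores a file's SELinux context

# Constructed sample contexts (illustrative values, not taken from the thread).
FUSE_LABEL = b"system_u:object_r:fusefs_t:s0\x00"
SHARED_LABEL = b"system_u:object_r:svirt_sandbox_file_t:s0"           # ":z"
PRIVATE_LABEL = b"system_u:object_r:svirt_sandbox_file_t:s0:c12,c34"  # ":Z"


def parse_context(raw):
    """Split 'user:role:type[:level]'; the level may itself contain ':'."""
    parts = raw.rstrip(b"\x00").decode().split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % raw)
    return {"type": parts[2], "level": parts[3] if len(parts) > 3 else ""}


def needs_relabel(current, wanted):
    """False only when type and MCS level already match the wanted label."""
    if current is None:
        return True
    return parse_context(current) != parse_context(wanted)


def relabel_volume(path, wanted, getx=None, setx=None):
    """Return 'skipped', 'relabeled' or 'unsupported' for one mount point.

    getx/setx default to os.getxattr/os.setxattr and are injectable (an
    assumption of this sketch) so the logic can be exercised without SELinux.
    """
    getx, setx = getx or os.getxattr, setx or os.setxattr
    try:
        current = getx(path, XATTR)
    except OSError as exc:
        if exc.errno not in (errno.ENODATA, errno.ENOTSUP):
            raise
        current = None  # no label readable; fall through to an attempt
    if not needs_relabel(current, wanted):
        return "skipped"  # already labeled as requested: do not touch it
    try:
        setx(path, XATTR, wanted)
    except OSError as exc:
        if exc.errno == errno.ENOTSUP:  # "operation not supported" (FUSE)
            return "unsupported"
        raise
    return "relabeled"
```

For :Z the comparison includes the MCS categories, so a mount point labeled for a different container is still relabeled rather than skipped.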



