
pass flag required with podman and selinux #32

Merged 1 commit into master from podman-build, Aug 1, 2025

Conversation

glehmann (Member)

Signed-off-by: Gaëtan Lehmann [email protected]

@stormi stormi left a comment

Could you explain the rationale behind the change in the commit message?

I've seen this :Z in the past and I think it was a workaround of an issue which was not the best solution and for which we found a better solution afterwards, but my memory might fail me.

CC @ydirson

glehmann (Member, Author)

With a default install of Fedora 41 Workstation, the container wasn't able to access the local directory mounted in the container.
This is the normal behavior with selinux — see containers/podman#3683

references:
https://docs.docker.com/reference/cli/docker/container/run/#volumes-from
https://docs.podman.io/en/v4.4/markdown/options/volumes-from.html
https://unix.stackexchange.com/questions/651198/podman-volume-mounts-when-to-use-the-z-or-z-suffix


ydirson commented Apr 29, 2025

I've seen this :Z in the past and I think it was a workaround of an issue which was not the best solution and for which we found a better solution afterwards

That does not sound unlike the discussion we had when I added podman support, but that was likely about another mount modifier.

references: https://docs.docker.com/reference/cli/docker/container/run/#volumes-from https://docs.podman.io/en/v4.4/markdown/options/volumes-from.html

Curiously, only Docker seems to mention capital "Z".

https://unix.stackexchange.com/questions/651198/podman-volume-mounts-when-to-use-the-z-or-z-suffix

That SE post makes me wonder why we would want that "private" behavior, we likely don't want any "last caller wins" situation. Lowercase "z" ought to be sufficient, right?

@stormi stormi requested review from stormi and removed request for stormi April 29, 2025 15:58
glehmann (Member, Author)

That SE post makes me wonder why we would want that "private" behavior, we likely don't want any "last caller wins" situation. Lowercase "z" ought to be sufficient, right?

z also works. It's just that it doesn't need to be shared, so the more restrictive one seemed more appropriate.
It doesn't make much difference for our use case.


ydirson commented Apr 30, 2025

It doesn't make much difference for our use case.

The script can be run concurrently, to build several packages and/or run interactive sessions at the same time, and we don't want a new run to interfere with those previously launched but not terminated.

--security-opt label=disable is more performant than using :Z at the end
of the mount option.

Signed-off-by: Gaëtan Lehmann <[email protected]>
Co-authored-by: Gael Duperrey <[email protected]>
Co-authored-by: Thierry Escande <[email protected]>
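The three options weighed in this thread (`:z`, `:Z`, and `--security-opt label=disable`) differ in what they do to the host directory's SELinux label, and the `:Z` variant is the one that breaks concurrent runs because each new container relabels the directory with its own private category. The POSIX sh helper below is an added example, not code from this PR or from the project's build script; it emits the podman arguments for each policy, detects whether SELinux is enforcing, and refuses the per-container relabel when the same host directory is declared as shared by concurrent runs. The host path `/home/me/src`, the container path `/src`, the image name `build-container:latest`, and the `concurrent` flag are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the project's own script): how the mount-labeling policies
# discussed in the PR translate into podman arguments, plus a concurrency check.
# Paths, image name and the "concurrent" flag are assumptions for illustration.

# Print the podman arguments for one bind mount under a given labeling policy.
#   shared  -> ":z"  relabels the directory with a label every container can read
#   private -> ":Z"  relabels with a category private to this container
#                    (the most recent container to relabel wins; earlier ones lose access)
#   disable -> no relabel at all; SELinux confinement is switched off for this
#              container's processes only, so the host label no longer matters
podman_volume_args() {
    host_dir=$1
    ctr_dir=$2
    policy=$3
    case $policy in
        shared)  printf '%s\n' "-v $host_dir:$ctr_dir:z" ;;
        private) printf '%s\n' "-v $host_dir:$ctr_dir:Z" ;;
        disable) printf '%s\n' "--security-opt label=disable -v $host_dir:$ctr_dir" ;;
        *) printf 'unknown policy: %s\n' "$policy" >&2; return 2 ;;
    esac
}

# Return 0 when SELinux is enforcing on this host, 1 otherwise.
# Uses getenforce when present, else the sysfs knob; without either, assume not enforcing.
selinux_enforcing() {
    if command -v getenforce >/dev/null 2>&1; then
        [ "$(getenforce 2>/dev/null)" = "Enforcing" ]
    elif [ -r /sys/fs/selinux/enforce ]; then
        [ "$(cat /sys/fs/selinux/enforce)" = "1" ]
    else
        return 1
    fi
}

# Reject ":Z" when the directory may be mounted by several containers at once:
# each new container relabels it with its own category, cutting off the earlier ones.
# Returns 0 if the policy is safe for the stated concurrency, 1 otherwise.
policy_safe_for_concurrency() {
    policy=$1
    concurrent=$2   # "yes" when several runs may share the host directory
    if [ "$policy" = private ] && [ "$concurrent" = yes ]; then
        return 1
    fi
    return 0
}

# Build the full (dry-run) command line for a build-container run.
# Prints the command instead of executing it so the choice can be inspected.
build_command() {
    host_dir=$1
    policy=$2
    concurrent=$3
    policy_safe_for_concurrency "$policy" "$concurrent" || {
        echo "refusing ':Z' for a directory shared by concurrent runs" >&2
        return 1
    }
    # Without SELinux enforcing, neither a relabel nor label=disable changes anything,
    # so mount plainly and avoid relabeling the host directory for no reason.
    if selinux_enforcing; then
        mnt=$(podman_volume_args "$host_dir" /src "$policy") || return 1
    else
        mnt="-v $host_dir:/src"
    fi
    printf 'podman run --rm -it %s build-container:latest\n' "$mnt"
}

# Example invocation (assumed paths): the "disable" policy is the one this PR adopted.
build_command /home/me/src disable yes
```

Run it on a Fedora host with `getenforce` returning `Enforcing` and the printed command carries `--security-opt label=disable`; on a host without SELinux the same call prints a plain `-v` mount. Asking for `private` together with `concurrent=yes` is refused, which is the "last caller wins" situation the thread wanted to avoid.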
@glehmann glehmann changed the title pass mount flag required with podman and selinux pass flag required with podman and selinux Aug 1, 2025
@glehmann glehmann merged commit 14eb61e into master Aug 1, 2025
4 checks passed
@glehmann glehmann deleted the podman-build branch August 1, 2025 13:27