Add z
permissions option to compose mounts to accommodate SELinux hosts
#3276
Labels
🤖 aspect: dx
Concerns developers' experience with the codebase
🛠 goal: fix
Bug fix
🟨 priority: medium
Not blocking but should be addressed soon
🧱 stack: mgmt
Related to repo management and automations
Description
Hosts using SELinux (ex. RHEL based Linux distros like Fedora) need the
z
option added to bind mounts to configure file permissions for SELinux docker, otherwise things fail on file permissions issues inside the containers. More information about this is here: https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-labelWhile it's dangerous to indiscriminately use this, because we scope all bind mounts to the repository, it is perfectly safe to add
z
to all bind mounts. Folks running SELinux will be conscientious enough to check this. As precedent,pre-commit
also setsz
by default fordocker
anddocker_image
hooks.Fix
Add
z
to all bind mounts in docker-compose.yml.Additional context
I've been working around this by adding it temporarily locally and then removing it. The labels only need to be set once, so this has been manageable for the most part, but any time new files are added, I run into the issue again. Having it added in the compose file would make it so I and others using SELinux don't need to hack around this and remember what to do every time we get a confounding file permissions error locally.
The text was updated successfully, but these errors were encountered: