Docker volumes using the :z or :Z flag don't create the folder on the dockerd host #17262

Closed
rhatdan opened this issue Oct 22, 2015 · 9 comments
Labels
area/runtime area/security/selinux kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed.

@rhatdan
Contributor

rhatdan commented Oct 22, 2015

I have a bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1274210 that is reporting that SELinux volume options "z" & "Z" do not act the same way as "ro", "rw", in that if you specify a non-existent directory in the docker run/create command, docker creates the directory when using "ro", "rw", while it fails with an error in the "z", "Z" case.

I believe that creating the directory in the case of bind mounts is a bug, since this could lead to unexpected behaviour and even leave users confused when they have a simple typo.

docker run -v /var/lib/mariedb:/var/lib/mariadb ...

For example could potentially end up with a directory on the host that was not expected. Forcing the user to do a mkdir /var/lib/mariadb does not seem too onerous.

If the "ro"/"rw" behaviour is expected, I will submit a patch to fix the SELinux issues.
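Added example, not part of the original thread and not Docker code: a pre-flight check that flags `-v` bind-mount specs whose host path does not exist, separating the two behaviours reported above (silent creation versus an error with `z`/`Z`). The function names `check_bind_spec` and `check_docker_args` and the return codes are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not Docker code. Exit codes are this script's own convention:
#   0 = host path exists, or the spec is a named/anonymous volume
#   1 = host path missing, no relabel flag (issue reports dockerd creates it)
#   2 = host path missing with z/Z (issue reports docker fails with an error)
check_bind_spec() {
    spec=$1
    case $spec in
        /*:*) ;;                          # absolute host path = bind mount
        *) echo "not a bind mount: $spec"; return 0 ;;
    esac
    src=${spec%%:*}                       # host side of the spec
    rest=${spec#*:}                       # container path[:options]
    opts=
    case $rest in *:*) opts=${rest#*:} ;; esac
    if [ -e "$src" ]; then echo "ok: $src exists"; return 0; fi
    case ",$opts," in                     # options are comma separated
        *,z,*|*,Z,*)
            echo "missing: $src (relabel requested, expect an error)"
            return 2 ;;
    esac
    echo "missing: $src (would be created on the host, possible typo)"
    return 1
}

# Check every -v/--volume argument of a docker command line.
# Returns the highest code seen, so 0 means every bind source exists.
check_docker_args() {
    worst=0
    while [ $# -gt 0 ]; do
        vspec=
        case $1 in
            -v|--volume) vspec=${2:-}; [ $# -ge 2 ] && shift ;;
            --volume=*)  vspec=${1#--volume=} ;;
        esac
        if [ -n "$vspec" ]; then
            code=0; check_bind_spec "$vspec" || code=$?
            if [ "$code" -gt "$worst" ]; then worst=$code; fi
        fi
        shift
    done
    return "$worst"
}

# Demo on constructed input: an existing temp dir and a misspelled sibling.
demo_dir=$(mktemp -d)
check_docker_args run -v "$demo_dir:/data:Z" \
    -v "$demo_dir/mariedb:/var/lib/mariadb:ro,z" img || echo "exit code: $?"
rmdir "$demo_dir"
```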

@rhatdan
Contributor Author

rhatdan commented Oct 22, 2015

docker info

Containers: 3
Images: 7
Server Version: 1.9.0-dev
Storage Driver: overlay
Backing Filesystem: extfs
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 4.3.0-0.rc5.git1.1.fc24.x86_64
Operating System: Fedora 24 (Workstation Edition) (containerized)
CPUs: 4
Total Memory: 7.478 GiB
Name: dhcp-10-19-62-196.boston.devel.redhat.com
ID: QCJD:BQVE:IUG3:CFBA:4EKW:A3RD:JUR2:7VOG:XWP6:2ELL:KMIY:E5JM

docker version

Client:
Version: 1.9.0-dev
API version: 1.22
Go version: go1.5.1
Git commit: 856f5fd
Built: Tue Oct 20 15:49:16 UTC 2015
OS/Arch: linux/amd64

Server:
Version: 1.9.0-dev
API version: 1.22
Go version: go1.5.1
Git commit: 856f5fd
Built: Tue Oct 20 15:49:16 UTC 2015
OS/Arch: linux/amd64

uname -a

Linux dhcp-10-19-62-196.boston.devel.redhat.com 4.3.0-0.rc5.git1.1.fc24.x86_64 #1 SMP Wed Oct 14 15:47:40 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

@thaJeztah
Member

@rhatdan see #16349, which marks the "auto creation" of directories on the host as deprecated

@rhatdan
Contributor Author

rhatdan commented Oct 26, 2015

Ok I will close my bug as not a bug and can close this issue.

@rhatdan rhatdan closed this as completed Oct 26, 2015
@cpuguy83
Member

Note that it is unintentional that this is happening, I'm not sure why it is at the moment... maybe Relabel is called before the dir is created?
Is this a problem since 1.7?

@runcom
Member

runcom commented May 20, 2016

I'm reopening this since we still have this issue with selinux z and Z and since #21666

@runcom runcom reopened this May 20, 2016
@thaJeztah
Member

@runcom do you have an idea how to solve it as well? Is it safe to put it on a milestone already?

@thaJeztah added the area/runtime, area/security/selinux and kind/bug labels May 20, 2016
@runcom
Member

runcom commented May 20, 2016

@thaJeztah not sure, @rhatdan might have an idea better than me on solving this one.

@rhatdan
Contributor Author

rhatdan commented May 26, 2016

Oops I think this is a different issue

@rhatdan
Contributor Author

rhatdan commented May 26, 2016

Since this was brought back, I have submitted a patch to create the directory if it does not exist and the user specified a relabel.
