<div dir="ltr"><div><div>We are trying to use GlusterFS storage for volumes mounted in Docker containers on Centos 7 with SELinux enforcing. By default, I get `Permission denied` errors when trying to write to a mounted volume:</div><div><br></div><div>```</div><div>sudo docker run -it --rm -v /mnt/container-volumes/:/log/:rw ubuntu bash -c 'echo date >> /log/volume-test.log'</div><div>bash: /log/volume-test.log: Permission denied</div><div>```</div><div><br></div><div>I thought we might be able to address this by changing the SELinux context on the GlusterFS directory (see <a href="http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/">http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/</a>), but we get the following errors:</div><div><br></div><div>```</div><div>$ sudo chcon -Rt svirt_sandbox_file_t /mnt/container-volumes/</div><div>chcon: failed to change context of ‘internal_op’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported</div><div>chcon: failed to change context of ‘.trashcan’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported</div><div>chcon: failed to change context of ‘/mnt/container-volumes/’ to ‘system_u:object_r:svirt_sandbox_file_t:s0’: Operation not supported</div><div>```</div><div><br></div><div>Note that the `:z` Docker volume option also generates the same error:</div><div><br></div><div>```</div><div>sudo docker run -it --rm -v /mnt/container-volumes/:/log/:z ubuntu bash -c 'echo date >> /log/volume-test.log'</div><div>Error response from daemon: operation not supported</div><div>```</div><div><br></div><div>Next, I tried setting the context on the GlusterFS mount:</div><div><br></div><div>```</div><div>$ sudo mount -t glusterfs fs.glusterfs.service.consul:/container-volumes /mnt/container-volumes -o context="system_u:object_r:svirt_sandbox_file_t:s0"</div><div>Invalid option: context</div><div>```</div><div><br></div><div>This looks similar to the question asked in <a href="http://www.gluster.org/pipermail/gluster-users.old/2015-January/020014.html">http://www.gluster.org/pipermail/gluster-users.old/2015-January/020014.html</a> but it was never answered.</div><div><br></div><div>I looked around in the docs and on the mailing list archives but couldn't find a way to solve this. Does anyone know how we can configure GlusterFS so that we can change the SELinux context? Is this supported? Am I missing any steps? Is there any other way of tackling this problem (short of setting SELinux to permissive mode)?</div><div><br></div><div>I'd appreciate any help! Let me know if there is any other information I could provide.</div><div><br></div><div>CentOS Linux release 7.1.1503</div><div>glusterfs 3.7.6</div><div><br></div><div>(For the full context, you can see this issue: <a href="https://github.com/CiscoCloud/microservices-infrastructure/issues/867#issuecomment-159689603">https://github.com/CiscoCloud/microservices-infrastructure/issues/867#issuecomment-159689603</a>)</div><div><br></div><div>Thanks!</div><div>Ryan </div></div>
</div>