Closed adjam closed 4 months ago
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.
Sorry, I think this is a bit too obscure. These samples are intended to get people started, I don't think that supporting selinux out of the box is within the scope.
The Issue
When running under podman-compose and rootless podman on a Linux system with selinux enabled, the temporal container does not start because the dynamicconfig mount fails. This leads to a "500" error page when accessing http://localhost:8080
Why?
When selinux is enabled on the host system, bind mounts need to be relabeled or the mount fails and the container with the mount will not start.
The Z flag modifies the selinux label so the podman process can access the bind mounted directory. The option has no effect when running without selinux enabled.
reference: https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label
see also: https://docs.podman.io/en/latest/markdown/podman-run.1.html#volume-v-source-volume-host-dir-container-dir-options
There are other ways to enable the composed containers to run on an selinux-enabled host system with rootless podman; if you don't want to take on a change like this, it might help others to indicate the system setup options that will enable this application in the documentation.
Change was tested with docker 24.0.5 on Ubuntu 23.04 with selinux disabled, and Fedora 38 with podman 4.7.0 and podman-compose 1.0.6, and selinux enabled. Both led to a usable page at http://localhost:8080, but I can't vouch for the resulting system working in all aspects.
(sorry, unable to create issues so this is how I've managed to do it)
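An added illustration of the relabel described in the PR, written for this page and not taken from the repository's compose file: the dynamicconfig bind mount as it fails on an selinux-enforcing host next to the same mount with the Z option. The service name, image and container-side path are assumptions; only the ":Z" suffix is the point.

```yaml
# Added example, not the project's compose file. Service name, image and
# container-side path are assumed; the change under discussion is the ":Z".
services:
  temporal:
    image: temporalio/auto-setup        # assumed image name
    volumes:
      # Before: with selinux enforcing and rootless podman, the host directory
      # keeps a label the container process may not read, the mount fails and
      # the service never starts (the "500" page described above).
      # - ./dynamicconfig:/etc/temporal/config/dynamicconfig
      #
      # After: ":Z" relabels the host directory with a private container label
      # so podman can access it. With selinux disabled the suffix is a no-op,
      # so the same file still works under docker on a host without selinux.
      - ./dynamicconfig:/etc/temporal/config/dynamicconfig:Z
```

Z assigns a label private to this one container; if the same host directory has to be mounted into several containers at once, the lowercase z (shared label) is the option to use instead.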