[openstack-dev] [tripleo] undercloud containers with SELinux Enforcing

Bogdan Dobrelya bdobreli at redhat.com
Mon Oct 23 09:50:18 UTC 2017


Hello folks.
I need your feedback please on SELinux fixes [0] (or rather workarounds) 
for containerized undercloud feature, which is experimental in Pike.

[TL;DR] The problem I'm trying to solve is primarily allowing TripleO 
users to follow the guide [1] w/o telling them "please disable SELinux".

Especially, given the note "The undercloud is intended to work correctly 
with SELinux enforcing, and cannot be installed to a system with SELinux 
disabled".

I understand that putting "chcon -Rt svirt_sandbox_file_t -l s0" (see 
[2]) to all of the host paths bind-mounted into containers is not 
secure, and from SELinux perspective allows everything to all 
containers. That could be a first step for docker volumes working w/o 
shutting down SELinux on *hosts* though.

I plan to use the same approach for the t-h-t docker/services host-prep 
tasks as well. Why not use docker's :z :Z directly? IIUC, it doesn't 
allow combining them with other mount flags, e.g. :ro:z won't work. I look 
forward to better solutions and ideas!

[0] https://review.openstack.org/#/q/topic:bug/1682179
[1] https://docs.openstack.org/tripleo-docs/latest/install/containers_deployment/undercloud.html
[2] https://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/

-- 
Best regards,
Bogdan Dobrelya,
Irc #bogdando
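An added example (not part of Bogdan's mail, nor TripleO or docker code) that illustrates the trade-off discussed above: a blanket `chcon -Rt svirt_sandbox_file_t -l s0` on a host path gives it the shared container file label at level s0, which every container on the host may access, whereas docker's `:Z` option assigns the path a private MCS category that only the one container receives. Docker takes volume options as a comma-separated list, so a read-only flag and a relabel flag are written together as `ro,z` or `ro,Z`. The helper builds such `-v` arguments, and a second helper classifies an SELinux context string (as printed by `ls -dZ`) so a host-prep task can audit which bind-mounted paths ended up world-container-readable. All paths, image and container names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original mail. Paths and names are constructed.

# volume_arg HOST_PATH CTR_PATH MODE LABEL
#   MODE  : ro | rw
#   LABEL : z    shared container label (svirt_sandbox_file_t / container_file_t
#                at level s0): every container on the host may use the path
#           Z    private MCS category: only this container may use the path
#           none no relabel; relies on a prior chcon of the host path
# Docker separates volume options with commas, so ro and z/Z combine as "ro,Z".
volume_arg() {
  host="$1"; ctr="$2"; mode="$3"; label="$4"
  case "$mode" in
    ro|rw) ;;
    *) echo "bad mode: $mode" >&2; return 1 ;;
  esac
  case "$label" in
    z|Z)  printf '%s:%s:%s,%s\n' "$host" "$ctr" "$mode" "$label" ;;
    none) printf '%s:%s:%s\n' "$host" "$ctr" "$mode" ;;
    *)    echo "bad label: $label" >&2; return 1 ;;
  esac
}

# classify_context CONTEXT
# CONTEXT is an SELinux context such as system_u:object_r:container_file_t:s0
# (field 3 is the type, field 4 onwards the MLS/MCS level). A container file
# type at plain "s0" is reachable by every container; a level carrying
# categories (s0:c12,c34) is restricted to the container that got them.
classify_context() {
  ctx="$1"
  type=$(printf '%s' "$ctx" | cut -d: -f3)
  level=$(printf '%s' "$ctx" | cut -d: -f4-)
  case "$type" in
    svirt_sandbox_file_t|container_file_t) ;;
    *) echo "not-container-accessible"; return 0 ;;
  esac
  case "$level" in
    s0)   echo "shared-all-containers" ;;
    s0:c*) echo "private-mcs" ;;
    *)    echo "unknown-level" ;;
  esac
}

# Dry run: print the docker run line for a service that only needs to read its
# config. ro,Z keeps the directory private to this container, the narrower
# alternative to relabelling the host path for all containers.
dry_run() {
  printf 'docker run -d --name %s -v %s example-svc-image\n' \
    "$1" "$(volume_arg /etc/example-svc /etc/example-svc ro Z)"
}

dry_run example-svc
# Constructed contexts, as `ls -dZ` on a host path might print them:
classify_context system_u:object_r:svirt_sandbox_file_t:s0
classify_context system_u:object_r:container_file_t:s0:c12,c34
```

Running it prints the dry-run `docker run` line followed by `shared-all-containers` and `private-mcs` for the two constructed contexts; feeding `classify_context` the output of `stat -c %C` over each bind-mounted host path would flag the ones that a blanket chcon left readable by every container.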


