I think this is a better fix then #20829

Since it will fail if the user requests a relabel. Should fix the rexray problem.

We are automatically labeling local volumes, but if the user uses other different volumes, he should request relabeling. Then we can fail if the volume does not support the labeling.

also ping @clintonskitson

I tried above patch above, seems it could not work. Failed with following error

$ sudo ./docker-1.11.0-dev run -ti --volume-driver=rexray -v testtwo:/test busybox
permission denied
./docker-1.11.0-dev: Error response from daemon: Container command could not be invoked..

And docker logs are

Mar 02 09:24:17 sw-s5lcdlw5ktj-0-jserl73ppvan-swarm-node-lscjkrmyn6rx.novalocal docker-1.11.0-dev[2005]: time="2016-03-02T09:24:17.166285982Z" level=debug msg="Closing buffered stdin pipe"
Mar 02 09:24:16 sw-s5lcdlw5ktj-0-jserl73ppvan-swarm-node-lscjkrmyn6rx.novalocal docker-1.11.0-dev[2005]: time="2016-03-02T09:24:16.971304507Z" level=error msg="Handler for POST /v1.23/containers/b63e68846a4dc663bbcfa0e5efb8f336afc7d5c0e491c75c782decf108e0a802/start returned error: Container command could not be invoked."
Mar 02 09:24:15 sw-s5lcdlw5ktj-0-jserl73ppvan-swarm-node-lscjkrmyn6rx.novalocal docker-1.11.0-dev[2005]: time="2016-03-02T09:24:15.150251640Z" level=error msg="Error unmounting container b63e68846a4dc663bbcfa0e5efb8f336afc7d5c0e491c75c782decf108e0a802: not mounted"
Mar 02 09:24:15 sw-s5lcdlw5ktj-0-jserl73ppvan-swarm-node-lscjkrmyn6rx.novalocal docker-1.11.0-dev[2005]: time="2016-03-02T09:24:15.148944616Z" level=warning msg="failed to cleanup ipc mounts:\nfailed to umount /var/lib/docker/containers/b63e68846a4dc663bbcfa0e5efb8f336afc7d5c0e491c75c782decf108e0a802/shm: invalid argument"
Mar 02 09:24:15 sw-s5lcdlw5ktj-0-jserl73ppvan-swarm-node-lscjkrmyn6rx.novalocal docker-1.11.0-dev[2005]: time="2016-03-02T09:24:15.134551045Z" level=error msg="error locating sandbox id 7f3371375e5711701ad91e76eafd0ad82fb30c42ee2574d36b41b4bf5356155e: sandbox 7f3371375e5711701ad91e76eafd0ad82fb30c42ee2574d36b41b4bf5356155e not found"
Mar 02 09:24:08 sw-s5lcdlw5ktj-0-jserl73ppvan-swarm-node-lscjkrmyn6rx.novalocal docker-1.11.0-dev[2005]: time="2016-03-02T09:24:08.140166342Z" level=debug msg="devmapper: UnmountDevice(hash=5a0cb8fafadc7a8861896e510f5132fde57bcd73b7766eebf60b3e173fda249a) END"
Mar 02 09:24:08 sw-s5lcdlw5ktj-0-jserl73ppvan-swarm-node-lscjkrmyn6rx.novalocal docker

@HackToday Could you print out the name of the bind.Driver and the bind.Mode before the Requires Relabel check?

@rhatdan I would have access environment tomorrow, right now, at home, I could not access that. :(

@HackToday Ok, this patch is supposed to prevent all non local volumes from doing the relabel, unless the user requests it. The code above adds 'z" to the bind.Mode if the Driver is local which forces the relabel. In the current code, the relabel is forced on all volume drivers which I believe is causing the issue with rexray, and other volumes that do not support XATTR (SELinux) labels.

I like this change better since we will still get failures if a user tries to mount a volume like rexray and specifies :Z or :z

@rhatdan Confirmed, this patch works as well.

Excellent, I think this is the patch that should be merged into docker.

This fixes #18005 ?

Yes it should.

hi @rhatdan as another issue #20855 which prevent me from verify your fix here, But I think if coreos works, it should work with atomic, Right?

Also, for our cases, since this fix can only be merged in 1.11.0 or 1.10.*, But atomic not integrated such new version, Is it possible to have some work-around for atomic ? (means, still enable selinux, but need user do something when run containers with volume driver)

If this gets merged into 1.11.0 we will cherrypick it into our docker-1.10 for Fedora and RHEL, or if it ends up in 1.10.3 we would upgrade to this.

ping @cpuguy83 @calavera

LGTM

:+1 looks good.

Nice.

@rhatdan is this patch merged in 1.10.3?

@miry yes; just follow the link above: #21011

For some reason I need to run in privileged to access the folder.

$ docker run -ti --volume-driver=rexray -v testtwo:/test:rw busybox              
/ # touch /test/1
touch: /test/1: Permission denied 

$ docker run --privileged -ti --volume-driver=rexray -v testtwo:/test:rw busybox
/ # touch /test/1
/ #

permissions of mounted volume:

drwx------ 2 root root 4096 Aug 17 08:54 test

@miry could you open an issue for that? Better than discussing it on a merged PR; make sure to provide info about your setup (at least docker version and docker info)