extern/podman-compose
1
0
Fork 1
mirror of https://github.com/containers/podman-compose.git synced 2025-08-14 07:48:47 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add relabel option to secrets

Browse Source 
On selinux enabled system, the secrets cannot be read without proper
relabeling or correct policy being set.

This patch enables user to instruc podman-copose to use :z or :Z podman
volume options to make podman relabel the file under bind-mount.

More info here:
https://unix.stackexchange.com/questions/728801/host-wide-consequences-of-setting-selinux-z-z-option-on-container-bind-mounts?rq=1

Signed-off-by: Jaroslav Henner <1187265+jarovo@users.noreply.github.com>
This commit is contained in:
Jaroslav Henner
2025-05-19 00:16:04 +02:00
parent c26e188991
commit 82d7622c45
4 changed files with 42 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
docs/Extensions.md
View File

@ -27,6 +27,22 @@ services:
For explanations of these extensions, please refer to the [Podman Documentation](https://docs.podman.io/).
## Secrets
The following extension keys are available under `secret` configuration:
x-podman.relabel - Configure SELinux relabeling
For example, the following configures custom-secret to use mount with private and unshared content.
Only the current container can use a private volume.
```yml
secrets:
custom-secret:
x-podman.relabel: Z
```
For explanations of these extensions, please refer to the [podman-run --volume documentation](https://docs.podman.io/en/latest/markdown/podman-run.1.html#volume-v-source-volume-host-dir-container-dir-options)).
## Network management
The following extension keys are available under network configuration: