docker-compose :Z not supported in volume mounts

[surajssd]

Trying to convert docker-compose.yml file, kompose cannot parse a volume format that looks like "HOSTPATH:CONTAINERPATH:Z".

To change the label in the container context, you can add either of two suffixes :z or :Z to the volume mount. These suffixes tell Docker to relabel file objects on the shared volumes. The z option tells Docker that two containers share the volume content. As a result, Docker labels the content with a shared content label. Shared volume labels allow all containers to read/write content. The Z option tells Docker to label the content with a private unshared label. Only the current container can use a private volume.

Above info source: https://docs.docker.com/engine/reference/commandline/run/#/mount-volumes-from-container-volumes-from

• docker-compose.yml can be found here: https://pagure.io/webauthinfra/raw/master/f/docker-compose.yml
• repo link of above docker-compose.yml https://pagure.io/webauthinfra (you can git clone on https://pagure.io/webauthinfra)

When converting kompose gives warnings like:

$ kompose convert --stdout -y
WARN[0000] Unsupported key build - ignoring             
WARN[0000] Unsupported key domainname - ignoring        
WARN[0000] Unsupported key hostname - ignoring          
WARN[0000] Unsupported key stop_signal - ignoring       
WARN[0000] [www] Service cannot be created because of missing port. 
WARN[0000] Failed to configure container volume: invalid volume format: ./www-data:/data:Z
WARN[0000] Volume mount on the host "/sys/fs/cgroup" isn't supported - ignoring path on the host 
WARN[0000] [app] Service cannot be created because of missing port. 
WARN[0000] Failed to configure container volume: invalid volume format: ./app-data:/data:Z 
WARN[0000] Failed to configure container volume: invalid volume format: ./client-data:/data:Z 
WARN[0000] Volume mount on the host "/sys/fs/cgroup" isn't supported - ignoring path on the host 
WARN[0000] [ipa] Service cannot be created because of missing port. 
WARN[0000] Failed to configure container volume: invalid volume format: ./ipa-data:/data:Z 
WARN[0000] Volume mount on the host "/sys/fs/cgroup" isn't supported - ignoring path on the host 
apiVersion: v1
items:
- apiVersion: v1
[SNIP]

so warnings that show :Z is not supported are

WARN[0000] Failed to configure container volume: invalid volume format: ./www-data:/data:Z

Found this issue from openshift/origin#10925

[ngtuna]

I'm considering if :z and :Z are common cases. What are corresponding options in k8s ?

[ankon]

These somehow would need to get mapped into security context-y things: http://kubernetes.io/docs/user-guide/security-context/

As that seems quite complex, maybe a first step could be to ignore the option with a warning?

In my specific case: I'm trying to use kompose to do a migration from docker-compose to kubernetes, and my first goal is to get things running inside minikube, which doesn't seem to provide SELinux things anyways. I used sed now to drop the ':z', and at least the error message is a lot nicer now:

WARN[0000] Volume mount on the host ".........." isn't supported - ignoring path on the host 

[kadel]

Agree with @ankon here.
First step here should be just ignoring :z and :Z and do same what we do with regular volume mounts without selinux.