Named volume creation with volume path on ecryptfs fails #5200

Closed
imaspeer opened this issue Feb 13, 2020 · 6 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. stale-issue

Comments

@imaspeer

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Creating a named volume with volume path on an ecryptfs filesystem fails with operation not supported.

Steps to reproduce the issue:

  1. Start with volume path on an ecryptfs filesystem and selinux enabled

  2. Run podman volume create bug

Describe the results you received:

The command returns 125 and prints Error: error setting selinux label for /home/aspeer/.local/share/containers/storage/volumes/bug/_data to "system_u:object_r:container_file_t:s0:c980,c892" as shared: failed to set file label on home/aspeer/.local/share/containers/storage/volumes/bug/_data: operation not supported.

The volume is not created.

An empty bug/_data directory is left behind in the volume path.

Describe the results you expected:

The volume is created without error.

Additional information you deem important (e.g. issue happens only occasionally):

This only happens when creating a volume. Mounting a directory from the host in a container works fine, even if the source directory is on ecryptfs.

Output of podman version:

Version:            1.8.0
RemoteAPI Version:  1
Go Version:         go1.13.6
OS/Arch:            linux/amd64

Output of podman info --debug:

debug:
  compiler: gc
  git commit: ""
  go version: go1.13.6
  podman version: 1.8.0
host:
  BuildahVersion: 1.13.1
  CgroupVersion: v2
  Conmon:
    package: conmon-2.0.9-2.fc31.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.9, commit: 7d46f3e7711aa3578488284ae2f98b447658f086'
  Distribution:
    distribution: fedora
    version: "31"
  IDMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  MemFree: 176324608
  MemTotal: 8250556416
  OCIRuntime:
    name: crun
    package: crun-0.12.1-1.fc31.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.12.1
      commit: df5f2b2369b3d9f36d175e1183b26e5cee55dd0a
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  SwapFree: 18754752512
  SwapTotal: 20478160896
  arch: amd64
  cpus: 8
  eventlogger: journald
  hostname: romulus
  kernel: 5.4.13-201.fc31.x86_64
  os: linux
  rootless: true
  slirp4netns:
    Executable: /usr/bin/slirp4netns
    Package: slirp4netns-0.4.0-20.1.dev.gitbbd6f25.fc31.x86_64
    Version: |-
      slirp4netns version 0.4.0-beta.3+dev
      commit: bbd6f25c70d5db2a1cd3bfb0416a8db99a75ed7e
  uptime: 78h 55m 16.83s (Approximately 3.25 days)
registries:
  search:
  - docker.io
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - quay.io
store:
  ConfigFile: /home/aspeer/.config/containers/storage.conf
  ContainerStore:
    number: 2
  GraphDriverName: overlay
  GraphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-0.7.5-2.fc31.x86_64
      Version: |-
        fusermount3 version: 3.6.2
        fuse-overlayfs: version 0.7.5
        FUSE library version 3.6.2
        using FUSE kernel interface version 7.29
  GraphRoot: /home/aspeer/.local/share/containers/storage
  GraphStatus:
    Backing Filesystem: ecryptfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 2
  RunRoot: /run/user/1000
  VolumePath: /home/aspeer/.local/share/containers/storage/volumes

Package info (e.g. output of rpm -q podman or apt list podman):

podman-1.8.0-2.fc31.x86_64

Additional environment details (AWS, VirtualBox, physical, etc.):
Physical machine, fedora 31 with linux 5.4.13

@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Feb 13, 2020
@mheon
Member

mheon commented Feb 13, 2020

I'm guessing that ecryptfs does not have SELinux support?

@rhatdan Anything we can do about this? I assume we can't mount into the container without labelling support in the FS?

@rhatdan
Member

rhatdan commented Feb 14, 2020

We are supposed to ignore those errors and hope for the best.
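
Added example, not part of the thread and not Podman's own code: one way to create a volume directory so that an "operation not supported" result from labeling is tolerated and reported to the caller, while any other failure removes the directory instead of leaving an empty `_data` behind. `createVolumeDir` and `setSELinuxXattr` are hypothetical names; the label string is the one from the error message in the report.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// setSELinuxXattr writes the label to the security.selinux extended attribute.
func setSELinuxXattr(path, label string) error {
	if err := syscall.Setxattr(path, "security.selinux", []byte(label), 0); err != nil {
		return &os.PathError{Op: "setxattr", Path: path, Err: err}
	}
	return nil
}

// createVolumeDir (hypothetical helper) creates <root>/<name>/_data and labels it
// through set, which is injectable so the failure paths can be exercised in tests.
func createVolumeDir(root, name, label string, set func(path, label string) error) (dir string, labeled bool, err error) {
	volDir := filepath.Join(root, name)
	if err = os.Mkdir(volDir, 0o700); err != nil {
		return "", false, err // also refuses to reuse an existing volume name
	}
	dir = filepath.Join(volDir, "_data")
	if err = os.Mkdir(dir, 0o700); err == nil {
		if err = set(dir, label); err == nil {
			return dir, true, nil
		}
		if errors.Is(err, syscall.ENOTSUP) {
			return dir, false, nil // filesystem cannot store labels: caller should log it
		}
	}
	os.RemoveAll(volDir) // only removes what this call created
	return "", false, fmt.Errorf("creating volume %q: %w", name, err)
}

func main() {
	root, err := os.MkdirTemp("", "volumes")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	// Label value copied from the error message in the report.
	dir, labeled, err := createVolumeDir(root, "bug", "system_u:object_r:container_file_t:s0:c980,c892", setSELinuxXattr)
	fmt.Println(dir, labeled, err)
}
```
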

@simonsigre

simonsigre commented Feb 22, 2020

Any users running fedora core 31 can upgrade the fixed packages from rawhide

sudo dnf install fedora-repos-rawhide
sudo dnf upgrade --enablerepo rawhide podman* --nogpgcheck

@github-actions

A friendly reminder that this issue had no activity for 30 days.

@rhatdan
Member

rhatdan commented Mar 24, 2020

@imaspeer Do we still have this issue with the latest packages?

@rhatdan
Member

rhatdan commented Jun 9, 2020

No information, reopen if this is still an issue.

@rhatdan rhatdan closed this as completed Jun 9, 2020
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 23, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2023