Investigate: Docker rootless native overlay2 with SELinux #8
Open
Description
Summary
Docker rootless mode with native overlay2 storage driver does not work when SELinux is enabled (even in permissive mode). Docker explicitly blocks this combination.
Background
- fuse-overlayfs has ~2x CPU overhead due to userspace/kernel context switches
- Native overlay2 would provide better performance for I/O-heavy workloads
- Kernel 5.13+ added rootless overlay support with SELinux fixes
- However, Docker/Moby intentionally disabled this in PR #42462
Error Message
level=error msg="overlay is not supported for Rootless with SELinux" storage-driver=overlay2
failed to start daemon: error initializing graphdriver: driver not supported: overlay2
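As an added example that is not part of this issue and not Docker's or Moby's own code, the POSIX sh script below turns the three facts discussed under Background and the Error Message above (whether the daemon is rootless, whether the kernel is 5.13 or newer, and the SELinux mode) into a single verdict, and also recognises the exact refusal line dockerd logs. The function names, verdict strings and the `--probe` flag are this example's own; `uname -r`, `getenforce` and the `docker info --format` fields used in `probe_host` are real interfaces. The sample log text is constructed from the two lines quoted in the issue.

```shell
#!/bin/sh
# Added example (not from the issue or from Docker): classify a host by the
# three conditions the issue describes. Function names and verdict strings
# are assumptions made for this example.

# kernel_at_least HAVE WANT -> exit 0 when HAVE (e.g. 5.14.0-362.el9.x86_64)
# is at least WANT (e.g. 5.13), comparing only major.minor.
kernel_at_least() {
  have_major=${1%%.*}; have_rest=${1#*.}; have_minor=${have_rest%%.*}
  want_major=${2%%.*}; want_rest=${2#*.}; want_minor=${want_rest%%.*}
  [ "$have_rest" = "$1" ] && have_minor=0   # "5" with no dot: treat as 5.0
  [ "$want_rest" = "$2" ] && want_minor=0
  if [ "$have_major" -gt "$want_major" ]; then return 0; fi
  if [ "$have_major" -lt "$want_major" ]; then return 1; fi
  if [ "$have_minor" -ge "$want_minor" ]; then return 0; fi
  return 1
}

# overlay2_verdict KERNEL SELINUX_MODE ROOTLESS(true|false)
# Prints one of: rootful, blocked-kernel, blocked-selinux, ok, unknown.
# Always exits 0 so it can be used in command substitution under `set -e`.
overlay2_verdict() {
  if [ "$3" != "true" ]; then
    echo rootful            # rootful dockerd never hits this check
    return 0
  fi
  if ! kernel_at_least "$1" 5.13; then
    echo blocked-kernel     # rootless overlay needs the 5.13+ kernel support
    return 0
  fi
  case "$2" in
    Enforcing|Permissive) echo blocked-selinux ;;  # dockerd refuses even in permissive
    Disabled)             echo ok ;;
    *)                    echo unknown ;;
  esac
}

# dockerd_refused_overlay2 reads dockerd log text on stdin and succeeds when
# the refusal message quoted in the issue is present.
dockerd_refused_overlay2() {
  grep -q 'overlay is not supported for Rootless with SELinux'
}

# Constructed sample (not a real capture), built from the lines quoted above.
SAMPLE_DOCKERD_LOG='level=error msg="overlay is not supported for Rootless with SELinux" storage-driver=overlay2
failed to start daemon: error initializing graphdriver: driver not supported: overlay2'

# probe_host gathers the same three facts from the running machine.
# A missing getenforce is treated as SELinux disabled; a missing docker
# binary or a rootful daemon is treated as rootless=false.
probe_host() {
  kernel=$(uname -r)
  if command -v getenforce >/dev/null 2>&1; then
    selinux=$(getenforce)
  else
    selinux=Disabled
  fi
  rootless=false
  if command -v docker >/dev/null 2>&1 &&
     docker info --format '{{.SecurityOptions}}' 2>/dev/null | grep -q 'name=rootless'; then
    rootless=true
  fi
  echo "kernel=$kernel selinux=$selinux rootless=$rootless"
  overlay2_verdict "$kernel" "$selinux" "$rootless"
}

# Only touch the live host when explicitly asked, so the functions above can
# be sourced and exercised with fixed inputs.
if [ "${1:-}" = "--probe" ]; then
  probe_host
fi
```

Running the script with `--probe` prints the gathered facts and the verdict for the current host; sourcing it exposes `overlay2_verdict` for use with values taken from another machine's `uname -r` and `getenforce` output. Note that the SELinux branch reports `blocked-selinux` for `Permissive` as well as `Enforcing`, matching the issue's point that dockerd refuses the combination even in permissive mode.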
Related Links
- Docker issue: rootless+overlay2 (kernel 5.11)+SELinux: mkdir /home/<USER>/.local/share/docker/overlay2/<CID>-init/merged/dev: permission denied. moby/moby#42333
- Docker PR that disabled it: [20.10 backport] rootless: avoid /run/xtables.lock EACCES on SELinux hosts ; disable overlay2 if running with SELinux ; fix "x509: certificate signed by unknown authority" on openSUSE Tumbleweed moby/moby#42462
- Podman rootless overlay support: https://www.redhat.com/en/blog/podman-rootless-overlay
Alternatives to Investigate
- Podman - Supports native overlay2 + SELinux in rootless mode via containers/storage library
- Disable SELinux - Not recommended
- Wait for Docker - May never be supported
Related Files
- Disabled playbook: playbooks/imports/optional/experimental/play-docker-overlay2-migration.yml
Action Items
- Test if Podman with native overlay2 works on this system
- Evaluate effort to migrate CCY from Docker to Podman
- Monitor Docker/Moby for any changes to SELinux+overlay2 support