When I was reading the official document about “bind mounts”, I noticed that it says, " When using bind mounts with services, selinux labels (:Z and :z ), as well as :ro are ignored."
I feel the words here are a bit vague. It says “services” and both docker swarm and docker compose has “service”.
So I followed the link to the GitHub issue. I read through it and some other related issues on GitHub. Looks like they only talke about swarm, stacks.
And I also tried myself. I ran a container with docker compose, which has a bind mount, with volume lable ro.
With the ro flag, my app failed to create files on the path while once I remove the ro flag, my app is able to write and create files.
Looks like the issue only affects docker swarm but not docker compose? Is it correct?
Indeed ambiguous, but it would make sense that services, actually refer to swarm services. If a swarm stack is deployed using docker stack deploy or create by docker service create, these services will be listed by docker service ls. Services from a compose project are not listed by docker service ls.
Services from a compose project create containers that have the same feature set as containers started by docker run. Swarm services on the other hand are monitored by the cluster scheduler, which schedules service tasks on nodes that meet the deployment contraints, which then create the containers. Containers created by tasks have limitations compared to “plain containers” - the compose file specification indicates when a feature is not available for swarm deployments.