Investigate: Docker rootless native overlay2 with SELinux

[LTSCommerce]

Summary

Docker rootless mode with native overlay2 storage driver does not work when SELinux is enabled (even in permissive mode). Docker explicitly blocks this combination.

Background

• fuse-overlayfs has ~2x CPU overhead due to userspace/kernel context switches
• Native overlay2 would provide better performance for I/O-heavy workloads
• Kernel 5.13+ added rootless overlay support with SELinux fixes
• However, Docker/Moby intentionally disabled this in PR #42462

Error Message

level=error msg="overlay is not supported for Rootless with SELinux" storage-driver=overlay2
failed to start daemon: error initializing graphdriver: driver not supported: overlay2

Related Links

• Docker issue: rootless+overlay2 (kernel 5.11)+SELinux: mkdir /home/<USER>/.local/share/docker/overlay2/<CID>-init/merged/dev: permission denied. moby/moby#42333
• Docker PR that disabled it: [20.10 backport] rootless: avoid /run/xtables.lock EACCES on SELinux hosts ; disable overlay2 if running with SELinux ; fix "x509: certificate signed by unknown authority" on openSUSE Tumbleweed  moby/moby#42462
• Podman rootless overlay support: https://www.redhat.com/en/blog/podman-rootless-overlay

Alternatives to Investigate

1. Podman - Supports native overlay2 + SELinux in rootless mode via containers/storage library
2. Disable SELinux - Not recommended
3. Wait for Docker - May never be supported

Related Files

• Disabled playbook: playbooks/imports/optional/experimental/play-docker-overlay2-migration.yml

Action Items

• Test if Podman with native overlay2 works on this system
• Evaluate effort to migrate CCY from Docker to Podman
• Monitor Docker/Moby for any changes to SELinux+overlay2 support