From 5edfbf24084893449ae469dabaa94db8c5b14f4b Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Wed, 2 Jul 2025 09:13:09 -0500
Subject: [PATCH] r/minio: Do not mount storage volume with :Z

The `:Z` flag tells the container runtime to run `chcon` recursively on the specified path, in order to ensure that the files are accessible inside the container. For a very large volume like the MinIO storage directory, this can take an extremely long time. It's really only necessary on the first startup anyway, because the context won't change after that. To avoid spending a bunch of time, we can set the context correctly when we create the directory, and then not worry about it after that.
---
 roles/minio/tasks/deploy.yml | 1 +
 roles/minio/templates/minio.container.j2 | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/roles/minio/tasks/deploy.yml b/roles/minio/tasks/deploy.yml
index 0b75b2a..5216671 100644
--- a/roles/minio/tasks/deploy.yml
+++ b/roles/minio/tasks/deploy.yml
@@ -34,6 +34,7 @@
 group: minio
 mode: u=rwx,go=
 state: directory
+ setype: container_file_t
 tags:
 - datadir
diff --git a/roles/minio/templates/minio.container.j2 b/roles/minio/templates/minio.container.j2
index 5d22c29..c5497c9 100644
--- a/roles/minio/templates/minio.container.j2
+++ b/roles/minio/templates/minio.container.j2
@@ -10,7 +10,7 @@ Exec=server {% if minio_address|d %}--address {{ minio_address }} {% endif %}/da
 User=224
 Group=224
 EnvironmentFile=/etc/sysconfig/minio
-Volume={{ minio_storage_path }}:/data:rw,Z
+Volume={{ minio_storage_path }}:/data:rw
 Volume=/etc/minio/certs:/certs:ro,z
 Network=host
 NoNewPrivileges=yes
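Review bot: `setype: container_file_t` on this directory task sets only the SELinux type of the directory itself; no `selevel` or `recurse` is visible in the hunk, so the MCS level and the labels of anything already under the path stay as they were. On a host that has previously started the container with `:Z`, the tree would still carry that run's private category pair, which a newly created container may not match, so the first start after this change could hit AVC denials; this is inferred, since the start of the task is above the hunk. I would state the level explicitly (for example `selevel: s0`, accepting that this is the shared label) and add a comment above the key such as `# label set once here; the Volume= line no longer uses :Z to relabel on every start`.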
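Review bot: Dropping `Z` from the `/data` volume removes the per-container private MCS label as well as the recursive relabel, and nothing visible in this hunk pins the container's level. If the data ends up labelled `container_file_t` at plain `s0`, SELinux no longer separates it from other container processes on the host, leaving the `u=rwx,go=` mode from `deploy.yml` as the main barrier around the object store. If that isolation is wanted, pin a level with `SecurityLabelLevel=` in this unit and give the directory the same level through `selevel` in `deploy.yml`; otherwise a template comment such as `{# /data is labelled by the deploy task; no :Z so start-up does not relabel the whole store #}` would record the trade-off. The unit continues above and below the hunk, so a label setting may already exist out of view.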