@@ -58,7 +58,10 @@ services:
5858 fi
5959 wait $$SERVER_PID
6060 volumes :
61- - ./puter/data/valkey:/data
61+ # `:z` is an SELinux relabel hint for Fedora/RHEL hosts (no-op
62+ # everywhere else) — without it those distros deny container
63+ # access to the bind mount and the service loops on EACCES.
64+ - ./puter/data/valkey:/data:z
6265 healthcheck :
6366 test :
6467 ["CMD-SHELL", "valkey-cli -p 6379 cluster info | grep -q cluster_state:ok"]
@@ -77,7 +80,7 @@ services:
7780 MARIADB_USER : ${MARIADB_USER:-puter}
7881 MARIADB_PASSWORD : ${MARIADB_PASSWORD:-puter-change-me}
7982 volumes :
80- - ./puter/data/mariadb:/var/lib/mysql
83+ - ./puter/data/mariadb:/var/lib/mysql:z
8184 healthcheck :
8285 # `healthcheck.sh` ships with the mariadb image; --connect verifies
8386 # the server is accepting auth, not just listening on the socket.
@@ -102,7 +105,7 @@ services:
102105 - " -dbPath"
103106 - " /home/dynamodblocal/data"
104107 volumes :
105- - ./puter/data/dynamo:/home/dynamodblocal/data
108+ - ./puter/data/dynamo:/home/dynamodblocal/data:z
106109
107110 s3 :
108111 # RustFS — S3-compatible object storage. Drop-in alternative:
@@ -114,7 +117,7 @@ services:
114117 RUSTFS_ACCESS_KEY : ${S3_ACCESS_KEY:-puter}
115118 RUSTFS_SECRET_KEY : ${S3_SECRET_KEY:-puter-secret-change-me}
116119 volumes :
117- - ./puter/data/s3:/data
120+ - ./puter/data/s3:/data:z
118121 # Internal-only — browsers reach RustFS via nginx (`s3.<domain>`),
119122 # which preserves the Host header for S3 signature validation and
120123 # rides the same TLS termination as Puter. Uncomment to also expose
@@ -180,7 +183,7 @@ services:
180183 container_name : puter-ollama
181184 restart : unless-stopped
182185 volumes :
183- - ./puter/data/ollama:/root/.ollama
186+ - ./puter/data/ollama:/root/.ollama:z
184187 # Uncomment to expose Ollama directly on the host (`localhost:11434`)
185188 # for `ollama` CLI / OpenAI-API compatible tools. Internal-only by default.
186189 # ports:
@@ -257,9 +260,9 @@ services:
257260 PGID : 1000
258261 volumes :
259262 # Drop your config.json here — see selfhosted/full-stack.md.
260- - ./puter/config:/etc/puter
263+ - ./puter/config:/etc/puter:z
261264 # Persistent runtime data (anything your config points at /var/puter).
262- - ./puter/data/puter:/var/puter
265+ - ./puter/data/puter:/var/puter:z
263266 healthcheck :
264267 test : wget --no-verbose --tries=1 --spider http://puter.localhost:4100/test || exit 1
265268 interval : 30s
@@ -279,9 +282,9 @@ services:
279282 # Uncomment when you enable TLS in nginx/nginx.conf:
280283 # - "${HTTPS_PORT:-443}:443"
281284 volumes :
282- - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
285+ - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro,z
283286 # TLS certs (fullchain.pem + privkey.pem). Read-only inside.
284- - ./puter/tls:/etc/nginx/tls:ro
287+ - ./puter/tls:/etc/nginx/tls:ro,z
285288 healthcheck :
286289 test : ["CMD-SHELL", "wget -qO- --tries=1 --timeout=2 http://localhost/ || exit 1"]
287290 interval : 10s
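Review bot: The lowercase `:z` on the `./puter/tls` mount in the last hunk, and on the data and config mounts in the hunks above it, applies a shared SELinux label. On enforcing hosts SELinux then no longer separates that content between containers, and this includes `privkey.pem` and the MariaDB data directory. In the visible hunks each path appears to be mounted by a single service, so the private label would still fix the EACCES loop while keeping per-container isolation: `- ./puter/tls:/etc/nginx/tls:ro,Z` and `- ./puter/data/mariadb:/var/lib/mysql:Z`. If a directory really is shared between services (not visible from these hunks), keep `z` on that mount and say so in a comment. Only the valkey volume carries the explanation; that comment should also mention that the option relabels the host directory itself, so operators know the change persists outside the container.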