Epic
Resolution: Won't Do
[RFE][OSP18] Eliminate selinux rule conflicts for containers
In OSP we bind-mount host paths into containers. This was done, in part, to ease the transition from non-containerized to containerized services in the OSP10 to OSP13 upgrade.
These bind-mounts have SELinux context conflicts between the host and the container and therefore require a number of things to be in place:
1. We need to use the :z flag on the bind-mount.
2. We have to have deployment tasks that correct the bind-mounts' SELinux context, and these need to run whenever a system autorelabel is done.
3. The pacemaker bundles need to ensure that they have the :z flag.
The trouble with this is that there is a constant conflict between the system context and the container context. For example, we cannot set /var/lib/haproxy to container_file_t because a system/core policy already sets it to haproxy_var_lib_t.
We need to figure out a way to resolve these conflicts so that we eliminate the race condition that occurs during upgrades (which involve a relabel when doing the leapp) and may occur by mistake when a deployer relabels a folder.
Continuing to maintain our current implementation is causing upgrade failures, bugs, a growing number of knowledge base articles and confusion. It is a growing technical debt which we can eliminate by moving our container usage to something more standard.
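The conflict described above can be checked for before it bites: for each bind-mounted path, compare the label the policy would restore with the label currently in place. The script below is an added example, not code from this epic or from OSP/TripleO; on a real host the policy default would come from `matchpathcon -n PATH` and the current label from `stat -c %C PATH`, while here both are constructed inline (only the haproxy_var_lib_t vs container_file_t clash is taken from the epic; the other paths and labels are hypothetical).

```shell
#!/bin/sh
# Added example (not from the epic or from OSP): classify bind-mounted host
# paths by whether their SELinux policy default conflicts with the
# container_file_t label that a ":z" bind-mount applies. Input lines are
#   <host path> <policy default context> <current context>
# as `matchpathcon -n PATH` and `stat -c %C PATH` would report on a real host.

# Constructed sample data; apart from /var/lib/haproxy the labels are hypothetical.
SAMPLE='/var/lib/haproxy system_u:object_r:haproxy_var_lib_t:s0 system_u:object_r:container_file_t:s0
/var/lib/config-data/puppet-generated/haproxy system_u:object_r:var_lib_t:s0 system_u:object_r:container_file_t:s0
/var/log/containers/haproxy system_u:object_r:container_file_t:s0 system_u:object_r:container_file_t:s0
/var/lib/haproxy/dev system_u:object_r:haproxy_var_lib_t:s0 system_u:object_r:haproxy_var_lib_t:s0'

# type_of: pull the type field out of a user:role:type:level context string.
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify PATH POLICY_CONTEXT CURRENT_CONTEXT -> one of:
#   ok        policy default already is container_file_t, so a relabel is harmless
#   conflict  container_file_t is in place only because of ":z"; the next
#             autorelabel/restorecon will revert it to the policy default
#   relabeled the revert has already happened; the container is denied access
classify() {
    policy=$(type_of "$2")
    current=$(type_of "$3")
    if [ "$current" != container_file_t ]; then
        echo relabeled
    elif [ "$policy" = container_file_t ]; then
        echo ok
    else
        echo conflict
    fi
}

# audit_labels: read "path policy current" lines on stdin and print one
# "state path (policy -> current)" line each; grep for non-ok states.
audit_labels() {
    while read -r path policy current; do
        [ -n "$path" ] || continue
        printf '%s %s (%s -> %s)\n' "$(classify "$path" "$policy" "$current")" \
            "$path" "$(type_of "$policy")" "$(type_of "$current")"
    done
}

printf '%s\n' "$SAMPLE" | audit_labels
```

Any path reported as conflict is one whose container access depends on the :z relabel surviving, which is exactly what an autorelabel or a manual restorecon undoes.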