fix: disable label separation when binding socket #3150

Merged
merged 2 commits into from
Feb 17, 2025

Contributor

@abn abn commented Feb 15, 2025

This change ensures that when mounting unix sockets for enabling dind access, security opt label=disable is set for the container.

Ref: https://docs.podman.io/en/latest/markdown/podman-system-service.1.html#access-the-unix-socket-from-inside-a-container

See-also: supabase/supabase#33603

What kind of change does this PR introduce?

Bug fix

What is the current behavior?

At present when using rootless podman with SELinux enabled, supabase start command fails at health check step.

Relates-to: #3099

2025-02-15T15:52:11.439823Z ERROR source{component_kind="source" component_id=docker_host component_type=docker_logs component_name=docker_host}: vector::sources::docker_logs: Listing currently running containers failed. error=error trying to connect: Permission denied (os error 13)

What is the new behavior?

When executing supabase start using rootless podman with SELinux enabled, the development environment starts correctly.

Additional context

2025-02-15T15:52:11.439435Z  INFO vector::topology::running: Running healthchecks.
2025-02-15T15:52:11.439488Z  INFO vector::topology::builder: Healthcheck passed.
2025-02-15T15:52:11.439510Z  INFO vector::topology::builder: Healthcheck passed.
2025-02-15T15:52:11.439519Z  INFO vector::topology::builder: Healthcheck passed.
2025-02-15T15:52:11.439524Z  INFO vector::topology::builder: Healthcheck passed.
2025-02-15T15:52:11.439528Z  INFO vector::topology::builder: Healthcheck passed.
2025-02-15T15:52:11.439536Z  INFO vector::topology::builder: Healthcheck passed.
2025-02-15T15:52:11.439540Z  INFO vector::topology::builder: Healthcheck passed.
2025-02-15T15:52:11.439732Z  INFO vector: Vector has started. debug="false" version="0.28.1" arch="x86_64" revision="ff15924 2023-03-06"
2025-02-15T15:52:11.439823Z ERROR source{component_kind="source" component_id=docker_host component_type=docker_logs component_name=docker_host}: vector::sources::docker_logs: Listing currently running containers failed. error=error trying to connect: Permission denied (os error 13)
2025-02-15T15:52:11.445682Z  INFO vector::internal_events::api: API server running. address=0.0.0.0:9001 playground=http://0.0.0.0:9001/playground
2025-02-15T15:52:11.445706Z  INFO vector::app: All sources have finished.
2025-02-15T15:52:11.445708Z  INFO vector: Vector has stopped.
2025-02-15T15:52:11.446959Z  INFO vector::topology::running: Shutting down... Waiting on running components. remaining_components="logflare_rest, logflare_db, logflare_kong, logflare_realtime, logflare_auth, logflare_functions, logflare_storage" time_remaining="59 seconds left"
Stopping containers...
supabase_vector_service-playground container is not ready: starting
Try rerunning the command with --debug to troubleshoot the error.

This change ensures that when mounting unix sockets for enabling dind
access, security opt `label=disable` is set for the container.
@abn abn requested a review from a team as a code owner February 15, 2025 17:38

coveralls commented Feb 15, 2025

Pull Request Test Coverage Report for Build 13364385539

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 2 of 3 (66.67%) changed or added relevant lines in 1 file are covered.
  • 8 unchanged lines in 2 files lost coverage.
  • Overall coverage decreased (-0.05%) to 58.551%

| Changes Missing Coverage | Covered Lines | Changed/Added Lines | % |
|---|---|---|---|
| internal/start/start.go | 2 | 3 | 66.67% |

| Files with Coverage Reduction | New Missed Lines | % |
|---|---|---|
| internal/debug/postgres.go | 3 | 64.86% |
| internal/gen/keys/keys.go | 5 | 12.9% |

| Totals | Coverage Status |
|---|---|
| Change from base Build 13336018446: | -0.05% |
| Covered Lines: | 7809 |
| Relevant Lines: | 13337 |

💛 - Coveralls

@sweatybridge sweatybridge merged commit 23706be into supabase:develop Feb 17, 2025
13 checks passed
@github-actions github-actions bot mentioned this pull request Feb 18, 2025