test container: Add DAC_READ_SEARCH capability

SSSD 2.10+ runs under non-privileged user 'sssd' and relies on system capabilities to get access to certain resources like /etc/krb5.keytab. Not having these capabilities result in SSSD not starting. Podman has reduced the capabilities granted to containers, and to be able to start SSSD it is needed to add DAC_READ_SEARCH back. This patch adds file infra/images/shdefaults to store the defaults used by ansible-freeipa shell utilities in a contral location. See: https://github.com/containers/podman/discussions/24904#discussioncomment-11718823 Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>

test container: Add DAC_READ_SEARCH capability
2d3da2d7 · Rafael Guterres Jeffman · f04c90f4 · 2d3da2d7 · 2d3da2d7
Commit 2d3da2d7 authored 2 months ago by Rafael Guterres Jeffman
--- a/infra/image/shcontainer
+++ b/infra/image/shcontainer
@@ -4,13 +4,18 @@
 SCRIPTDIR="$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")"
 TOPDIR="$(readlink -f "${SCRIPTDIR}/../..")"
+. "${SCRIPTDIR}/shdefaults"
+# shellcheck disable=SC1091
 . "${TOPDIR}/utils/shfun"
 container_create() {
    local name=${1}
    local image=${2}
    shift 2
-    declare -a extra_opts=()
+    declare -a extra_opts
+    readarray -t extra_opts < \
+        <(sed -e "s/-/--cap-drop=/g" -e "s/+/--cap-add=/g" <<< "${CAP_DEFAULTS[@]}")
    for opt in "$@"
    do
        [ -z "${opt}" ] && continue

--- a/infra/image/shdefaults
+++ b/infra/image/shdefaults
+#!/bin/bash -eu
+# This file is meant to be source'd by other scripts
+# Set default capabilities options for freeipa containers.
+# Use +CAP to add the capability and -CAP to drop the capability.
+CAP_DEFAULTS=(
+    "+DAC_READ_SEARCH"  # Required for SSSD
+)