From 2d3da2d72c4244af09f33da33c3fb26779de4951 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Fri, 11 Apr 2025 10:23:41 -0300
Subject: [PATCH] test container: Add DAC_READ_SEARCH capability

SSSD 2.10+ runs under non-privileged user 'sssd' and relies on system
capabilities to get access to certain resources like /etc/krb5.keytab.
Not having these capabilities result in SSSD not starting.

Podman has reduced the capabilities granted to containers, and to be
able to start SSSD it is needed to add DAC_READ_SEARCH back.

This patch adds file infra/images/shdefaults to store the defaults used
by ansible-freeipa shell utilities in a central location.

See:  https://github.com/containers/podman/discussions/24904#discussioncomment-11718823

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
---
 infra/image/shcontainer | 7 ++++++-
 infra/image/shdefaults  | 8 ++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 infra/image/shdefaults

diff --git a/infra/image/shcontainer b/infra/image/shcontainer
index 71b086d5..4d934a0b 100644
--- a/infra/image/shcontainer
+++ b/infra/image/shcontainer
@@ -4,13 +4,18 @@
 SCRIPTDIR="$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")"
 TOPDIR="$(readlink -f "${SCRIPTDIR}/../..")"
 
+. "${SCRIPTDIR}/shdefaults"
+
+# shellcheck disable=SC1091
 . "${TOPDIR}/utils/shfun"
 
 container_create() {
     local name=${1}
     local image=${2}
     shift 2
-    declare -a extra_opts=()
+    declare -a extra_opts
+    readarray -t extra_opts < \
+        <(sed -e "s/-/--cap-drop=/g" -e "s/+/--cap-add=/g" <<< "${CAP_DEFAULTS[@]}")
     for opt in "$@"
     do
         [ -z "${opt}" ] && continue
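Review bot: The here-string on the added readarray line expands `"${CAP_DEFAULTS[@]}"` into one space-joined line, so as soon as shdefaults lists a second capability readarray yields a single element holding both options and that element is presumably handed to the container runtime as one argument; the `g`-flag substitutions also rewrite any `-` or `+` anywhere in an entry, not only the leading sign. Iterating the array and deriving each option with parameter expansion avoids the subshell, the sed call and the splitting problem. Dropping the `=()` from `declare -a extra_opts` also leaves the array unset when CAP_DEFAULTS is empty, which under `set -u` on older bash makes a later `"${extra_opts[@]}"` expansion fail, so the initialiser should stay. container_create's body continues past the end of the hunk.
```shell
    declare -a extra_opts=()
    local cap
    for cap in "${CAP_DEFAULTS[@]}"; do
        case "${cap}" in
            +*) extra_opts+=("--cap-add=${cap#+}") ;;
            -*) extra_opts+=("--cap-drop=${cap#-}") ;;
        esac
    done
    # … unchanged: loop over "$@" appending to extra_opts …
```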
diff --git a/infra/image/shdefaults b/infra/image/shdefaults
new file mode 100644
index 00000000..86c50ab4
--- /dev/null
+++ b/infra/image/shdefaults
@@ -0,0 +1,8 @@
+#!/bin/bash -eu
+# This file is meant to be source'd by other scripts
+
+# Set default capabilities options for freeipa containers.
+# Use +CAP to add the capability and -CAP to drop the capability.
+CAP_DEFAULTS=(
+    "+DAC_READ_SEARCH"  # Required for SSSD
+)
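Review bot: The inline comment `# Required for SSSD` on the DAC_READ_SEARCH entry should say why, because every entry in this array widens the capability set of all containers created through shcontainer; the commit message already has the justification, so `"+DAC_READ_SEARCH"  # SSSD 2.10+ runs as user 'sssd' and needs this to read /etc/krb5.keytab` keeps it next to the setting. The `#!/bin/bash -eu` shebang is inert in a file that is only sourced, as the header comment states, and options placed in a shebang are lost anyway when a file is run as `bash file`; a plain `#!/bin/bash`, or no shebang plus `# shellcheck shell=bash`, states the intent more accurately. It is also worth noting in the header that each element must be a single `+CAP` or `-CAP` token, since container_create in shcontainer is expected to turn each entry into exactly one `--cap-add`/`--cap-drop` option.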
-- 
GitLab