From 2d3da2d72c4244af09f33da33c3fb26779de4951 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Fri, 11 Apr 2025 10:23:41 -0300
Subject: [PATCH] test container: Add DAC_READ_SEARCH capability

SSSD 2.10+ runs under non-privileged user 'sssd' and relies on system capabilities to get access to certain resources like /etc/krb5.keytab. Not having these capabilities result in SSSD not starting.

Podman has reduced the capabilities granted to containers, and to be able to start SSSD it is needed to add DAC_READ_SEARCH back.

This patch adds file infra/images/shdefaults to store the defaults used by ansible-freeipa shell utilities in a contral location.

See: https://github.com/containers/podman/discussions/24904#discussioncomment-11718823

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
---
 infra/image/shcontainer | 7 ++++++-
 infra/image/shdefaults | 8 ++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 infra/image/shdefaults

diff --git a/infra/image/shcontainer b/infra/image/shcontainer
index 71b086d5..4d934a0b 100644
--- a/infra/image/shcontainer
+++ b/infra/image/shcontainer
@@ -4,13 +4,18 @@
 SCRIPTDIR="$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")"
 TOPDIR="$(readlink -f "${SCRIPTDIR}/../..")"
 
+. "${SCRIPTDIR}/shdefaults"
+
+# shellcheck disable=SC1091
 . "${TOPDIR}/utils/shfun"
 
 container_create() {
     local name=${1}
     local image=${2}
     shift 2
-    declare -a extra_opts=()
+    declare -a extra_opts
+    readarray -t extra_opts < \
+      <(sed -e "s/-/--cap-drop=/g" -e "s/+/--cap-add=/g" <<< "${CAP_DEFAULTS[@]}")
     for opt in "$@"
     do
         [ -z "${opt}" ] && continue
diff --git a/infra/image/shdefaults b/infra/image/shdefaults
new file mode 100644
index 00000000..86c50ab4
--- /dev/null
+++ b/infra/image/shdefaults
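Review bot: The new `readarray -t extra_opts < <(sed ... <<< "${CAP_DEFAULTS[@]}")` lines in container_create only behave as intended while CAP_DEFAULTS holds a single entry: the here-string joins the array elements with spaces into one line, readarray splits on newlines, so two or more defaults collapse into a single `--cap-add=A --cap-add=B` word, which the container runtime would presumably treat as one malformed option once extra_opts is expanded as arguments. Emitting one element per line and anchoring the substitutions fixes this: `readarray -t extra_opts < <(printf '%s\n' "${CAP_DEFAULTS[@]}" | sed -e 's/^-/--cap-drop=/' -e 's/^+/--cap-add=/')`. The unanchored `s/-/--cap-drop=/g` would also rewrite any `-` appearing later in an entry, so the `^` anchor is worth adding regardless of the multi-entry case. The added `. "${SCRIPTDIR}/shdefaults"` line needs its own `# shellcheck disable=SC1091` (or `# shellcheck source=infra/image/shdefaults`), since the directive placed before the shfun line covers only that line. container_create's body continues past the end of the hunk.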
@@ -0,0 +1,8 @@
+#!/bin/bash -eu
+# This file is meant to be source'd by other scripts
+
+# Set default capabilities options for freeipa containers.
+# Use +CAP to add the capability and -CAP to drop the capability.
+CAP_DEFAULTS=(
+    "+DAC_READ_SEARCH" # Required for SSSD
+)
--
GitLab
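Review bot: The `#!/bin/bash -eu` shebang on the first line of shdefaults is misleading for a file that, per its own second line, is only ever sourced: interpreter options in a shebang are not applied when the file is read with `.`, so `-eu` never takes effect and a reader may assume the defaults are evaluated under strict mode. Replacing it with `# shellcheck shell=bash` keeps ShellCheck informed of the dialect without implying options that are never set; `source'd` on the next line should read `sourced`. The entry comment would help a maintainer judge whether a capability belongs in the default set if it stated the effect rather than only the consumer, e.g. `"+DAC_READ_SEARCH" # SSSD runs as an unprivileged user and needs to read /etc/krb5.keytab; this bypasses file read permission checks`.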