Commit 4c3f4e6f authored by Thomas Woerner's avatar Thomas Woerner

infra/image: Use SYS_ADMIN capability for server deployment

This adds the capabilities SYS_ADMIN and SYSLOG to the container_create
call in build.sh when server deployment has been enabled.

The privileged option has been removed as it is no longer needed.

The hostnamectl-wrapper for the container has been removed as it is no
longer needed.
parent 489f4d57
...@@ -23,7 +23,7 @@ jobs: ...@@ -23,7 +23,7 @@ jobs:
- script: ansible-galaxy collection install containers.podman - script: ansible-galaxy collection install containers.podman
displayName: Install Ansible Galaxy collections displayName: Install Ansible Galaxy collections
- script: infra/image/build.sh -p -s ${{ parameters.distro }} - script: infra/image/build.sh -s ${{ parameters.distro }}
displayName: Build ${{ parameters.distro }} base image displayName: Build ${{ parameters.distro }} base image
env: env:
ANSIBLE_ROLES_PATH: "${PWD}/roles" ANSIBLE_ROLES_PATH: "${PWD}/roles"
...@@ -15,7 +15,7 @@ valid_distro() { ...@@ -15,7 +15,7 @@ valid_distro() {
usage() { usage() {
local prog="${0##*/}" local prog="${0##*/}"
cat << EOF cat << EOF
usage: ${prog} [-h] [-p] [-n HOSTNAME] [-s] distro usage: ${prog} [-h] [-n HOSTNAME] [-s] distro
${prog} build a container image to test ansible-freeipa. ${prog} build a container image to test ansible-freeipa.
EOF EOF
} }
...@@ -41,14 +41,14 @@ cpus="2" ...@@ -41,14 +41,14 @@ cpus="2"
memory="3g" memory="3g"
quayname="quay.io/ansible-freeipa/upstream-tests" quayname="quay.io/ansible-freeipa/upstream-tests"
deploy_server="N" deploy_server="N"
privileged="" deploy_capabilities="SYS_ADMIN,SYSLOG"
capabilities=""
while getopts ":hn:ps" option while getopts ":hn:s" option
do do
case "${option}" in case "${option}" in
h) help && exit 0 ;; h) help && exit 0 ;;
n) hostname="${OPTARG}" ;; n) hostname="${OPTARG}" ;;
p) privileged="privileged" ;;
s) deploy_server="Y" ;; s) deploy_server="Y" ;;
*) die -u "Invalid option: ${option}" ;; *) die -u "Invalid option: ${option}" ;;
esac esac
...@@ -66,6 +66,8 @@ container_check ...@@ -66,6 +66,8 @@ container_check
if [ "${deploy_server}" == "Y" ] if [ "${deploy_server}" == "Y" ]
then then
capabilities="${deploy_capabilities}"
[ -n "$(command -v "ansible-playbook")" ] || die "ansible-playbook is required to install FreeIPA." [ -n "$(command -v "ansible-playbook")" ] || die "ansible-playbook is required to install FreeIPA."
deploy_playbook="${TOPDIR}/playbooks/install-server.yml" deploy_playbook="${TOPDIR}/playbooks/install-server.yml"
...@@ -89,7 +91,7 @@ container_create "${name}" "${tag}" \ ...@@ -89,7 +91,7 @@ container_create "${name}" "${tag}" \
"hostname=${hostname}" \ "hostname=${hostname}" \
"memory=${memory}" \ "memory=${memory}" \
"cpus=${cpus}" \ "cpus=${cpus}" \
"${privileged}" "${capabilities:+capabilities=$capabilities}"
container_commit "${name}" "${quayname}:${tag}" container_commit "${name}" "${quayname}:${tag}"
if [ "${deploy_server}" == "Y" ] if [ "${deploy_server}" == "Y" ]
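Review bot: The new `deploy_capabilities="SYS_ADMIN,SYSLOG"` line carries no comment on why each capability is needed, and SYS_ADMIN is broad enough that it is commonly described as near-root, so a later reader cannot tell whether the list can be narrowed; I would add above it `# Only granted when -s deploys a FreeIPA server (see capabilities= below). SYS_ADMIN is near-root: keep this list minimal and document any addition.` Separately, `"${capabilities:+capabilities=$capabilities}"` on the container_create call still expands to one empty positional argument when -s is not given, exactly as the old `"${privileged}"` did, and unless container_create skips empty options (only part of its case statement is visible) that argument falls through to the `Invalid option` arm. An array avoids the empty word: `caps_opt=(); [ -n "${capabilities}" ] && caps_opt=("capabilities=${capabilities}")` and then `"${caps_opt[@]}"` in the call.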
...@@ -13,12 +13,6 @@ dnf --assumeyes install \ ...@@ -13,12 +13,6 @@ dnf --assumeyes install \
hostname; \ hostname; \
rm -rf /var/cache/dnf/; rm -rf /var/cache/dnf/;
# Prepare for basic ipa-server-install in container
# Address failing nis-domainname.service in the ipa-client-install step
RUN mv /usr/bin/nisdomainname /usr/bin/nisdomainname.orig
ADD utils/hostnamectl-wrapper /usr/bin/nisdomainname
RUN chmod a+rx /usr/bin/nisdomainname
RUN (cd /lib/systemd/system/; \ RUN (cd /lib/systemd/system/; \
if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \ if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
ln -s dbus-broker.service dbus.service; \ ln -s dbus-broker.service dbus.service; \
...@@ -18,7 +18,7 @@ container_create() { ...@@ -18,7 +18,7 @@ container_create() {
hostname=*) extra_opts+=("--${opt}") ;; hostname=*) extra_opts+=("--${opt}") ;;
cpus=*) extra_opts+=("--${opt}") ;; cpus=*) extra_opts+=("--${opt}") ;;
memory=*) extra_opts+=("--${opt}") ;; memory=*) extra_opts+=("--${opt}") ;;
privileged) extra_opts+=("--${opt}") ;; capabilities=*) extra_opts+=("--cap-add=${opt##*=}") ;;
*) log error "container_create: Invalid option: ${opt}" ;; *) log error "container_create: Invalid option: ${opt}" ;;
esac esac
done done
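Review bot: `capabilities=*) extra_opts+=("--cap-add=${opt##*=}")` forwards the whole comma-separated list as a single `--cap-add` value and relies on the container runtime to split it; podman's flag parsing does that as far as I know, but I would rather not depend on it and emit one flag per capability, which also makes a logged command line show exactly what was granted: `IFS=, read -r -a caps <<<"${opt#*=}"` followed by `for c in "${caps[@]}"; do extra_opts+=("--cap-add=${c}"); done`. Note `${opt#*=}` (after the first `=`) is the conventional form for taking an option's value, though for capability names the two expansions are equivalent. container_create starts outside the hunk.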
#!/bin/bash -eu
if setpriv --dump | grep -q sys_admin ; then
if [[ "$( basename $0 )" =~ "domainname" ]] ; then
/usr/bin/hostname -y "$@"
else
$0.orig "$@"
fi
else
echo "Skipping invocation of $0 $@ in unprivileged container." >&2
exit
fi