Merge pull request #1352 from freeipa/fix_sssd_on_test_container

test container: Add DAC_READ_SEARCH capability

Merge pull request #1352 from freeipa/fix_sssd_on_test_container
d1857c18 · Thomas Woerner · GitHub · edbdd3af · 2d3da2d7 · d1857c18
Unverified Commit d1857c18 authored 2 months ago by Thomas Woerner Committed by GitHub 2 months ago
--- a/infra/image/shcontainer
+++ b/infra/image/shcontainer
@@ -4,13 +4,18 @@
 SCRIPTDIR="$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")"
 TOPDIR="$(readlink -f "${SCRIPTDIR}/../..")"
+. "${SCRIPTDIR}/shdefaults"
+# shellcheck disable=SC1091
 . "${TOPDIR}/utils/shfun"
 container_create() {
    local name=${1}
    local image=${2}
    shift 2
-    declare -a extra_opts=()
+    declare -a extra_opts
+    readarray -t extra_opts < \
+        <(sed -e "s/-/--cap-drop=/g" -e "s/+/--cap-add=/g" <<< "${CAP_DEFAULTS[@]}")
    for opt in "$@"
    do
        [ -z "${opt}" ] && continue

--- a/infra/image/shdefaults
+++ b/infra/image/shdefaults
+#!/bin/bash -eu
+# This file is meant to be source'd by other scripts
+# Set default capabilities options for freeipa containers.
+# Use +CAP to add the capability and -CAP to drop the capability.
+CAP_DEFAULTS=(
+    "+DAC_READ_SEARCH"  # Required for SSSD
+)