add configurable --cap-add for podman-remote build

* STONEBLD-1268 Signed-off-by: Robert Cerven <rcerven@redhat.com>
containerbuildsystem · May 26, 2023 · 434c76e · 434c76e
1 parent dc647a4
commit 434c76e
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 3 deletions.
diff --git a/atomic_reactor/schemas/config.json b/atomic_reactor/schemas/config.json
@@ -97,6 +97,14 @@
                 "type": "string",
                 "examples": ["1g", "10m"]
             },
+            "podman_capabilities": {
+                "description": "Use additional podman capabilities",
+                "type": ["array", "null"],
+                "items": {
+                  "type": "string"
+                },
+                "examples": [null, ["CAP_SYS_CHROOT", "CAP_AUDIT_WRITE", "CAP_MKNOD"]]
+            },
             "pools": {
                 "description": "Pool of Remote-hosts",
                 "type": "object",

diff --git a/atomic_reactor/tasks/binary_container_build.py b/atomic_reactor/tasks/binary_container_build.py
@@ -113,6 +113,7 @@ def execute(self) -> Any:
                 dest_tag=dest_tag,
                 flatpak=flatpak,
                 memory_limit=config.remote_hosts.get("memory_limit"),
+                podman_capabilities=config.remote_hosts.get("podman_capabilities")
             )
             for line in output_lines:
                 logger.info(line.rstrip())
@@ -228,6 +229,7 @@ def build_container(
         dest_tag: ImageName,
         flatpak: bool,
         memory_limit: Optional[str],
+        podman_capabilities: Optional[List[str]],
     ) -> Iterator[Optional[str]]:
         """Build a container image from the specified build directory.
 
@@ -249,6 +251,10 @@ def build_container(
             # memory limit (format: <number>[<unit>], where unit = b, k, m or g)
             options.append(f"--memory={memory_limit}")
 
+        if podman_capabilities:
+            for capability in podman_capabilities:
+                options.append(f"--cap-add={capability}")
+
         if flatpak:
             options.append("--squash-all")
             for device in ['null', 'random', 'urandom', 'zero']:

diff --git a/tests/tasks/test_binary_container_build.py b/tests/tasks/test_binary_container_build.py
@@ -79,9 +79,11 @@
                                                  prid=PIPELINE_RUN_NAME)
 
 MEMORY_LIMIT = "4g"
+PODMAN_CAPABILITIES = ["CAP_SYS_CHROOT", "CAP_MKNOD"]
 REMOTE_HOST_CONFIG = {
     "slots_dir": X86_REMOTE_HOST.slots_dir,
     "memory_limit": MEMORY_LIMIT,
+    "podman_capabilities": PODMAN_CAPABILITIES,
     "pools": {
         "x86_64": {
             X86_REMOTE_HOST.hostname: {
@@ -259,13 +261,15 @@ def test_run_build(
             mock_config(REGISTRY_CONFIG, REMOTE_HOST_CONFIG, image_size_limit=1234)
         x86_build_dir.dockerfile_path.write_text(DOCKERFILE_CONTENT)
 
-        def mock_build_container(*, build_dir, build_args, dest_tag, flatpak, memory_limit):
+        def mock_build_container(*, build_dir, build_args, dest_tag, flatpak, memory_limit,
+                                 podman_capabilities):
             assert build_dir.path == x86_build_dir.path
             assert build_dir.platform == "x86_64"
             assert build_args == BUILD_ARGS
             assert dest_tag == X86_UNIQUE_IMAGE
             assert flatpak == is_flatpak
             assert memory_limit == MEMORY_LIMIT
+            assert podman_capabilities == PODMAN_CAPABILITIES
 
             yield from ["output line 1\n", "output line 2\n"]
 
@@ -462,14 +466,19 @@ def test_setup_for_fails(self):
     @pytest.mark.parametrize("authfile", [None, AUTHFILE_PATH])
     @pytest.mark.parametrize('is_flatpak', (True, False))
     @pytest.mark.parametrize('memory_limit', ('1g', None))
-    def test_build_container(self, authfile, is_flatpak, x86_build_dir, memory_limit):
+    @pytest.mark.parametrize('podman_capabilities', (PODMAN_CAPABILITIES, None))
+    def test_build_container(self, authfile, is_flatpak, x86_build_dir, memory_limit,
+                             podman_capabilities):
         options = [
             f"--tag={X86_UNIQUE_IMAGE}",
             "--no-cache",
             "--pull-always",
         ]
         if memory_limit:
             options.append(f"--memory={memory_limit}")
+        if podman_capabilities:
+            for capability in podman_capabilities:
+                options.append(f"--cap-add={capability}")
         if is_flatpak:
             options.append("--squash-all")
             for device in ['null', 'random', 'urandom', 'zero']:
@@ -497,7 +506,8 @@ def test_build_container(self, authfile, is_flatpak, x86_build_dir, memory_limit
             build_args=BUILD_ARGS,
             dest_tag=X86_UNIQUE_IMAGE,
             flatpak=is_flatpak,
-            memory_limit=memory_limit
+            memory_limit=memory_limit,
+            podman_capabilities=podman_capabilities
         )
 
         assert list(output_lines) == ["starting the build\n", "finished successfully\n"]
@@ -524,6 +534,7 @@ def test_build_container_fails(
             dest_tag=X86_UNIQUE_IMAGE,
             flatpak=False,
             memory_limit="1g",
+            podman_capabilities=PODMAN_CAPABILITIES
         )
 
         for expect_line in expected_lines: