From 434c76e978b56309590314d04bbcb3df70782105 Mon Sep 17 00:00:00 2001
From: Robert Cerven
Date: Mon, 22 May 2023 21:48:52 +0200
Subject: [PATCH] add configurable --cap-add for podman-remote build
* STONEBLD-1268
Signed-off-by: Robert Cerven
---
atomic_reactor/schemas/config.json | 8 ++++++++
atomic_reactor/tasks/binary_container_build.py | 6 ++++++
tests/tasks/test_binary_container_build.py | 17 ++++++++++++++---
3 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/atomic_reactor/schemas/config.json b/atomic_reactor/schemas/config.json
index 65d7feab1..51e22012c 100644
--- a/atomic_reactor/schemas/config.json
+++ b/atomic_reactor/schemas/config.json
@@ -97,6 +97,14 @@
"type": "string",
"examples": ["1g", "10m"]
},
+ "podman_capabilities": {
+ "description": "Use additional podman capabilities",
+ "type": ["array", "null"],
+ "items": {
+ "type": "string"
+ },
+ "examples": [null, ["CAP_SYS_CHROOT", "CAP_AUDIT_WRITE", "CAP_MKNOD"]]
+ },
"pools": {
"description": "Pool of Remote-hosts",
"type": "object",
diff --git a/atomic_reactor/tasks/binary_container_build.py b/atomic_reactor/tasks/binary_container_build.py
index 44858ddd5..b623fb833 100644
--- a/atomic_reactor/tasks/binary_container_build.py
+++ b/atomic_reactor/tasks/binary_container_build.py
@@ -113,6 +113,7 @@ def execute(self) -> Any:
dest_tag=dest_tag,
flatpak=flatpak,
memory_limit=config.remote_hosts.get("memory_limit"),
+ podman_capabilities=config.remote_hosts.get("podman_capabilities")
)
for line in output_lines:
logger.info(line.rstrip())
@@ -228,6 +229,7 @@ def build_container(
dest_tag: ImageName,
flatpak: bool,
memory_limit: Optional[str],
+ podman_capabilities: Optional[List[str]],
) -> Iterator[Optional[str]]:
"""Build a container image from the specified build directory.
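Review bot: The `podman_capabilities` item schema accepts any string, so a value such as `ALL` (which podman's `--cap-add` treats as every capability) or a mangled token like `CAP_SYS_ADMIN --privileged` passes config validation and is only rejected, or silently honoured, when the remote build runs. Tightening the item schema fails bad config at load time instead: `"items": {"type": "string", "pattern": "^CAP_[A-Z0-9_]+$"}` matches the examples given and excludes `ALL`; if the `CAP_`-less spellings podman also accepts are wanted, use `^(CAP_)?[A-Z0-9_]+$` together with `"not": {"enum": ["ALL"]}`. The description should also state what operators are granting, e.g. `"description": "Extra Linux capabilities added to the build container (podman build --cap-add); they apply to every instruction of the user-supplied Containerfile on the remote host, so keep this list minimal"`.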
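Review bot: The new `podman_capabilities` parameter of `build_container` is not documented; the docstring that begins on the hunk's last line continues outside the hunk, so if it lists the other parameters, add `:param podman_capabilities: extra Linux capabilities passed to podman build via --cap-add; None or an empty list adds none`. It is worth saying there that the list comes from reactor config (`config.remote_hosts`, as the `execute` hunk shows) and is applied to the whole build, since that is the security-relevant fact a caller needs. The body of `build_container` runs past this hunk.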
@@ -249,6 +251,10 @@ def build_container(
# memory limit (format: [], where unit = b, k, m or g)
options.append(f"--memory={memory_limit}")
+ if podman_capabilities:
+ for capability in podman_capabilities:
+ options.append(f"--cap-add={capability}")
+
if flatpak:
options.append("--squash-all")
for device in ['null', 'random', 'urandom', 'zero']:
diff --git a/tests/tasks/test_binary_container_build.py b/tests/tasks/test_binary_container_build.py
index bba12af12..9f64857a6 100644
--- a/tests/tasks/test_binary_container_build.py
+++ b/tests/tasks/test_binary_container_build.py
@@ -79,9 +79,11 @@
prid=PIPELINE_RUN_NAME)
MEMORY_LIMIT = "4g"
+PODMAN_CAPABILITIES = ["CAP_SYS_CHROOT", "CAP_MKNOD"]
REMOTE_HOST_CONFIG = {
"slots_dir": X86_REMOTE_HOST.slots_dir,
"memory_limit": MEMORY_LIMIT,
+ "podman_capabilities": PODMAN_CAPABILITIES,
"pools": {
"x86_64": {
X86_REMOTE_HOST.hostname: {
@@ -259,13 +261,15 @@ def test_run_build(
mock_config(REGISTRY_CONFIG, REMOTE_HOST_CONFIG, image_size_limit=1234)
x86_build_dir.dockerfile_path.write_text(DOCKERFILE_CONTENT)
- def mock_build_container(*, build_dir, build_args, dest_tag, flatpak, memory_limit):
+ def mock_build_container(*, build_dir, build_args, dest_tag, flatpak, memory_limit,
+ podman_capabilities):
assert build_dir.path == x86_build_dir.path
assert build_dir.platform == "x86_64"
assert build_args == BUILD_ARGS
assert dest_tag == X86_UNIQUE_IMAGE
assert flatpak == is_flatpak
assert memory_limit == MEMORY_LIMIT
+ assert podman_capabilities == PODMAN_CAPABILITIES
yield from ["output line 1\n", "output line 2\n"]
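Review bot: Each entry of `podman_capabilities` is appended to `--cap-add` unchecked, and the flag applies to the whole `podman build`, so every `RUN` instruction of the user-supplied Containerfile executes with the added capabilities on the remote host; a config value of `ALL` therefore silently turns the build into a near-privileged container. Rejecting `ALL` and anything that is not a single capability token, and logging what was granted, keeps a mis-edited config from widening the sandbox unnoticed and leaves an audit trail per build. Whether `options` is handed to subprocess as a list or joined into a command string is outside this hunk; the token check matters most in the latter case, the `ALL` rejection in both. `logger` is the module-level logger already used in `execute`; if `re` is imported in this module, `re.fullmatch(r"(CAP_)?[A-Z0-9_]+", name)` reads better than the character check below, and the project's own config error type may be preferable to `ValueError`.
```python
    if podman_capabilities:
        for capability in podman_capabilities:
            name = capability.strip().upper()
            # Refuse 'ALL' (every capability) and anything that is not one
            # clean capability token; the value ends up in the podman argv.
            if (not name or name in ("ALL", "CAP_ALL")
                    or any(ch not in "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_" for ch in name)):
                raise ValueError(f"unsupported podman capability in config: {capability!r}")
            options.append(f"--cap-add={capability}")
        logger.info("build granted extra capabilities: %s", ", ".join(podman_capabilities))

    # … unchanged: flatpak handling …
```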
@@ -462,7 +466,9 @@ def test_setup_for_fails(self):
@pytest.mark.parametrize("authfile", [None, AUTHFILE_PATH])
@pytest.mark.parametrize('is_flatpak', (True, False))
@pytest.mark.parametrize('memory_limit', ('1g', None))
- def test_build_container(self, authfile, is_flatpak, x86_build_dir, memory_limit):
+ @pytest.mark.parametrize('podman_capabilities', (PODMAN_CAPABILITIES, None))
+ def test_build_container(self, authfile, is_flatpak, x86_build_dir, memory_limit,
+ podman_capabilities):
options = [
f"--tag={X86_UNIQUE_IMAGE}",
"--no-cache",
@@ -470,6 +476,9 @@ def test_build_container(self, authfile, is_flatpak, x86_build_dir, memory_limit
]
if memory_limit:
options.append(f"--memory={memory_limit}")
+ if podman_capabilities:
+ for capability in podman_capabilities:
+ options.append(f"--cap-add={capability}")
if is_flatpak:
options.append("--squash-all")
for device in ['null', 'random', 'urandom', 'zero']:
@@ -497,7 +506,8 @@ def test_build_container(self, authfile, is_flatpak, x86_build_dir, memory_limit
build_args=BUILD_ARGS,
dest_tag=X86_UNIQUE_IMAGE,
flatpak=is_flatpak,
- memory_limit=memory_limit
+ memory_limit=memory_limit,
+ podman_capabilities=podman_capabilities
)
assert list(output_lines) == ["starting the build\n", "finished successfully\n"]
@@ -524,6 +534,7 @@ def test_build_container_fails(
dest_tag=X86_UNIQUE_IMAGE,
flatpak=False,
memory_limit="1g",
+ podman_capabilities=PODMAN_CAPABILITIES
)
for expect_line in expected_lines:
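Review bot: `test_build_container` parametrizes `podman_capabilities` over `(PODMAN_CAPABILITIES, None)` only, but the schema allows an array, so an empty list is a valid config value and the case that pins "no `--cap-add` emitted" for a configured-but-empty list; add it with `@pytest.mark.parametrize('podman_capabilities', (PODMAN_CAPABILITIES, [], None))`. The expected-options block in the `@@ -470` hunk rebuilds the same loop as the implementation, so it cannot catch a formatting change on its own; listing the literal `"--cap-add=CAP_SYS_CHROOT"` and `"--cap-add=CAP_MKNOD"` strings in the expected list instead of regenerating them would make the assertion independent of the code under test. The test function continues outside the hunk.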