Merge pull request #22601 from xkr47/feat/quadlet-group-add

Quadlet/Container: Add GroupAdd option
containers · May 9, 2024 · 63ab927 · 63ab927 · packit-as-a-service · May 9, 2024
2 parents 1ee9014 + 6d1098f
commit 63ab927
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 0 deletions.
diff --git a/docs/source/markdown/podman-systemd.unit.5.md b/docs/source/markdown/podman-systemd.unit.5.md
@@ -248,6 +248,7 @@ Valid options for `[Container]` are listed below:
 | GIDMap=0:10000:10                    | --gidmap=0:10000:10                                  |
 | GlobalArgs=--log-level=debug         | --log-level=debug                                    |
 | Group=1234                           | --user UID:1234                                      |
+| GroupAdd=keep-groups                 | --group-add=keep-groups                              |
 | HealthCmd=/usr/bin/command           | --health-cmd=/usr/bin/command                        |
 | HealthInterval=2m                    | --health-interval=2m                                 |
 | HealthOnFailure=kill                 | --health-on-failure=kill                             |
@@ -440,6 +441,11 @@ This key can be listed multiple times.
 The (numeric) GID to run as inside the container. This does not need to match the GID on the host,
 which can be modified with `UsersNS`, but if that is not specified, this GID is also used on the host.
 
+### `GroupAdd=`
+
+Assign additional groups to the primary user running within the container process. Also supports the `keep-groups` special flag.
+Equivalent to the Podman `--group-add` option.
+
 ### `HealthCmd=`
 
 Set or alter a healthcheck command for a container. A value of none disables existing healthchecks.

diff --git a/pkg/systemd/quadlet/quadlet.go b/pkg/systemd/quadlet/quadlet.go
@@ -82,6 +82,7 @@ const (
 	KeyGIDMap                = "GIDMap"
 	KeyGlobalArgs            = "GlobalArgs"
 	KeyGroup                 = "Group"
+	KeyGroupAdd              = "GroupAdd"
 	KeyHealthCmd             = "HealthCmd"
 	KeyHealthInterval        = "HealthInterval"
 	KeyHealthOnFailure       = "HealthOnFailure"
@@ -187,6 +188,7 @@ var (
 		KeyGIDMap:                true,
 		KeyGlobalArgs:            true,
 		KeyGroup:                 true,
+		KeyGroupAdd:              true,
 		KeyHealthCmd:             true,
 		KeyHealthInterval:        true,
 		KeyHealthOnFailure:       true,
@@ -672,6 +674,13 @@ func ConvertContainer(container *parser.UnitFile, names map[string]string, isUse
 		return nil, err
 	}
 
+	groupsAdd := container.LookupAll(ContainerGroup, KeyGroupAdd)
+	for _, groupAdd := range groupsAdd {
+		if len(groupAdd) > 0 {
+			podman.addf("--group-add=%s", groupAdd)
+		}
+	}
+
 	tmpfsValues := container.LookupAll(ContainerGroup, KeyTmpfs)
 	for _, tmpfs := range tmpfsValues {
 		if strings.Count(tmpfs, ":") > 1 {

diff --git a/test/e2e/quadlet/group-add.container b/test/e2e/quadlet/group-add.container
@@ -0,0 +1,7 @@
+## assert-podman-args "--group-add=keep-groups"
+## assert-podman-args "--group-add=users"
+
+[Container]
+Image=localhost/imagename
+GroupAdd=keep-groups
+GroupAdd=users
diff --git a/test/e2e/quadlet_test.go b/test/e2e/quadlet_test.go
@@ -783,6 +783,7 @@ BOGUS=foo
 		Entry("entrypoint.container", "entrypoint.container", 0, ""),
 		Entry("escapes.container", "escapes.container", 0, ""),
 		Entry("exec.container", "exec.container", 0, ""),
+		Entry("group-add.container", "group-add.container", 0, ""),
 		Entry("health.container", "health.container", 0, ""),
 		Entry("hostname.container", "hostname.container", 0, ""),
 		Entry("idmapping.container", "idmapping.container", 0, ""),