From 6d1098f8234f6128247a7101fd759658cf06cd18 Mon Sep 17 00:00:00 2001
From: Jonas Berlin
Date: Sat, 4 May 2024 11:05:08 +0300
Subject: [PATCH] Quadlet/Container: Add GroupAdd option

Co-authored-by: Ygal Blum
Signed-off-by: Jonas Berlin
---
 docs/source/markdown/podman-systemd.unit.5.md | 6 ++++++
 pkg/systemd/quadlet/quadlet.go | 9 +++++++++
 test/e2e/quadlet/group-add.container | 7 +++++++
 test/e2e/quadlet_test.go | 1 +
 4 files changed, 23 insertions(+)
 create mode 100644 test/e2e/quadlet/group-add.container

diff --git a/docs/source/markdown/podman-systemd.unit.5.md b/docs/source/markdown/podman-systemd.unit.5.md
index 9be6d06dfb..af5dabd196 100644
--- a/docs/source/markdown/podman-systemd.unit.5.md
+++ b/docs/source/markdown/podman-systemd.unit.5.md
@@ -248,6 +248,7 @@ Valid options for `[Container]` are listed below:
 | GIDMap=0:10000:10 | --gidmap=0:10000:10 |
 | GlobalArgs=--log-level=debug | --log-level=debug |
 | Group=1234 | --user UID:1234 |
+| GroupAdd=keep-groups | --group-add=keep-groups |
 | HealthCmd=/usr/bin/command | --health-cmd=/usr/bin/command |
 | HealthInterval=2m | --health-interval=2m |
 | HealthOnFailure=kill | --health-on-failure=kill |
@@ -440,6 +441,11 @@ This key can be listed multiple times.
 The (numeric) GID to run as inside the container. This does not need to match the GID on the host, which can be modified with `UsersNS`, but if that is not specified, this GID is also used on the host.
 
+### `GroupAdd=`
+
+Assign additional groups to the primary user running within the container process. Also supports the `keep-groups` special flag.
+Equivalent to the Podman `--group-add` option.
+
 ### `HealthCmd=`
 
 Set or alter a healthcheck command for a container. A value of none disables existing healthchecks.
diff --git a/pkg/systemd/quadlet/quadlet.go b/pkg/systemd/quadlet/quadlet.go
index 8f27e0235e..b32cee8671 100644
--- a/pkg/systemd/quadlet/quadlet.go
+++ b/pkg/systemd/quadlet/quadlet.go
@@ -82,6 +82,7 @@ const (
 	KeyGIDMap = "GIDMap"
 	KeyGlobalArgs = "GlobalArgs"
 	KeyGroup = "Group"
+	KeyGroupAdd = "GroupAdd"
 	KeyHealthCmd = "HealthCmd"
 	KeyHealthInterval = "HealthInterval"
 	KeyHealthOnFailure = "HealthOnFailure"
@@ -187,6 +188,7 @@ var (
 		KeyGIDMap: true,
 		KeyGlobalArgs: true,
 		KeyGroup: true,
+		KeyGroupAdd: true,
 		KeyHealthCmd: true,
 		KeyHealthInterval: true,
 		KeyHealthOnFailure: true,
@@ -672,6 +674,13 @@ func ConvertContainer(container *parser.UnitFile, names map[string]string, isUse
 		return nil, err
 	}
 
+	groupsAdd := container.LookupAll(ContainerGroup, KeyGroupAdd)
+	for _, groupAdd := range groupsAdd {
+		if len(groupAdd) > 0 {
+			podman.addf("--group-add=%s", groupAdd)
+		}
+	}
+
 	tmpfsValues := container.LookupAll(ContainerGroup, KeyTmpfs)
 	for _, tmpfs := range tmpfsValues {
 		if strings.Count(tmpfs, ":") > 1 {
diff --git a/test/e2e/quadlet/group-add.container b/test/e2e/quadlet/group-add.container
new file mode 100644
index 0000000000..99800604cf
--- /dev/null
+++ b/test/e2e/quadlet/group-add.container
@@ -0,0 +1,7 @@
+## assert-podman-args "--group-add=keep-groups"
+## assert-podman-args "--group-add=users"
+
+[Container]
+Image=localhost/imagename
+GroupAdd=keep-groups
+GroupAdd=users
diff --git a/test/e2e/quadlet_test.go b/test/e2e/quadlet_test.go
index 92c21cbd0b..14b79e5130 100644
--- a/test/e2e/quadlet_test.go
+++ b/test/e2e/quadlet_test.go
@@ -783,6 +783,7 @@ BOGUS=foo
 		Entry("entrypoint.container", "entrypoint.container", 0, ""),
 		Entry("escapes.container", "escapes.container", 0, ""),
 		Entry("exec.container", "exec.container", 0, ""),
+		Entry("group-add.container", "group-add.container", 0, ""),
 		Entry("health.container", "health.container", 0, ""),
 		Entry("hostname.container", "hostname.container", 0, ""),
 		Entry("idmapping.container", "idmapping.container", 0, ""),
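Review bot: The `if len(groupAdd) > 0` guard in the new ConvertContainer loop silently drops an empty `GroupAdd=` line, so a mistyped unit produces a container with fewer supplementary groups than the author intended and no diagnostic at generation time; either reject it with `return nil, fmt.Errorf("GroupAdd cannot be empty")` (the surrounding code already returns errors for malformed values such as `Tmpfs`), or add a comment above the check stating that an empty value is deliberately ignored. Each remaining value is forwarded verbatim as its own `--group-add=` argument, so `keep-groups` and any group name or GID are left to podman to validate; that is reasonable, but the `GroupAdd=` section in the docs hunk should carry the sentence `This key can be listed multiple times.` like its siblings, otherwise a reader of the `[Container]` table may write one space-separated value and get a single bogus group. The new `group-add.container` fixture only asserts that the two flags are emitted; a fixture with an empty `GroupAdd=` would pin whichever behaviour is chosen. ConvertContainer begins and ends outside this hunk.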