From a633bdd2ed65971b2f137d5f985f8f3d85b9acfc Mon Sep 17 00:00:00 2001
From: Viacheslav <v.gletenko@vyos.io>
Date: Fri, 15 Oct 2021 18:18:39 +0000
Subject: containers: T3676: Allow to set capabilities

---
 interface-definitions/containers.xml.in | 24 ++++++++++++++++++++++++
 src/conf_mode/containers.py             | 10 +++++++++-
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/interface-definitions/containers.xml.in b/interface-definitions/containers.xml.in
index fb8241d71..24d1870af 100644
--- a/interface-definitions/containers.xml.in
+++ b/interface-definitions/containers.xml.in
@@ -21,6 +21,30 @@
               <valueless/>
             </properties>
           </leafNode>
+          <leafNode name="cap-add">
+            <properties>
+              <help>Add capabilities</help>
+              <completionHelp>
+                <list>net-admin setpcap sys-time</list>
+              </completionHelp>
+              <valueHelp>
+                <format>net-admin</format>
+                <description>Net-admin option</description>
+              </valueHelp>
+              <valueHelp>
+                <format>setpcap</format>
+                <description>Setpcap option</description>
+              </valueHelp>
+              <valueHelp>
+                <format>sys-time</format>
+                <description>Sys-time option</description>
+              </valueHelp>
+              <constraint>
+                <regex>^(net-admin|setpcap|sys-time)$</regex>
+              </constraint>
+              <multi/>
+            </properties>
+          </leafNode>
           #include <include/generic-description.xml.i>
           #include <include/generic-disable-node.xml.i>
           <tagNode name="environment">
diff --git a/src/conf_mode/containers.py b/src/conf_mode/containers.py
index 1e0197a13..cc34f9d39 100755
--- a/src/conf_mode/containers.py
+++ b/src/conf_mode/containers.py
@@ -271,6 +271,14 @@ def apply(container):
             tmp = run(f'podman image exists {image}')
             if tmp != 0: print(os.system(f'podman pull {image}'))
 
+            # Add capability options. Should be in uppercase
+            cap_add = ''
+            if 'cap_add' in container_config:
+                for c in container_config['cap_add']:
+                    c = c.upper()
+                    c = c.replace('-', '_')
+                    cap_add += f' --cap-add={c}'
+
             # Check/set environment options "-e foo=bar"
             env_opt = ''
             if 'environment' in container_config:
@@ -299,7 +307,7 @@ def apply(container):
                     dvol = vol_config['destination']
                     volume += f' -v {svol}:{dvol}'
 
-            container_base_cmd = f'podman run --detach --interactive --tty --replace ' \
+            container_base_cmd = f'podman run --detach --interactive --tty --replace {cap_add} ' \
                                  f'--memory {memory}m --memory-swap 0 --restart {restart} ' \
                                  f'--name {name} {port} {volume} {env_opt}'
             if 'allow_host_networks' in container_config:
-- 
cgit v1.2.3