container: T6208: rename "cap-add" CLI node to "capability"

Containers have the ability to add Linux system capabilities to them, this is
done using the "set container name <name> cap-add" command.

The CLI node sounds off and rather should be "set container name <name>
capability" instead as we use and pass a capability to a container and not
add/invent new ones.

6 files changed, 117 insertions, 10 deletions

diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in
index 7e1f4811a..94f2e92f5 100644
--- a/interface-definitions/container.xml.in
+++ b/interface-definitions/container.xml.in
@@ -21,9 +21,9 @@
               <valueless/>
             </properties>
           </leafNode>
-          <leafNode name="cap-add">
+          <leafNode name="capability">
             <properties>
-              <help>Container capabilities/permissions</help>
+              <help>Grant individual Linux capability to container instance</help>
               <completionHelp>
                 <list>net-admin net-bind-service net-raw setpcap sys-admin sys-module sys-time</list>
               </completionHelp>
diff --git a/interface-definitions/include/version/container-version.xml.i b/interface-definitions/include/version/container-version.xml.i
index 129469cec..ed6e942cd 100644
--- a/interface-definitions/include/version/container-version.xml.i
+++ b/interface-definitions/include/version/container-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/container-version.xml.i -->
-<syntaxVersion component='container' version='1'></syntaxVersion>
+<syntaxVersion component='container' version='2'></syntaxVersion>
 <!-- include end -->
diff --git a/smoketest/config-tests/container-simple b/smoketest/config-tests/container-simple
new file mode 100644
index 000000000..299af64cb
--- /dev/null
+++ b/smoketest/config-tests/container-simple
@@ -0,0 +1,12 @@
+set system config-management commit-revisions '50'
+set system host-name 'vyos'
+set system login user vyos authentication encrypted-password '$6$r/Yw/07NXNY$/ZB.Rjf9jxEV.BYoDyLdH.kH14rU52pOBtrX.4S34qlPt77chflCHvpTCq9a6huLzwaMR50rEICzA5GoIRZlM0'
+set system login user vyos authentication plaintext-password ''
+set system console device ttyS0 speed '115200'
+set container name c01 allow-host-networks
+set container name c01 capability 'net-bind-service'
+set container name c01 capability 'net-raw'
+set container name c01 image 'busybox:stable'
+set container name c02 allow-host-networks
+set container name c02 capability 'sys-time'
+set container name c02 image 'busybox:stable'
diff --git a/smoketest/configs/container-simple b/smoketest/configs/container-simple
new file mode 100644
index 000000000..05efe05e9
--- /dev/null
+++ b/smoketest/configs/container-simple
@@ -0,0 +1,46 @@
+container {
+    name c01 {
+        allow-host-networks
+        cap-add net-bind-service
+        cap-add net-raw
+        image busybox:stable
+    }
+    name c02 {
+        allow-host-networks
+        cap-add sys-time
+        image busybox:stable
+    }
+}
+interfaces {
+    ethernet eth0 {
+        duplex auto
+        speed auto
+    }
+    ethernet eth1 {
+        duplex auto
+        speed auto
+    }
+}
+system {
+    config-management {
+        commit-revisions 50
+    }
+    console {
+        device ttyS0 {
+            speed 115200
+        }
+    }
+    host-name vyos
+    login {
+        user vyos {
+            authentication {
+                encrypted-password $6$r/Yw/07NXNY$/ZB.Rjf9jxEV.BYoDyLdH.kH14rU52pOBtrX.4S34qlPt77chflCHvpTCq9a6huLzwaMR50rEICzA5GoIRZlM0
+                plaintext-password ""
+            }
+        }
+    }
+}
+
+// Warning: Do not remove the following line.
+// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:container@1:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@23:ipoe-server@1:ipsec@5:isis@1:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@8:rpki@1:salt@1:snmp@2:ssh@2:sstp@3:system@21:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1"
+// Release version: 1.3.6
diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py
index 910a92a7c..abd2c5f21 100755
--- a/src/conf_mode/container.py
+++ b/src/conf_mode/container.py
@@ -262,12 +262,11 @@ def generate_run_arguments(name, container_config):
     restart = container_config['restart']
 
     # Add capability options. Should be in uppercase
-    cap_add = ''
-    if 'cap_add' in container_config:
-        for c in container_config['cap_add']:
-            c = c.upper()
-            c = c.replace('-', '_')
-            cap_add += f' --cap-add={c}'
+    capabilities = ''
+    if 'capability' in container_config:
+        for cap in container_config['capability']:
+            cap = c.upper().replace('-', '_')
+            capabilities += f' --cap-add={cap}'
 
     # Add a host device to the container /dev/x:/dev/x
     device = ''
@@ -330,7 +329,7 @@ def generate_run_arguments(name, container_config):
             prop = vol_config['propagation']
             volume += f' --volume {svol}:{dvol}:{mode},{prop}'
 
-    container_base_cmd = f'--detach --interactive --tty --replace {cap_add} ' \
+    container_base_cmd = f'--detach --interactive --tty --replace {capabilities} ' \
                          f'--memory {memory}m --shm-size {shared_memory}m --memory-swap 0 --restart {restart} ' \
                          f'--name {name} {hostname} {device} {port} {volume} {env_opt} {label} {uid}'
 
diff --git a/src/migration-scripts/container/1-to-2 b/src/migration-scripts/container/1-to-2
new file mode 100755
index 000000000..408faf978
--- /dev/null
+++ b/src/migration-scripts/container/1-to-2
@@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T6208: container: rename "cap-add" CLI node to "capability"
+
+from sys import argv
+from sys import exit
+from vyos.configtree import ConfigTree
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+base = ['container', 'name']
+config = ConfigTree(config_file)
+
+# Check if containers exist and we need to perform image manipulation
+if not config.exists(base):
+    # Nothing to do
+    exit(0)
+
+for container in config.list_nodes(base):
+    cap_path = base + [container, 'cap-add']
+    if config.exists(cap_path):
+        config.rename(cap_path, 'capability')
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print(f'Failed to save the modified config: {e}')
+    exit(1)