authorAdam Smith <adamsmith@yzguy.io>2025-04-29 01:16:29 -0400
committerAdam Smith <adamsmith@yzguy.io>2025-04-29 02:03:14 -0400
commit31a2faadf877ef9da34989ea8995c82685109f16 (patch)
treed25dfa497f4040b963118d802be5003a4f319dfd
parent5490006e7ad81908540c8bf0fef80798f95fe77d (diff)
T7412: Allow privileged containers
-rw-r--r--interface-definitions/container.xml.in6
-rwxr-xr-xsrc/conf_mode/container.py7
2 files changed, 12 insertions, 1 deletions
diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in
index 3a5cfbaa6..e3c601f1a 100644
--- a/interface-definitions/container.xml.in
+++ b/interface-definitions/container.xml.in
@@ -75,6 +75,12 @@
<multi/>
</properties>
</leafNode>
+ <leafNode name="privileged">
+ <properties>
+ <help>Grant root capabilities to the container</help>
+ <valueless/>
+ </properties>
+ </leafNode>
<node name="sysctl">
<properties>
<help>Configure namespaced kernel parameters of the container</help>
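Review bot: The help text on the new `privileged` leaf, "Grant root capabilities to the container", understates what the option does: in podman, `--privileged` is not a capability grant but a switch that turns off the default isolation — all capabilities, access to all host devices, no seccomp filter, no AppArmor/SELinux separation, and writable mounts that are read-only otherwise. An operator reading this help would reasonably assume it is a convenience for `capability`, when the resulting container is effectively root on the host. Suggested wording: `<help>Run the container in privileged mode (disables most isolation: all capabilities, all host devices, no seccomp/AppArmor/SELinux confinement)</help>`. A second sentence pointing to `capability` and `device` as the narrower alternatives would help operators choose the least privilege that works.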
diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py
index 18d660a4e..94882fc14 100755
--- a/src/conf_mode/container.py
+++ b/src/conf_mode/container.py
@@ -324,6 +324,11 @@ def generate_run_arguments(name, container_config):
cap = cap.upper().replace('-', '_')
capabilities += f' --cap-add={cap}'
+ # Grant root capabilities to the container
+ privileged = ''
+ if 'privileged' in container_config:
+ privileged = '--privileged'
+
# Add a host device to the container /dev/x:/dev/x
device = ''
if 'device' in container_config:
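Review bot: The new `privileged` branch adds `--privileged` to the run arguments with no accompanying guard or warning, and the comment `# Grant root capabilities to the container` describes it as a capability grant, which it is not: podman's `--privileged` disables the container's isolation (all capabilities, all host devices, no seccomp/AppArmor/SELinux confinement), so the container is in practice root on the VyOS host. At minimum the comment should say so, e.g. `# --privileged disables podman's default isolation (all caps, all host devices, no seccomp/LSM confinement);` followed by `# a container started this way is effectively root on the host.` If this script has a verify() stage like other conf_mode scripts, consider emitting a Warning there when `privileged` is set, and note that `privileged` makes the `--cap-add` list built just above redundant, so a verify() check could also reject the two being combined to keep configs honest. `generate_run_arguments` starts and ends outside this hunk.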
@@ -402,7 +407,7 @@ def generate_run_arguments(name, container_config):
for ns in container_config['name_server']:
name_server += f'--dns {ns}'
- container_base_cmd = f'--detach --interactive --tty --replace {capabilities} --cpus {cpu_quota} {sysctl_opt} ' \
+ container_base_cmd = f'--detach --interactive --tty --replace {capabilities} {privileged} --cpus {cpu_quota} {sysctl_opt} ' \
f'--memory {memory}m --shm-size {shared_memory}m --memory-swap 0 --restart {restart} ' \
f'--name {name} {hostname} {device} {port} {name_server} {volume} {tmpfs} {env_opt} {label} {uid} {host_pid}'