From 31a2faadf877ef9da34989ea8995c82685109f16 Mon Sep 17 00:00:00 2001 From: Adam Smith Date: Tue, 29 Apr 2025 01:16:29 -0400 Subject: T7412: Allow privileged containers --- interface-definitions/container.xml.in | 6 ++++++ src/conf_mode/container.py | 7 ++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in index 3a5cfbaa6..e3c601f1a 100644 --- a/interface-definitions/container.xml.in +++ b/interface-definitions/container.xml.in @@ -75,6 +75,12 @@ + + + Grant root capabilities to the container + + + Configure namespaced kernel parameters of the container diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py index 18d660a4e..94882fc14 100755 --- a/src/conf_mode/container.py +++ b/src/conf_mode/container.py @@ -324,6 +324,11 @@ def generate_run_arguments(name, container_config): cap = cap.upper().replace('-', '_') capabilities += f' --cap-add={cap}' + # Grant root capabilities to the container + privileged = '' + if 'privileged' in container_config: + privileged = '--privileged' + # Add a host device to the container /dev/x:/dev/x device = '' if 'device' in container_config: @@ -402,7 +407,7 @@ def generate_run_arguments(name, container_config): for ns in container_config['name_server']: name_server += f'--dns {ns}' - container_base_cmd = f'--detach --interactive --tty --replace {capabilities} --cpus {cpu_quota} {sysctl_opt} ' \ + container_base_cmd = f'--detach --interactive --tty --replace {capabilities} {privileged} --cpus {cpu_quota} {sysctl_opt} ' \ f'--memory {memory}m --shm-size {shared_memory}m --memory-swap 0 --restart {restart} ' \ f'--name {name} {hostname} {device} {port} {name_server} {volume} {tmpfs} {env_opt} {label} {uid} {host_pid}' -- cgit v1.2.3