Quadlet/Container: Add GroupAdd option

Co-authored-by: Ygal Blum <ygal.blum@gmail.com> Signed-off-by: Jonas Berlin <xkr47@outerspace.dyndns.org>
2025-05-17 15:18:43 +08:00 · 2024-05-04 11:05:08 +03:00
parent 6ec2c0b43b
commit 6d1098f823
4 changed files with 23 additions and 0 deletions
--- a/docs/source/markdown/podman-systemd.unit.5.md
+++ b/docs/source/markdown/podman-systemd.unit.5.md
@ -248,6 +248,7 @@ Valid options for `[Container]` are listed below:
 | GIDMap=0:10000:10                    | --gidmap=0:10000:10                                  |
 | GlobalArgs=--log-level=debug         | --log-level=debug                                    |
 | Group=1234                           | --user UID:1234                                      |
+| GroupAdd=keep-groups                 | --group-add=keep-groups                              |
 | HealthCmd=/usr/bin/command           | --health-cmd=/usr/bin/command                        |
 | HealthInterval=2m                    | --health-interval=2m                                 |
 | HealthOnFailure=kill                 | --health-on-failure=kill                             |
@ -440,6 +441,11 @@ This key can be listed multiple times.
 The (numeric) GID to run as inside the container. This does not need to match the GID on the host,
 which can be modified with `UsersNS`, but if that is not specified, this GID is also used on the host.

+### `GroupAdd=`
+
+Assign additional groups to the primary user running within the container process. Also supports the `keep-groups` special flag.
+Equivalent to the Podman `--group-add` option.
+
 ### `HealthCmd=`

 Set or alter a healthcheck command for a container. A value of none disables existing healthchecks.
--- a/pkg/systemd/quadlet/quadlet.go
+++ b/pkg/systemd/quadlet/quadlet.go
@ -82,6 +82,7 @@ const (
 	KeyGIDMap                = "GIDMap"
 	KeyGlobalArgs            = "GlobalArgs"
 	KeyGroup                 = "Group"
+	KeyGroupAdd              = "GroupAdd"
 	KeyHealthCmd             = "HealthCmd"
 	KeyHealthInterval        = "HealthInterval"
 	KeyHealthOnFailure       = "HealthOnFailure"
@ -187,6 +188,7 @@ var (
 		KeyGIDMap:                true,
 		KeyGlobalArgs:            true,
 		KeyGroup:                 true,
+		KeyGroupAdd:              true,
 		KeyHealthCmd:             true,
 		KeyHealthInterval:        true,
 		KeyHealthOnFailure:       true,
@ -672,6 +674,13 @@ func ConvertContainer(container *parser.UnitFile, names map[string]string, isUse
 		return nil, err
 	}

+	groupsAdd := container.LookupAll(ContainerGroup, KeyGroupAdd)
+	for _, groupAdd := range groupsAdd {
+		if len(groupAdd) > 0 {
+			podman.addf("--group-add=%s", groupAdd)
+		}
+	}
+
 	tmpfsValues := container.LookupAll(ContainerGroup, KeyTmpfs)
 	for _, tmpfs := range tmpfsValues {
 		if strings.Count(tmpfs, ":") > 1 {
--- a/test/e2e/quadlet/group-add.container
+++ b/test/e2e/quadlet/group-add.container
@ -0,0 +1,7 @@
+## assert-podman-args "--group-add=keep-groups"
+## assert-podman-args "--group-add=users"
+
+[Container]
+Image=localhost/imagename
+GroupAdd=keep-groups
+GroupAdd=users
--- a/test/e2e/quadlet_test.go
+++ b/test/e2e/quadlet_test.go
@ -783,6 +783,7 @@ BOGUS=foo
 		Entry("entrypoint.container", "entrypoint.container", 0, ""),
 		Entry("escapes.container", "escapes.container", 0, ""),
 		Entry("exec.container", "exec.container", 0, ""),
+		Entry("group-add.container", "group-add.container", 0, ""),
 		Entry("health.container", "health.container", 0, ""),
 		Entry("hostname.container", "hostname.container", 0, ""),
 		Entry("idmapping.container", "idmapping.container", 0, ""),