diff --git a/cmd/podman/images/build.go b/cmd/podman/images/build.go
index 89100e0dda..f4657e4daa 100644
--- a/cmd/podman/images/build.go
+++ b/cmd/podman/images/build.go
@@ -573,6 +573,7 @@ func buildFlagsWrapperToOptions(c *cobra.Command, contextDir string, flags *buil
 Err: stderr,
 ForceRmIntermediateCtrs: flags.ForceRm,
 From: flags.From,
+ GroupAdd: flags.GroupAdd,
 IDMappingOptions: idmappingOptions,
 In: stdin,
 Isolation: isolation,
diff --git a/docs/source/markdown/podman-build.1.md.in b/docs/source/markdown/podman-build.1.md.in
index cfe27b6f67..2535a90dc9 100644
--- a/docs/source/markdown/podman-build.1.md.in
+++ b/docs/source/markdown/podman-build.1.md.in
@@ -287,6 +287,20 @@ expected. For example, oci-archive:/x.tar will reference /x.tar on the remote machine instead of on the client. When using podman remote clients it is best to restrict use to *containers-storage*, and *docker:// transports*.
+#### **--group-add**=*group* | *keep-groups*
+
+Assign additional groups to the primary user running within the container
+process.
+
+- `keep-groups` is a special value that tells Buildah to keep the supplementary
+group access.
+
+Allows container to use the user's supplementary group access. If file systems
+or devices are only accessible by the rootless user's group, this flag tells the
+OCI runtime to pass the group access into the container. Currently only
+available with the `crun` OCI runtime. Note: `keep-groups` is exclusive, other
+groups cannot be specified with this flag.
+
 #### **--help**, **-h** Print usage statement
diff --git a/pkg/api/Makefile b/pkg/api/Makefile
index d07cf6f93b..49ebfb422e 100644
--- a/pkg/api/Makefile
+++ b/pkg/api/Makefile
@@ -10,4 +10,4 @@ serve: ${SWAGGER_OUT} ${SWAGGER_OUT}: # generate doesn't remove file on error rm -f ${SWAGGER_OUT}
- swagger generate spec -o ${SWAGGER_OUT} -i tags.yaml -w ./ -m
+ swagger generate spec -x github.com/sigstore/rekor -o ${SWAGGER_OUT} -i tags.yaml -w ./ -m
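Review bot: `flags.GroupAdd` is copied into the build options as-is at `GroupAdd: flags.GroupAdd`, yet the man-page text added in this same commit says `keep-groups` is exclusive and cannot be combined with other groups. Nothing visible in this hunk rejects a mixed list, so unless Buildah enforces the rule further down, a list that mixes `keep-groups` with named groups may be accepted or only fail late inside the build. A guard before the options struct is built, on the condition `len(flags.GroupAdd) > 1 && slices.Contains(flags.GroupAdd, "keep-groups")` (or an equivalent loop), would fail fast with a clear message; the same applies to `query.GroupAdd` in pkg/api/handlers/compat/images_build.go. buildFlagsWrapperToOptions starts and ends outside this hunk.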
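Review bot: The new `-x github.com/sigstore/rekor` exclusion on the `swagger generate spec` line carries no explanation, and it is unrelated to the `--group-add` plumbing in the rest of the commit. A reader cannot tell whether it works around a scan failure or keeps another project's API annotations out of the generated spec, nor when it can be dropped. A comment above the recipe line, e.g. `# -x: skip rekor because <reason>; remove once <condition>`, would record that.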
diff --git a/pkg/api/handlers/compat/images_build.go b/pkg/api/handlers/compat/images_build.go
index 6e70682d48..ec53cea8cd 100644
--- a/pkg/api/handlers/compat/images_build.go
+++ b/pkg/api/handlers/compat/images_build.go
@@ -99,6 +99,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) {
 Excludes string `schema:"excludes"`
 ForceRm bool `schema:"forcerm"`
 From string `schema:"from"`
+ GroupAdd []string `schema:"groupadd"`
 HTTPProxy bool `schema:"httpproxy"`
 IDMappingOptions string `schema:"idmappingoptions"`
 IdentityLabel bool `schema:"identitylabel"`
@@ -665,6 +666,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) {
 Err: auxout,
 Excludes: excludes,
 ForceRmIntermediateCtrs: query.ForceRm,
+ GroupAdd: query.GroupAdd,
 From: fromImage,
 IDMappingOptions: &idMappingOptions,
 IgnoreUnrecognizedInstructions: query.Ignore,
diff --git a/pkg/bindings/images/build.go b/pkg/bindings/images/build.go
index 98686f6944..b58153a5a8 100644
--- a/pkg/bindings/images/build.go
+++ b/pkg/bindings/images/build.go
@@ -309,6 +309,10 @@ func Build(ctx context.Context, containerFiles []string, options entities.BuildO
 params.Add("volume", volume)
 }
+ for _, group := range options.GroupAdd {
+ params.Add("groupadd", group)
+ }
+
 var err error
 var contextDir string
 if contextDir, err = filepath.EvalSymlinks(options.ContextDirectory); err == nil {
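Review bot: `GroupAdd` is taken straight from the `groupadd` query parameter and handed to the build at `GroupAdd: query.GroupAdd`, so `keep-groups` is resolved on the service side. In a remote build the supplementary groups passed into the build container are then presumably those of the account running the API service, not of the connecting client, which the man-page wording ("the user's supplementary group access") does not make clear. A comment on the struct field such as `// GroupAdd: extra groups for build containers; "keep-groups" refers to the groups of the account running the service`, with a matching line in the API documentation, would state that. As a smaller point, the literal entry sits between `ForceRmIntermediateCtrs` and `From`, which breaks the alphabetical order the neighbouring fields follow. BuildImage continues outside both hunks.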