Add support for podman build --group-add

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

cmd/podman/images/build.go

@@ -573,6 +573,7 @@ func buildFlagsWrapperToOptions(c *cobra.Command, contextDir string, flags *buil
 		Err:                     stderr,
 		ForceRmIntermediateCtrs: flags.ForceRm,
 		From:                    flags.From,
+		GroupAdd:                flags.GroupAdd,
 		IDMappingOptions:        idmappingOptions,
 		In:                      stdin,
 		Isolation:               isolation,

docs/source/markdown/podman-build.1.md.in

@@ -287,6 +287,20 @@ expected. For example, oci-archive:/x.tar will reference /x.tar on the remote
 machine instead of on the client. When using podman remote clients it is
 best to restrict use to *containers-storage*, and *docker:// transports*.
 
+#### **--group-add**=*group* | *keep-groups*
+
+Assign additional groups to the primary user running within the container
+process.
+
+- `keep-groups` is a special value that tells Buildah to keep the supplementary
+group access.
+
+Allows container to use the user's supplementary group access. If file systems
+or devices are only accessible by the rootless user's group, this flag tells the
+OCI runtime to pass the group access into the container. Currently only
+available with the `crun` OCI runtime. Note: `keep-groups` is exclusive, other
+groups cannot be specified with this flag.
+
 #### **--help**, **-h**
 
 Print usage statement

pkg/api/Makefile

@@ -10,4 +10,4 @@ serve: ${SWAGGER_OUT}
 ${SWAGGER_OUT}:
 	# generate doesn't remove file on error
 	rm -f ${SWAGGER_OUT}
-	swagger generate spec -o ${SWAGGER_OUT} -i tags.yaml -w ./ -m
+	swagger generate spec -x github.com/sigstore/rekor -o ${SWAGGER_OUT} -i tags.yaml -w ./ -m

pkg/api/handlers/compat/images_build.go

@@ -99,6 +99,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) {
 		Excludes                string   `schema:"excludes"`
 		ForceRm                 bool     `schema:"forcerm"`
 		From                    string   `schema:"from"`
+		GroupAdd                []string `schema:"groupadd"`
 		HTTPProxy               bool     `schema:"httpproxy"`
 		IDMappingOptions        string   `schema:"idmappingoptions"`
 		IdentityLabel           bool     `schema:"identitylabel"`
@@ -665,6 +666,7 @@ func BuildImage(w http.ResponseWriter, r *http.Request) {
 		Err:                            auxout,
 		Excludes:                       excludes,
 		ForceRmIntermediateCtrs:        query.ForceRm,
+		GroupAdd:                       query.GroupAdd,
 		From:                           fromImage,
 		IDMappingOptions:               &idMappingOptions,
 		IgnoreUnrecognizedInstructions: query.Ignore,

pkg/bindings/images/build.go

@@ -309,6 +309,10 @@ func Build(ctx context.Context, containerFiles []string, options entities.BuildO
 		params.Add("volume", volume)
 	}
 
+	for _, group := range options.GroupAdd {
+		params.Add("groupadd", group)
+	}
+
 	var err error
 	var contextDir string
 	if contextDir, err = filepath.EvalSymlinks(options.ContextDirectory); err == nil {