test container: Add DAC_READ_SEARCH capability

SSSD 2.10+ runs under non-privileged user 'sssd' and relies on system
capabilities to get access to certain resources like /etc/krb5.keytab.
Not having these capabilities result in SSSD not starting.

Podman has reduced the capabilities granted to containers, and to be
able to start SSSD it is needed to add DAC_READ_SEARCH back.

This patch adds file infra/images/shdefaults to store the defaults used
by ansible-freeipa shell utilities in a contral location.

See:  https://github.com/containers/podman/discussions/24904#discussioncomment-11718823

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>

infra/image/shcontainer

@@ -4,13 +4,18 @@
 SCRIPTDIR="$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")"
 TOPDIR="$(readlink -f "${SCRIPTDIR}/../..")"
 
+. "${SCRIPTDIR}/shdefaults"
+
+# shellcheck disable=SC1091
 . "${TOPDIR}/utils/shfun"
 
 container_create() {
     local name=${1}
     local image=${2}
     shift 2
-    declare -a extra_opts=()
+    declare -a extra_opts
+    readarray -t extra_opts < \
+        <(sed -e "s/-/--cap-drop=/g" -e "s/+/--cap-add=/g" <<< "${CAP_DEFAULTS[@]}")
     for opt in "$@"
     do
         [ -z "${opt}" ] && continue

infra/image/shdefaults

@@ -0,0 +1,8 @@
+#!/bin/bash -eu
+# This file is meant to be source'd by other scripts
+
+# Set default capabilities options for freeipa containers.
+# Use +CAP to add the capability and -CAP to drop the capability.
+CAP_DEFAULTS=(
+    "+DAC_READ_SEARCH"  # Required for SSSD
+)