container: T6210: add capability sys-nice

[theflakes]

Change Summary

Adding sys-nice as an option for container cap-add configuration. This is needed for Suricata v7.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Code style update (formatting, renaming)
• Refactoring (no functional changes)
• Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
• Other (please describe): Just adding a Vyos config option for functionality that already exists in podman.

Related Task(s)

https://vyos.dev/T6210

Related PR(s)

Component(s) name

container

Proposed changes

How to test

Configured container to run latest version of containerized Suricata. Running Vyos on my home router with Suricata v7 running as a container. Running on N305 Intel CPU with 32GB RAM.

container {
    name suricata {
        allow-host-networks
        arguments "-q 1 -q 2 -q 3 -q 4"
        cap-add net-admin
        cap-add sys-admin
        cap-add sys-nice
        image jasonish/suricata:latest
        memory 8192
        volume ETC {
            destination /etc/suricata
            source /config/suricata/etc
        }
        volume LOGS {
            destination /var/log/suricata
            source /config/suricata/logs
        }
        volume RULES {
            destination /var/lib/suricata
            source /config/suricata/rules
        }
    }
}

Smoketest result

Checklist:

• I have read the CONTRIBUTING document
• I have linked this PR to one or more Phabricator Task(s)
• I have run the components SMOKETESTS if applicable
• My commit headlines contain a valid Task id
• My change requires a change to the documentation
• I have updated the documentation accordingly

[l0crian1]

Can you add it to the completionHelp list and add a valueHelp element?

[sever-sever]

Read please contributing document that you marked as “read”.
There are no tasks on phabricator, no task number in the commit message, no task number in the PR header.

We’ll close the PR as it is not formatted correctly.

And addition you should use “commit —amend” and and “push —force” to override the previous commit

[c-po]

I wonder if we should take the last change in 1.4.0-epa3 to rename the node from cap-add to capability which is what it actually does, providing a system capability to the container.

[dmbaturin]

@c-po I tend to agree, let's rename it while we can. But I wonder if we should add a migration script to help people who used earlier versions of 1.4 pre-release builds.

@theflakes And, yes, please check out the contributing guide and follow the procedure. Not having corresponding tasks and not having commits and PRs linked to tasks makes release notes writing a real headache, it's important for tracking changes across multiple repositories.

[c-po]

@c-po I tend to agree, let's rename it while we can. But I wonder if we should add a migration script to help people who used earlier versions of 1.4 pre-release builds.

Tracked via https://vyos.dev/T6208 - migrator will be implemented

[theflakes]

Sorry about that, I'm getting an account registered to then create the task.

[c-po]

Please drop the plural here

[theflakes]

done and thanks

[c-po]

@Mergifyio backport sagitta

[mergify]

backport sagitta

✅ Backports have been created

• #3285 container: T6210: add capability sys-nice (backport #3259) has been created for branch sagitta