[stable-2.13] ansible-test - Support Podman 4.4.0+

(cherry picked from commit 67d49734f732f543c0b8d7713466c0aa3b8f484f)

Co-authored-by: Matt Clay <matt@mystile.com>

2 files changed, 9 insertions, 0 deletions

diff --git a/changelogs/fragments/ansible-test-podman-chroot.yml b/changelogs/fragments/ansible-test-podman-chroot.yml
new file mode 100644
index 0000000000..9f4f2d3843
--- /dev/null
+++ b/changelogs/fragments/ansible-test-podman-chroot.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - ansible-test - Support Podman 4.4.0+ by adding the ``SYS_CHROOT`` capability when running containers.
diff --git a/test/lib/ansible_test/_internal/host_profiles.py b/test/lib/ansible_test/_internal/host_profiles.py
index 7ff919367c..1c06c5f5c4 100644
--- a/test/lib/ansible_test/_internal/host_profiles.py
+++ b/test/lib/ansible_test/_internal/host_profiles.py
@@ -506,6 +506,13 @@ class DockerProfile(ControllerHostProfile[DockerConfig], SshTargetHostProfile[Do
 
         cgroup_version = get_docker_info(self.args).cgroup_version
 
+        # Podman 4.4.0 updated containers/common to 0.51.0, which removed the SYS_CHROOT capability from the default list.
+        # This capability is needed by services such as sshd, so is unconditionally added here.
+        # See: https://github.com/containers/podman/releases/tag/v4.4.0
+        # See: https://github.com/containers/common/releases/tag/v0.51.0
+        # See: https://github.com/containers/common/pull/1240
+        options.extend(('--cap-add', 'SYS_CHROOT'))
+
         # Without AUDIT_WRITE the following errors may appear in the system logs of a container after attempting to log in using SSH:
         #
         #   fatal: linux_audit_write_entry failed: Operation not permitted