@@ -1,11 +1,11 @@

 default name=ansible/ansible:default@sha256:b651e5964e192c12ef574646a9c724e72fd94615d37d47ffad986408b2097a07

-centos6 name=quay.io/ansible/centos6-test-container:1.4.0

-centos7 name=quay.io/ansible/centos7-test-container:1.4.0

-fedora24 name=quay.io/ansible/fedora24-test-container:1.4.0

-fedora25 name=quay.io/ansible/fedora25-test-container:1.4.0

+centos6 name=quay.io/ansible/centos6-test-container:1.4.0 seccomp=unconfined

+centos7 name=quay.io/ansible/centos7-test-container:1.4.0 seccomp=unconfined

+fedora24 name=quay.io/ansible/fedora24-test-container:1.4.0 seccomp=unconfined

+fedora25 name=quay.io/ansible/fedora25-test-container:1.4.0 seccomp=unconfined

 fedora26py3 name=quay.io/ansible/fedora26py3-test-container:1.4.0

 fedora27py3 name=quay.io/ansible/fedora27py3-test-container:1.4.0

-opensuse42.3 name=quay.io/ansible/opensuse42.3-test-container:1.4.0

-ubuntu1404 name=quay.io/ansible/ubuntu1404-test-container:1.4.0

-ubuntu1604 name=quay.io/ansible/ubuntu1604-test-container:1.4.0

-ubuntu1604py3 name=quay.io/ansible/ubuntu1604py3-test-container:1.4.0

+opensuse42.3 name=quay.io/ansible/opensuse42.3-test-container:1.4.0 seccomp=unconfined

+ubuntu1404 name=quay.io/ansible/ubuntu1404-test-container:1.4.0 seccomp=unconfined

+ubuntu1604 name=quay.io/ansible/ubuntu1604-test-container:1.4.0 seccomp=unconfined

+ubuntu1604py3 name=quay.io/ansible/ubuntu1604py3-test-container:1.4.0 seccomp=unconfined

@@ -11,6 +11,7 @@ from lib.util import (

     docker_qualify_image,

     find_python,

     generate_pip_command,

+    get_docker_completion,

 )

 from lib.metadata import (

@@ -46,8 +47,12 @@ class EnvironmentConfig(CommonConfig):

         self.docker_privileged = args.docker_privileged if 'docker_privileged' in args else False  # type: bool

         self.docker_pull = args.docker_pull if 'docker_pull' in args else False  # type: bool

         self.docker_keep_git = args.docker_keep_git if 'docker_keep_git' in args else False  # type: bool

+        self.docker_seccomp = args.docker_seccomp if 'docker_seccomp' in args else None  # type: str

         self.docker_memory = args.docker_memory if 'docker_memory' in args else None

+        if self.docker_seccomp is None:

+            self.docker_seccomp = get_docker_completion().get(self.docker_raw, {}).get('seccomp', 'default')

+

         self.tox_sitepackages = args.tox_sitepackages  # type: bool

         self.remote_stage = args.remote_stage  # type: str

@@ -238,6 +238,9 @@ def delegate_docker(args, exclude, require, integration_targets):

             docker_socket = '/var/run/docker.sock'

+            if args.docker_seccomp != 'default':

+                test_options += ['--security-opt', 'seccomp=%s' % args.docker_seccomp]

+

             if os.path.exists(docker_socket):

                 test_options += ['--volume', '%s:%s' % (docker_socket, docker_socket)]

@@ -651,6 +651,12 @@ def add_extra_docker_options(parser, integration=True):

                         action='store_true',

                         help='transfer git related files into the docker container')

+    docker.add_argument('--docker-seccomp',

+                        metavar='SC',

+                        choices=('default', 'unconfined'),

+                        default=None,

+                        help='set seccomp confinement for the test container: %(choices)s')

+

     if not integration:

         return