From 099406f1b9bcb917487ba799dfbc580b426cfc9c Mon Sep 17 00:00:00 2001
From: Adam Williamson <awilliam@redhat.com>
Date: Wed, 2 Jul 2025 20:08:18 -0700
Subject: [PATCH] openqa/worker tap: set CAP_NET_ADMIN on qemu

I have no idea why we didn't need this before, but we seem to
need it now.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
---
 roles/openqa/worker/tasks/tap-setup.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/roles/openqa/worker/tasks/tap-setup.yml b/roles/openqa/worker/tasks/tap-setup.yml
index 9e720e0858..0bd280e872 100644
--- a/roles/openqa/worker/tasks/tap-setup.yml
+++ b/roles/openqa/worker/tasks/tap-setup.yml
@@ -18,6 +18,12 @@
 - name: Enable ipv4_forward in sysctl
   sysctl: name=net.ipv4.ip_forward value=1 state=present sysctl_set=yes reload=yes
 
+- name: Set CAP_NET_ADMIN for qemu (needed for it to control tap devices)
+  community.general.capabilities:
+    path: "/usr/bin/qemu-system-{{ ansible_architecture }}"
+    capability: cap_net_admin+ep
+    state: present
+
 - name: Start openvswitch service
   service: name=openvswitch enabled=yes state=started