search

containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0
23.35k stars 2.38k forks source link

Quadlet breaks when User= is specified in [Service] section #22970

Closed nicoya closed 3 months ago

nicoya commented 3 months ago

Issue Description

In attempting to get a container running as non-root, I'm using the following quadlet configuration.

ubb:/etc/containers/systemd# cat ubb-roundcube.kube 
[Unit]
Description=RoundCube email client

[Kube]
Yaml=/opt/roundcube/roundcube.yaml

[Service]
User=roundcube
WorkingDirectory=/opt/roundcube
Restart=always

[Install]
WantedBy=multi-user.target

Which generates this systemd spec

ubb:/etc/containers/systemd# /usr/lib/systemd/system-generators/podman-system-generator --dryrun
quadlet-generator[3589233]: Error occurred resolving path "/usr/share/containers/systemd": lstat /usr/share/containers/systemd: no such file or directory
quadlet-generator[3589233]: Loading source unit file /etc/containers/systemd/ubb-roundcube.kube
---ubb-roundcube.service---
[Unit]
Description=RoundCube email client
SourcePath=/etc/containers/systemd/ubb-roundcube.kube
RequiresMountsFor=%t/containers

[X-Kube]
Yaml=/opt/roundcube/roundcube.yaml

[Service]
User=roundcube
WorkingDirectory=/opt/roundcube
Restart=always
KillMode=mixed
Environment=PODMAN_SYSTEMD_UNIT=%n
Type=notify
NotifyAccess=all
SyslogIdentifier=%N
ExecStart=/usr/bin/podman kube play --replace --service-container=true /opt/roundcube/roundcube.yaml
ExecStopPost=/usr/bin/podman kube down /opt/roundcube/roundcube.yaml

[Install]
WantedBy=multi-user.target

Running this service results in the following error messages

Jun 11 16:34:04 ubb systemd[1]: Starting ubb-roundcube.service - RoundCube email client...
░░ Subject: A start job for unit ubb-roundcube.service has begun execution
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ A start job for unit ubb-roundcube.service has begun execution.
░░ 
░░ The job identifier is 187629.
Jun 11 16:34:07 ubb systemd[1]: ubb-roundcube.service: Failed with result 'protocol'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ The unit ubb-roundcube.service has entered the 'failed' state with result 'protocol'.
Jun 11 16:34:07 ubb systemd[1]: Failed to start ubb-roundcube.service - RoundCube email client.
░░ Subject: A start job for unit ubb-roundcube.service has failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ A start job for unit ubb-roundcube.service has finished with a failure.
░░ 
░░ The job identifier is 187629 and the job result is failed.

Commenting out the User=roundcube line however results in the pod successfully running (as root). I can also successfully run the pod by doing sudo -u roundcube podman kube play roundcube.yaml.

Steps to reproduce the issue

Steps to reproduce the issue

  1. Make a quadlet file with User= line specifying a non-root user
  2. Run quadlet via systemctl

Describe the results you received

Container should run as the specified non-root user.

Describe the results you expected

Container does not run successfully

podman info output

host:
  arch: amd64
  buildahVersion: 1.33.7
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon_2.1.10+ds1-1+b1_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: unknown'
  cpuUtilization:
    idlePercent: 88.06
    systemPercent: 4.35
    userPercent: 7.58
  cpus: 8
  databaseBackend: boltdb
  distribution:
    codename: trixie
    distribution: debian
    version: unknown
  eventLogger: journald
  freeLocks: 2048
  hostname: ubb
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.7.12-amd64
  linkmode: dynamic
  logDriver: journald
  memFree: 655499264
  memTotal: 33598926848
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns_1.4.0-5_amd64
      path: /usr/lib/podman/aardvark-dns
      version: aardvark-dns 1.4.0
    package: netavark_1.4.0-4.1_amd64
    path: /usr/lib/podman/netavark
    version: netavark 1.4.0
  ociRuntime:
    name: crun
    package: crun_1.15-1_amd64
    path: /usr/bin/crun
    version: |-
      crun version 1.15
      commit: e6eacaf4034e84185fd8780ac9262bbf57082278
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt_0.0~git20240426.d03c4e2-1_amd64
    version: |
      pasta 0.0~git20240426.d03c4e2-1
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: true
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_1.2.1-1+b1_amd64
    version: |-
      slirp4netns version 1.2.1
      commit: 09e31e92fa3d2a1d3ca261adaeb012c8d75a8194
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.5
  swapFree: 0
  swapTotal: 0
  uptime: 574h 49m 14.00s (Approximately 23.92 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 3998638669824
  graphRootUsed: 573386256384
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 6
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.9.4
  Built: 0
  BuiltTime: Wed Dec 31 16:00:00 1969
  GitCommit: ""
  GoVersion: go1.22.1
  Os: linux
  OsArch: linux/amd64
  Version: 4.9.4

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

No

Additional environment details

No response

Additional information

No response

Luap99 commented 3 months ago

User= is not supported, see https://github.com/containers/podman/discussions/20573