Fix rootless systemd service

[YurNaybor]

I needed some small fixes to make rootless containers working with systemd. Hopefully this is of use for others, too.

[ikke-t]

Hmmm, didn't the auto update work for you without those links? Odd, for me the containers do update. I wonder if I did something manually then.

What comes to root owning the system files, this was discussed yearlier already. I purposely had root owning them as an extra security step.

[ikke-t]

This should do it: https://github.com/ikke-t/podman-container-systemd/blob/e720d245260b1e53ca6c3e324eb37a68d8fcb458/tasks/main.yml#L236

So I wonder is there bug somewhere that breaks it?

[YurNaybor]

Well I actually had two errors during the role execution:

1. "operation not permitted" at "create systemd service file for container", with "container_run_as_user = containers". This is logical, because it would effectively try to chown the files to root as non-root. If root ownership for the systemd units in rootless mode is really desired (which I highly doubt), one would have to add a second task for setting the permissions, without "become_user=..."

2. The activation of the auto update / timer service failed (at "ensure auto update is running for images"), because of "service not found". Here I am not completely sure how systemd's user scope works, but simply providing links to the services in the users' systemd folders solved the problem. I'm not actually interested in having the auto update running, but the role execution should be at least successful.

[ikke-t]

hi, sorry for such late reply, but it seems this now conflicts with the existing tree. Could you please rebase and check? There is the PR conflicting which made the service file ownership to be set separately.