systemd User= directive not supported, why?

[soinu]

According to #6582 (comment) and #5572 (comment) the User= directive is not supported by podman.

I wonder why this is not supported as it works just fine, with root and rootless, as far as I could test. What are the exact issues except you need to modify the podman generated systemd files a little bit?

[mheon]

Generally speaking, Podman (when managed by systemd) is run as Type=forking with PID files to inform systemd of the PID of the container (not Podman - Conmon and the container will double-fork to daemonize after being launched, to ensure they survive if the Podman process exits). Unfortunately, this doesn't work when the User directive is specified, as systemd expects all PID files to be owned by root. Podman will not be running as root in this case (because systemd launched it as a different user) and as such systemd will refuse to read the PID file.

We have plans to convert the default for our unit files to Type=sdnotify (code changes are required that haven't made it in yet). Once this happens, it may be possible. There are still issues related to this (systemd does not create a user session for users running a service, so the user will likely need to have lingering enabled via loginctl enable-linger, for example) but they are smaller and can be worked around.

[soinu]

Unfortunately, this doesn't work when the User directive is specified, as systemd expects all PID files to be owned by root.

Are you sure? I use PIDFile=/tmp/container-example.pid and this file is owned by the specified (non root) User= which is working just fine.

[soinu]

Oh and I am also using Type=simple instead of Type=forking

[mheon]

Type=simple is the reason it seems to be working, but it is also incorrect. With Type=simple you are tracking the Podman process, not the container process - the two are not the same. The Podman process can be killed and the container will still continue running. We've seen serious issues around this before, which is why we use Type=forking

[vrothberg]

Update: Type=notify has been implemented in the meantime. Hence, the MainPID issue is not causing trouble anymore. The next thing in line is that systemd does not change the user information to the specified User=; it continues referring to root. That makes it (almost?) impossible to create units that would run on more than one machine.

I think that's something we need to give some priority this year. Using systemctl as root with services changing to non-root users is a common pattern for sys admins, especially for discoverability.

Cc @fatherlinux since we chatted about this very topic last week.

[ljrk0]

I'm just leaving the link to the current tracking/open issue in this problem space here:
#12778

... since it's kind-of hard to find, given all the other smaller issues such as
#5572
#6582 (dup of #5572)
#10557 (fixes #5572).

I hope this makes it simpler to connect all the discussion so far :)