Quadlet - Error when units define User, Group, or DynamicUser in Service group
Fixes: #26543 Signed-off-by: Evan Miller <miller.evan815@gmail.com>
@@ -78,6 +78,12 @@ session gets started. For unit files placed in subdirectories within
|
||||
/etc/containers/systemd/user/${UID}/ and the other user unit search paths,
|
||||
Quadlet will recursively search and run the unit files present in these subdirectories.
|
||||
|
||||
Note that Quadlet units do not support running as a non-root user by defining the
|
||||
[User, Group](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#User=),
|
||||
or [DynamicUser](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#DynamicUser=)
|
||||
systemd options. If you want to run a rootless Quadlet, you will need to create the user
|
||||
and add the unit file to one of the above rootless unit search paths.
|
||||
|
||||
Note: When a Quadlet is starting, Podman often pulls or builds one more container images which may take a considerable amount of time.
|
||||
Systemd defaults service start time to 90 seconds, or fails the service. Pre-pulling the image or extending
|
||||
the systemd timeout time for the service using the *TimeoutStartSec* Service option can fix the problem.
|
||||
|
||||
@@ -186,6 +186,9 @@ const (
|
||||
KeyYaml = "Yaml"
|
||||
)
|
||||
|
||||
// Unsupported keys in the Service group. Defined here so we can error when they are found
|
||||
var UnsupportedServiceKeys = [...]string{"User", "Group", "DynamicUser"}
|
||||
|
||||
type UnitInfo struct {
|
||||
// The name of the generated systemd service unit
|
||||
ServiceName string
|
||||
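Review bot: `UnsupportedServiceKeys` is declared as an exported `var`, so any package importing this one can overwrite its elements and silently weaken the check that depends on it. Nothing in the visible hunks uses it outside this package, so an unexported name would do, e.g. `var unsupportedServiceKeys = [...]string{"User", "Group", "DynamicUser"}`, with the loop in `initServiceUnitFile` updated to match. The comment could also say why the keys are rejected, for example `// Service keys that would change the user the generated unit runs as; Quadlet rejects them rather than passing them through.`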
@@ -2245,6 +2248,14 @@ func initServiceUnitFile(quadletUnitFile *parser.UnitFile, isUser bool, unitsInf
|
||||
return nil, nil, err
|
||||
}
|
||||
|
||||
// These Service keys cannot be used in a Quadlet unit
|
||||
for _, key := range UnsupportedServiceKeys {
|
||||
_, hasKey := quadletUnitFile.Lookup(ServiceGroup, key)
|
||||
if hasKey {
|
||||
return nil, nil, fmt.Errorf("using key %s in the Service group is not supported", key)
|
||||
}
|
||||
}
|
||||
|
||||
service := quadletUnitFile.Dup()
|
||||
service.Filename = unitInfo.ServiceFileName()
|
||||
|
||||
|
||||
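Review bot: The new loop rejects a unit as soon as the key is present, whatever its value, so `DynamicUser=no` or an empty `User=` fails the same way as `User=1000`. If that strictness is intended, the comment above the loop should say so, e.g. `// Reject on presence, regardless of value: Quadlet does not support changing the service user.` The error text names the key but not the remedy the documentation hunk gives (placing the unit in a rootless search path); the e2e expectations pin the current message, so extending it means updating them too. `initServiceUnitFile` starts and ends outside this hunk.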
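--- a/test/e2e/quadlet/service-dynamicuser.build
+++ b/test/e2e/quadlet/service-dynamicuser.build
@@ -0,0 +1,4 @@
+## assert-failed
+## assert-stderr-contains "using key DynamicUser in the Service group is not supported"
+[Service]
+DynamicUser=foobar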
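--- a/test/e2e/quadlet/service-dynamicuser.container
+++ b/test/e2e/quadlet/service-dynamicuser.container
@@ -0,0 +1,4 @@
+## assert-failed
+## assert-stderr-contains "using key DynamicUser in the Service group is not supported"
+[Service]
+DynamicUser=foobar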
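--- a/test/e2e/quadlet/service-dynamicuser.image
+++ b/test/e2e/quadlet/service-dynamicuser.image
@@ -0,0 +1,4 @@
+## assert-failed
+## assert-stderr-contains "using key DynamicUser in the Service group is not supported"
+[Service]
+DynamicUser=foobar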
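--- a/test/e2e/quadlet/service-dynamicuser.kube
+++ b/test/e2e/quadlet/service-dynamicuser.kube
@@ -0,0 +1,4 @@
+## assert-failed
+## assert-stderr-contains "using key DynamicUser in the Service group is not supported"
+[Service]
+DynamicUser=foobar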
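--- a/test/e2e/quadlet/service-dynamicuser.network
+++ b/test/e2e/quadlet/service-dynamicuser.network
@@ -0,0 +1,4 @@
+## assert-failed
+## assert-stderr-contains "using key DynamicUser in the Service group is not supported"
+[Service]
+DynamicUser=foobar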
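--- a/test/e2e/quadlet/service-dynamicuser.pod
+++ b/test/e2e/quadlet/service-dynamicuser.pod
@@ -0,0 +1,4 @@
+## assert-failed
+## assert-stderr-contains "using key DynamicUser in the Service group is not supported"
+[Service]
+DynamicUser=foobar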
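--- a/test/e2e/quadlet/service-dynamicuser.volume
+++ b/test/e2e/quadlet/service-dynamicuser.volume
@@ -0,0 +1,4 @@
+## assert-failed
+## assert-stderr-contains "using key DynamicUser in the Service group is not supported"
+[Service]
+DynamicUser=foobar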
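--- a/test/e2e/quadlet/service-group.container
+++ b/test/e2e/quadlet/service-group.container
@@ -0,0 +1,9 @@
+## assert-failed
+## assert-stderr-contains "using key Group in the Service group is not supported"
+[Container]
+# This is fine
+Group=1000
+
+[Service]
+# This isn't
+Group=1000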
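--- a/test/e2e/quadlet/service-user.container
+++ b/test/e2e/quadlet/service-user.container
@@ -0,0 +1,9 @@
+## assert-failed
+## assert-stderr-contains "using key User in the Service group is not supported"
+[Container]
+# This is fine
+User=1000
+
+[Service]
+# This isn't
+User=1000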
@@ -1126,6 +1126,16 @@ BOGUS=foo
|
||||
Entry("Build - Neither WorkingDirectory nor File Key", "neither-workingdirectory-nor-file.build", "converting \"neither-workingdirectory-nor-file.build\": neither SetWorkingDirectory, nor File key specified"),
|
||||
Entry("Build - No ImageTag Key", "no-imagetag.build", "converting \"no-imagetag.build\": no ImageTag key specified"),
|
||||
Entry("emptyline.container", "emptyline.container", "converting \"emptyline.container\": no Image or Rootfs key specified"),
|
||||
|
||||
Entry("Unsupported Service Key - User", "service-user.container", "converting \"service-user.container\": using key User in the Service group is not supported"),
|
||||
Entry("Unsupported Service Key - Group", "service-group.container", "converting \"service-group.container\": using key Group in the Service group is not supported"),
|
||||
Entry("Unsupported Service Key - DynamicUser.build", "service-dynamicuser.build", "converting \"service-dynamicuser.build\": using key DynamicUser in the Service group is not supported"),
|
||||
Entry("Unsupported Service Key - DynamicUser.container", "service-dynamicuser.container", "converting \"service-dynamicuser.container\": using key DynamicUser in the Service group is not supported"),
|
||||
Entry("Unsupported Service Key - DynamicUser.image", "service-dynamicuser.image", "converting \"service-dynamicuser.image\": using key DynamicUser in the Service group is not supported"),
|
||||
Entry("Unsupported Service Key - DynamicUser.kube", "service-dynamicuser.kube", "converting \"service-dynamicuser.kube\": using key DynamicUser in the Service group is not supported"),
|
||||
Entry("Unsupported Service Key - DynamicUser.network", "service-dynamicuser.network", "converting \"service-dynamicuser.network\": using key DynamicUser in the Service group is not supported"),
|
||||
Entry("Unsupported Service Key - DynamicUser.pod", "service-dynamicuser.pod", "converting \"service-dynamicuser.pod\": using key DynamicUser in the Service group is not supported"),
|
||||
Entry("Unsupported Service Key - DynamicUser.volume", "service-dynamicuser.volume", "converting \"service-dynamicuser.volume\": using key DynamicUser in the Service group is not supported"),
|
||||
)
|
||||
|
||||
DescribeTable("Running success quadlet with ServiceName test case",
|
||||
|
||||
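Review bot: `User` and `Group` are exercised only through `.container` fixtures, while `DynamicUser` has an entry for each of the seven unit types. Because the check sits in the shared `initServiceUnitFile`, that is probably enough for the current code, but a later refactor that moves the check per unit type would lose `User`/`Group` coverage without a failing test. It may also be worth adding a case where the key arrives through a Quadlet drop-in file rather than the main unit; whether `Lookup` sees drop-in keys at that point is not visible in this diff. The enclosing `DescribeTable` call starts outside the hunk.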