diff --git a/pkg/systemd/quadlet/quadlet.go b/pkg/systemd/quadlet/quadlet.go
index d90de98f8e..782eda506d 100644
--- a/pkg/systemd/quadlet/quadlet.go
+++ b/pkg/systemd/quadlet/quadlet.go
@@ -615,18 +615,8 @@ func ConvertContainer(container *parser.UnitFile, names map[string]string, isUse
 podman.add("--read-only-tmpfs=false")
 }
 
- hasUser := container.HasKey(ContainerGroup, KeyUser)
- hasGroup := container.HasKey(ContainerGroup, KeyGroup)
- if hasUser || hasGroup {
- uid := container.LookupUint32(ContainerGroup, KeyUser, 0)
- gid := container.LookupUint32(ContainerGroup, KeyGroup, 0)
-
- podman.add("--user")
- if hasGroup {
- podman.addf("%d:%d", uid, gid)
- } else {
- podman.addf("%d", uid)
- }
+ if err := handleUser(container, ContainerGroup, podman); err != nil {
+ return nil, err
 }
 
 if workdir, exists := container.Lookup(ContainerGroup, KeyWorkingDir); exists {
@@ -1225,6 +1215,30 @@ func ConvertImage(image *parser.UnitFile) (*parser.UnitFile, string, error) {
 return service, imageName, nil
 }
 
+func handleUser(unitFile *parser.UnitFile, groupName string, podman *PodmanCmdline) error {
+ user, hasUser := unitFile.Lookup(groupName, KeyUser)
+ okUser := hasUser && len(user) > 0
+
+ group, hasGroup := unitFile.Lookup(groupName, KeyGroup)
+ okGroup := hasGroup && len(group) > 0
+
+ if !okUser {
+ if okGroup {
+ return fmt.Errorf("invalid Group set without User")
+ }
+ return nil
+ }
+
+ if !okGroup {
+ podman.add("--user", user)
+ return nil
+ }
+
+ podman.addf("--user=%s:%s", user, group)
+
+ return nil
+ }
+
 func handleUserRemap(unitFile *parser.UnitFile, groupName string, podman *PodmanCmdline, isUser, supportManual bool) error {
 // ignore Remap keys if UserNS is set
 if userns, ok := unitFile.Lookup(groupName, KeyUserNS); ok && len(userns) > 0 {
diff --git a/test/e2e/quadlet/group.container b/test/e2e/quadlet/group.container
new file mode 100644
index 0000000000..4697b31029
--- /dev/null
+++ b/test/e2e/quadlet/group.container
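Review bot: handleUser (second hunk of quadlet.go) emits the flag in two different shapes — `podman.add("--user", user)` as two arguments in the User-only branch but a single `--user=%s:%s` argument when Group is also set, which is the form the updated user.container fixture now asserts while the User-only branch has no fixture at all — and nothing rejects a User value that already carries a group, so `User=%U:%G` (user1.container) combined with `Group=%G` (user2.container) would yield `--user=%U:%G:%G`. I would use `podman.addf("--user=%s", user)` in the first branch for consistency and, before the combined form, guard with `if strings.Contains(user, ":") { return fmt.Errorf("User must not contain ':' when Group is set") }` (assuming strings is already imported in this file). Note also that the removed code parsed both keys through LookupUint32, so the raw strings are now forwarded to the command line unvalidated; this is presumably intended to allow names and the %U/%G specifiers, but it is worth a comment saying so. The function has no doc comment; `// handleUser adds --user to the podman command line from the User and Group keys of groupName; Group without User is an error.` would cover it. The error string `"invalid Group set without User"` has no format verbs, so `errors.New` is the idiomatic constructor here.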
@@ -0,0 +1,6 @@
+## assert-failed
+## assert-stderr-contains "Group set without User"
+
+[Container]
+Image=localhost/imagename
+Group=foobar
diff --git a/test/e2e/quadlet/user.container b/test/e2e/quadlet/user.container
index cfd1c58232..6b1834415b 100644
--- a/test/e2e/quadlet/user.container
+++ b/test/e2e/quadlet/user.container
@@ -1,5 +1,5 @@
 ## assert-podman-final-args localhost/imagename
-## assert-podman-args "--user" "998:999"
+## assert-podman-args "--user=998:999"
 
 [Container]
 Image=localhost/imagename
diff --git a/test/e2e/quadlet/user1.container b/test/e2e/quadlet/user1.container
new file mode 100644
index 0000000000..361a20a5f0
--- /dev/null
+++ b/test/e2e/quadlet/user1.container
@@ -0,0 +1,6 @@
+## assert-podman-final-args localhost/imagename
+## assert-podman-args "--user=%U:%G"
+
+[Container]
+Image=localhost/imagename
+User=%U:%G
diff --git a/test/e2e/quadlet/user2.container b/test/e2e/quadlet/user2.container
new file mode 100644
index 0000000000..5a4b1476b8
--- /dev/null
+++ b/test/e2e/quadlet/user2.container
@@ -0,0 +1,7 @@
+## assert-podman-final-args localhost/imagename
+## assert-podman-args "--user=%U:%G"
+
+[Container]
+Image=localhost/imagename
+User=%U
+Group=%G