Allow systemd specifiers in User and Group Quadlet keys

Replaces: https://github.com/containers/podman/pull/18262 Signed-off-by: Tom Mombourquette <tom@devnode.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2025-06-21 09:28:09 +08:00 · 2023-10-18 06:08:28 -04:00
parent ef2392f21c
commit 285718915c
5 changed files with 46 additions and 13 deletions
--- a/pkg/systemd/quadlet/quadlet.go
+++ b/pkg/systemd/quadlet/quadlet.go
@ -615,18 +615,8 @@ func ConvertContainer(container *parser.UnitFile, names map[string]string, isUse
 		podman.add("--read-only-tmpfs=false")
 	}
-	hasUser := container.HasKey(ContainerGroup, KeyUser)
+	if err := handleUser(container, ContainerGroup, podman); err != nil {
-	hasGroup := container.HasKey(ContainerGroup, KeyGroup)
+		return nil, err
 	if hasUser || hasGroup {
 		uid := container.LookupUint32(ContainerGroup, KeyUser, 0)
 		gid := container.LookupUint32(ContainerGroup, KeyGroup, 0)
 		podman.add("--user")
 		if hasGroup {
 			podman.addf("%d:%d", uid, gid)
 		} else {
 			podman.addf("%d", uid)
 		}
 	}
 	if workdir, exists := container.Lookup(ContainerGroup, KeyWorkingDir); exists {
@ -1225,6 +1215,30 @@ func ConvertImage(image *parser.UnitFile) (*parser.UnitFile, string, error) {
 	return service, imageName, nil
 }
 func handleUser(unitFile *parser.UnitFile, groupName string, podman *PodmanCmdline) error {
 	user, hasUser := unitFile.Lookup(groupName, KeyUser)
 	okUser := hasUser && len(user) > 0
 	group, hasGroup := unitFile.Lookup(groupName, KeyGroup)
 	okGroup := hasGroup && len(group) > 0
 	if !okUser {
 		if okGroup {
 			return fmt.Errorf("invalid Group set without User")
 		}
 		return nil
 	}
 	if !okGroup {
 		podman.add("--user", user)
 		return nil
 	}
 	podman.addf("--user=%s:%s", user, group)
 	return nil
 }
 func handleUserRemap(unitFile *parser.UnitFile, groupName string, podman *PodmanCmdline, isUser, supportManual bool) error {
 	// ignore Remap keys if UserNS is set
 	if userns, ok := unitFile.Lookup(groupName, KeyUserNS); ok && len(userns) > 0 {
--- a/test/e2e/quadlet/group.container
+++ b/test/e2e/quadlet/group.container
@ -0,0 +1,6 @@
 ## assert-failed
 ## assert-stderr-contains "Group set without User"
 [Container]
 Image=localhost/imagename
 Group=foobar
--- a/test/e2e/quadlet/user.container
+++ b/test/e2e/quadlet/user.container
@ -1,5 +1,5 @@
 ## assert-podman-final-args localhost/imagename
-## assert-podman-args "--user" "998:999"
+## assert-podman-args "--user=998:999"
 [Container]
 Image=localhost/imagename
--- a/test/e2e/quadlet/user1.container
+++ b/test/e2e/quadlet/user1.container
@ -0,0 +1,6 @@
 ## assert-podman-final-args localhost/imagename
 ## assert-podman-args "--user=%U:%G"
 [Container]
 Image=localhost/imagename
 User=%U:%G
--- a/test/e2e/quadlet/user2.container
+++ b/test/e2e/quadlet/user2.container
@ -0,0 +1,7 @@
 ## assert-podman-final-args localhost/imagename
 ## assert-podman-args "--user=%U:%G"
 [Container]
 Image=localhost/imagename
 User=%U
 Group=%G