Allow systemd specifiers in User and Group Quadlet keys

Replaces: https://github.com/containers/podman/pull/18262 Signed-off-by: Tom Mombourquette <tom@devnode.com> Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2025-06-20 09:03:43 +08:00 · 2023-10-18 06:08:28 -04:00
parent ef2392f21c
commit 285718915c
5 changed files with 46 additions and 13 deletions
--- a/pkg/systemd/quadlet/quadlet.go
+++ b/pkg/systemd/quadlet/quadlet.go
@ -615,18 +615,8 @@ func ConvertContainer(container *parser.UnitFile, names map[string]string, isUse
 		podman.add("--read-only-tmpfs=false")
 	}

-	hasUser := container.HasKey(ContainerGroup, KeyUser)
-	hasGroup := container.HasKey(ContainerGroup, KeyGroup)
-	if hasUser || hasGroup {
-		uid := container.LookupUint32(ContainerGroup, KeyUser, 0)
-		gid := container.LookupUint32(ContainerGroup, KeyGroup, 0)
-
-		podman.add("--user")
-		if hasGroup {
-			podman.addf("%d:%d", uid, gid)
-		} else {
-			podman.addf("%d", uid)
-		}
+	if err := handleUser(container, ContainerGroup, podman); err != nil {
+		return nil, err
 	}

 	if workdir, exists := container.Lookup(ContainerGroup, KeyWorkingDir); exists {
@ -1225,6 +1215,30 @@ func ConvertImage(image *parser.UnitFile) (*parser.UnitFile, string, error) {
 	return service, imageName, nil
 }

+func handleUser(unitFile *parser.UnitFile, groupName string, podman *PodmanCmdline) error {
+	user, hasUser := unitFile.Lookup(groupName, KeyUser)
+	okUser := hasUser && len(user) > 0
+
+	group, hasGroup := unitFile.Lookup(groupName, KeyGroup)
+	okGroup := hasGroup && len(group) > 0
+
+	if !okUser {
+		if okGroup {
+			return fmt.Errorf("invalid Group set without User")
+		}
+		return nil
+	}
+
+	if !okGroup {
+		podman.add("--user", user)
+		return nil
+	}
+
+	podman.addf("--user=%s:%s", user, group)
+
+	return nil
+}
+
 func handleUserRemap(unitFile *parser.UnitFile, groupName string, podman *PodmanCmdline, isUser, supportManual bool) error {
 	// ignore Remap keys if UserNS is set
 	if userns, ok := unitFile.Lookup(groupName, KeyUserNS); ok && len(userns) > 0 {
--- a/test/e2e/quadlet/group.container
+++ b/test/e2e/quadlet/group.container
@ -0,0 +1,6 @@
+## assert-failed
+## assert-stderr-contains "Group set without User"
+
+[Container]
+Image=localhost/imagename
+Group=foobar
--- a/test/e2e/quadlet/user.container
+++ b/test/e2e/quadlet/user.container
@ -1,5 +1,5 @@
 ## assert-podman-final-args localhost/imagename
-## assert-podman-args "--user" "998:999"
+## assert-podman-args "--user=998:999"

 [Container]
 Image=localhost/imagename
--- a/test/e2e/quadlet/user1.container
+++ b/test/e2e/quadlet/user1.container
@ -0,0 +1,6 @@
+## assert-podman-final-args localhost/imagename
+## assert-podman-args "--user=%U:%G"
+
+[Container]
+Image=localhost/imagename
+User=%U:%G
--- a/test/e2e/quadlet/user2.container
+++ b/test/e2e/quadlet/user2.container
@ -0,0 +1,7 @@
+## assert-podman-final-args localhost/imagename
+## assert-podman-args "--user=%U:%G"
+
+[Container]
+Image=localhost/imagename
+User=%U
+Group=%G