opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-05-22 01:27:07 +08:00
Code Issues Packages Projects Releases Wiki Activity

quadlet: ensure user units wait for the network

Browse Source 
As documented in the issue there is no way to wait for system units from
the user session[1]. This causes problems for rootless quadlet units as
they might be started before the network is fully up. TWhile this was
always the case and thus was never really noticed the main thing that
trigger a bunch of errors was the switch to pasta.

Pasta requires the network to be fully up in order to correctly select
the right "template" interface based on the routes. If it cannot find a
suitable interface it just fails and we cannot start the container
understandingly leading to a lot of frustration from users.

As there is no sign of any movement on the systemd issue we work around
here by using our own user unit that check if the system session
network-online.target it ready.

Now for testing it is a bit complicated. While we do now correctly test
the root and rootless generator since commit ada75c0bb8 the resulting
Wants/After= lines differ between them and there is no logic in the
testfiles themself to say if root/rootless to match specifics. One idea
was to use `assert-key-is-rootless/root` but that seemed like more
duplication for little reason so use a regex and allow both to make it
pass always. To still have some test coverage add a check in the system
test to ask systemd if we did indeed have the right depdendencies where
we can check for exact root/rootless name match.

[1] https://github.com/systemd/systemd/issues/3312

Fixes #22197

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This commit is contained in:
Paul Holzinger
2024-10-17 14:40:18 +02:00
parent 203ab6573b
commit 57b022782b
18 changed files with 66 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
docs/source/markdown/podman-systemd.unit.5.md
View File

@ -238,9 +238,14 @@ that limit the output to only the units you are debugging.
### Implicit network dependencies
In the case of Container, Image and Build units, Quadlet will add dependencies on the `network-online.target`
by adding `After=` and `Wants=` properties to the unit. This is to ensure that the network is reachable if
an image needs to be pulled.
In the case of Container, Image and Build units, Quadlet will add dependencies on the `network-online.target` (as root)
or `podman-user-wait-network-online.service` (as user) by adding `After=` and `Wants=` properties to the unit.
This is to ensure that the network is reachable if an image needs to be pulled and by the time the container is started.
The special case `podman-user-wait-network-online.service` unit is needed as user because user units are unable to wait
for system (root) units so `network-online.target` doesn't do anything there and is instead ignored. As this caused
a significant amount of issues we decided to work around this with our own special purpose unit that simply checks if
the `network-online.target` unit is active with `systemctl is-active network-online.target`.
This behavior can be disabled by adding `DefaultDependencies=false` in the `Quadlet` section.
@ -1791,10 +1796,10 @@ exists on the host, pulling it if needed.
Using image units allows containers and volumes to depend on images being automatically pulled. This is
particularly interesting when using special options to control image pulls.
Note: The generated service have a dependency on `network-online.target` assuring the network is reachable if
an image needs to be pulled.
If the image service needs to run without available network (e.g. early in boot), the requirement can be
overridden simply by adding an empty `After=` in the unit file. This will unset all previously set After's.
Note: The generated service have a dependency on `network-online.target` or
`podman-user-wait-network-online.service` assuring the network is reachable if an image needs to be pulled.
If the image service needs to run without available network (e.g. early in boot), this behavior
can be disabled by adding `DefaultDependencies=false` in the `Quadlet` section.
Valid options for `[Image]` are listed below:
@ -1936,7 +1941,8 @@ Valid options for `[Quadlet]` are listed below:
Add Quadlet's default network dependencies to the unit (default is `true`).
When set to false, Quadlet will **not** add a dependency (After=, Wants=) to `network-online.target` to the generated unit.
When set to false, Quadlet will **not** add a dependency (After=, Wants=) to
`network-online.target`/`podman-user-wait-network-online.service` to the generated unit.
## EXAMPLES