Add requirement on socket activation

Rootless Podman in a User= systemd service can start the nginx container with socket activation using a privileged port.

  1. Create the user test if it does not yet exist.
    $ sudo useradd test
    
  2. Check the UID of the user test.
    $ id -u test
    1000
    
  3. Create the file /etc/systemd/system/example3.service with the contents
    [Unit]
    Wants=network-online.target
    After=network-online.target
    Requires=user@1000.service
    After=user@1000.service
    RequiresMountsFor=/run/user/1000/containers
    
    [Service]
    User=test
    Environment=PODMAN_SYSTEMD_UNIT=%n
    KillMode=mixed
    ExecStop=/usr/bin/podman rm -f -i --cidfile=/run/user/1000/%N.cid
    ExecStopPost=-/usr/bin/podman rm -f -i --cidfile=/run/user/1000/%N.cid
    Delegate=yes
    Type=notify
    NotifyAccess=all
    SyslogIdentifier=%N
    ExecStart=/usr/bin/podman run \
         --cidfile=/run/user/1000/%N.cid \
         --cgroups=split \
         --rm \
         --env "NGINX=3;" \
         -d \
         --replace \
         --name systemd-%N \
         --sdnotify=conmon \
         docker.io/library/nginx
    
    (To adjust the file for your system, replace 1000 with the UID found in step 2)
  4. Optional step for improved security: Edit the file /etc/systemd/system/example3.service and add the option --network none to the podman run command. For details, see section Possibility to restrict the network in the container.
  5. Create the file /etc/systemd/system/example3.socket with the contents
    [Unit]
    Description=Example 3 socket
    
    [Socket]
    ListenStream=0.0.0.0:80
    
    [Install]
    WantedBy=sockets.target
    
  6. Reload the systemd configuration
    $ sudo systemctl daemon-reload
    
  7. Start the socket
    $ sudo systemctl start example3.socket
    
  8. Test the web server
    $ curl localhost:80 | head -4
    <!DOCTYPE html>
    <html>
    <head>
    <title>Welcome to nginx!</title>
    

Note that the method used in this example requires that the container image supports socket activation. For example, docker.io/library/mariadb and docker.io/library/nginx support socket activation, but many other container images do not.

The steps above are from a demo I wrote: https://github.com/eriksjolund/podman-nginx-socket-activation/tree/main/examples/example3

I have just tried this out so I still need to figure out how well this solution works.

There is a Podman feature request for adding Podman support for User= in systemd system services. The feature request was moved into a GitHub discussion.
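As an added example (not code from the answer or the linked demo repository), a small preflight check to run before systemctl daemon-reload: it verifies that the UID in Requires=, After=, RequiresMountsFor= and the --cidfile paths all agree, that the socket unit holds port 80, and that nginx is told the activated socket is fd 3. The function names unit_value, check_units and write_sample_units are mine, and the sample units it writes are trimmed constructed copies of the ones above.

```shell
#!/bin/sh
# Added example, not from the answer or the linked demo repository.
# check_units verifies the example3 unit pair before daemon-reload:
# every UID reference must match the expected UID, the socket unit must
# own port 80, nginx must be told the activated socket is fd 3, and the
# optional --network none hardening (step 4) is reported if absent.

# Print the value of key $2 in unit file $1 (first occurrence).
unit_value() { sed -n "s/^$2=//p" "$1" | head -n 1; }

# check_units SERVICE_FILE SOCKET_FILE EXPECTED_UID -> 0 if consistent, else 1
check_units() {
  svc="$1"; sock="$2"; uid="$3"; rc=0
  # The unit must pull in the user manager of exactly that UID.
  for key in Requires After; do
    grep -q "^${key}=user@${uid}\.service\$" "$svc" \
      || { echo "missing ${key}=user@${uid}.service" >&2; rc=1; }
  done
  # Every /run/user/<n> path (cidfile, RequiresMountsFor=) must use that UID.
  stray=$(grep -o '/run/user/[0-9][0-9]*' "$svc" | grep -v "^/run/user/${uid}\$" | sort -u)
  [ -z "$stray" ] || { echo "UID mismatch in paths: $stray" >&2; rc=1; }
  # The service must drop to an unprivileged account.
  [ -n "$(unit_value "$svc" User)" ] || { echo "User= not set" >&2; rc=1; }
  # systemd owns the privileged port; the container only inherits the fd.
  unit_value "$sock" ListenStream | grep -q ':80$' \
    || { echo "socket does not listen on port 80" >&2; rc=1; }
  # nginx learns from the NGINX env var which fd carries the socket (fd 3).
  grep -q -- '--env "NGINX=3;"' "$svc" \
    || { echo "NGINX=3; missing: nginx would ignore the passed socket" >&2; rc=1; }
  grep -q -- '--network none' "$svc" \
    || echo "note: --network none not set (optional hardening, step 4)" >&2
  return $rc
}

# write_sample_units DIR UID: constructed, trimmed copies of the units above.
write_sample_units() {
  printf '%s\n' "[Unit]" "Requires=user@$2.service" "After=user@$2.service" \
    "RequiresMountsFor=/run/user/$2/containers" "[Service]" "User=test" \
    "ExecStart=/usr/bin/podman run --cidfile=/run/user/$2/%N.cid --env \"NGINX=3;\" docker.io/library/nginx" \
    > "$1/example3.service"
  printf '%s\n' "[Socket]" "ListenStream=0.0.0.0:80" > "$1/example3.socket"
}

# Stand-alone run against the constructed sample for UID 1000.
dir=$(mktemp -d); write_sample_units "$dir" 1000
check_units "$dir/example3.service" "$dir/example3.socket" 1000 && echo "example3 units consistent"
rm -rf "$dir"
```

Point check_units at the real /etc/systemd/system/example3.service and example3.socket with the UID from step 2 to catch a forgotten 1000 before the unit is loaded.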
