support rootless healthchecks

Signed-off-by: Arjun Raja Yogidas <[email protected]>

Author: coderbirju

pkg/healthcheck/healthcheck_manager_linux.go

@@ -22,6 +22,7 @@ import (
 	"math/rand"
 	"os"
 	"os/exec"
+	"strconv"
 	"strings"
 	"time"
 
@@ -50,6 +51,10 @@ func CreateTimer(ctx context.Context, container containerd.Container) error {
 	log.G(ctx).Debugf("Creating healthcheck timer unit: %s", hcName)
 
 	cmd := []string{}
+	if rootlessutil.IsRootless() {
+		cmd = append(cmd, fmt.Sprintf("--uid=%d", rootlessutil.ParentEUID()))
+	}
+
 	if path := os.Getenv("PATH"); path != "" {
 		cmd = append(cmd, "--setenv=PATH="+path)
 	}
@@ -300,14 +305,30 @@ func shouldSkipHealthCheckSystemd(hc *Healthcheck) bool {
 		return true
 	}
 
-	// Skip healthchecks in rootless environments to avoid systemd DBUS permission issues
-	if rootlessutil.IsRootless() {
-		return true
-	}
+	// // Skip healthchecks in rootless environments to avoid systemd DBUS permission issues
+	// if rootlessutil.IsRootless() {
+	// 	return true
+	// }
 
 	// Don't proceed if health check is nil, empty, explicitly NONE or interval is 0.
 	if hc == nil || len(hc.Test) == 0 || hc.Test[0] == "NONE" || hc.Interval == 0 {
 		return true
 	}
 	return false
 }
+
+// GetEffectiveUID returns the effective user ID as a string, handling UserNS correctly.
+// In rootless environments with User Namespaces, os.Geteuid() may return the mapped UID
+// inside the namespace rather than the real host UID. This function prioritizes
+// ROOTLESSKIT_PARENT_EUID when available to get the real host UID.
+// func GetEffectiveUID(ctx context.Context) string {
+// 	if parentEuid, ok := os.LookupEnv("ROOTLESSKIT_PARENT_EUID"); ok {
+// 		// Validate it's a valid number (following XDGRuntimeDir pattern)
+// 		if _, err := strconv.Atoi(parentEuid); err != nil {
+// 			log.G(ctx).Warnf("invalid ROOTLESSKIT_PARENT_EUID: %v, falling back to current euid", err)
+// 			return strconv.Itoa(os.Geteuid())
+// 		}
+// 		return parentEuid
+// 	}
+// 	return strconv.Itoa(os.Geteuid())
+}