Is there a need for an official systemd unit podman-usernamespace.service?

[eriksjolund]

I sometimes need an extra systemd user service that is only responsible for the pause process (catatonit).

When I have a systemd user service that is more restricted (e.g. restricted with NoNewPrivileges=yes),
a Podman process in such a service would not be able to execute /usr/bin/newuidmap and /usr/bin/newgidmap with the extra capabilities those executables have:

$ getcap /usr/bin/newuidmap 
/usr/bin/newuidmap cap_setuid=ep
$ getcap /usr/bin/newgidmap
/usr/bin/newgidmap cap_setgid=ep
$ 

Unless the Podman user namespace has already been set up, such a systemd user service would fail.

Here is an example where a Podman command first fails, but after running podman unshare /bin/true, the same Podman command starts to work:

On a Fedora 38 machine

[root@fedora ~]# useradd test
[root@fedora ~]# machinectl shell test@
Connected to the local host. Press ^] three times within 1s to exit session.
[test@fedora ~]$ systemd-run --quiet --user --collect --pipe --wait --property=NoNewPrivileges=yes podman run -q --rm docker.io/library/alpine echo success
ERRO[0000] running `/usr/bin/newuidmap 4745 0 50187 1 1 62813730 1000000`: newuidmap: write to uid_map failed: Operation not permitted 
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1
[test@fedora ~]$ podman unshare /bin/true
[test@fedora ~]$ systemd-run --quiet --user --collect --pipe --wait --property=NoNewPrivileges=yes podman run -q --rm docker.io/library/alpine echo success
success
[test@fedora ~]$ 

Running /usr/bin/newuidmap and /usr/bin/newgidmap is only needed when the
Podman user namespace is set up. Setting it up just needs to be done once after a reboot.
For example the command podman unshare /bin/true sets up the Podman user namespace.

Do you have any recommendations of how such a systemd user service should look like?
Is podman unshare /bin/true a good command to use?

In the blog post
https://www.redhat.com/sysadmin/podman-systemd-limit-access
I used:

[Unit]
Description=podman-usernamespace.service

[Service]
Type=oneshot
Restart=on-failure
TimeoutStopSec=70
ExecStart=/usr/bin/podman unshare /bin/true
RemainAfterExit=yes

I think that the podman RPM package could include a podman-usernamespace.service unit so that
there is an official way to start the podman user namespace. Such a service could be added as a dependency
when creating container units or service units. I'm not sure if podman generate systemd and quadlet should add such a dependency by default.

Do you think there is a need for an official systemd unit podman-usernamespace.service?

Side note 1: Currently the podman RPM package includes these units:

[test@fedora ~]$ rpm -ql podman | grep /usr/lib/systemd
/usr/lib/systemd/system-generators/podman-system-generator
/usr/lib/systemd/system/podman-auto-update.service
/usr/lib/systemd/system/podman-auto-update.timer
/usr/lib/systemd/system/podman-clean-transient.service
/usr/lib/systemd/system/[email protected]
/usr/lib/systemd/system/podman-restart.service
/usr/lib/systemd/system/podman.service
/usr/lib/systemd/system/podman.socket
/usr/lib/systemd/user-generators/podman-user-generator
/usr/lib/systemd/user/podman-auto-update.service
/usr/lib/systemd/user/podman-auto-update.timer
/usr/lib/systemd/user/[email protected]
/usr/lib/systemd/user/podman-restart.service
/usr/lib/systemd/user/podman.service
/usr/lib/systemd/user/podman.socket
[test@fedora ~]$ 

Side note 2: conmon-rs might also have a need for podman-usernamespace.service

• Consider using systemd for pause PID conmon-rs#1041

[rhatdan]

Why not run the container with nonewprivs instead of Podman?

[eriksjolund]

Why not run the container with nonewprivs instead of Podman?

I would like to run programs with as a little privilege as possible. The less privilege a program has, the less damage would a compromise of the program have.

There are some systemd directives that imply NoNewPrivileges=yes, for example

RestrictAddressFamilies=AF_UNIX AF_NETLINK

which could be good to use when using socket activation.

[rhatdan]

Not sure if this breaks certain podman commands as well
podman system migrate for example.

Does podman run --uidmap ... type commands continue to work?

[eriksjolund]

podman system migrate should not happen often. Maybe podman system migrate could stop
podman-usernamespace.service before migrating? (I don't know how podman system migrate works)

Does podman run --uidmap ... type commands continue to work?

I think so. I did some tests on Fedora CoreOS 38.20230722.1.0

test 1

1. Create user test1

   sudo useradd test1
   

2. Open a shell

   sudo machinectl shell test1@
   

3. Create directory

   mkdir -p ~/.config/containers/systemd
   

4. Create the file ~/.config/containers/systemd/mariadb.container
   with this file contents

   [Service]
   NoNewPrivileges=yes
   
   [Container]
   Image=docker.io/library/mariadb
   Environment=MYSQL_ROOT_PASSWORD=root
   User=mysql
   UserNS=keep-id:uid=999,gid=999
   Volume=/home/test1/data:/var/lib/mysql:Z
   

5. systemd --user daemon-reload
6. podman unshare /bin/true
7. systemctl --user start mariadb.service
8. Check the result

   $ systemctl --user is-active mariadb.service
   active
   $ ls -l ~/data
   total 170112
   -rw-rw----. 1 test1 test1  16875520 Jul 26 16:36 aria_log.00000001
   -rw-rw----. 1 test1 test1        52 Jul 26 16:36 aria_log_control
   -rw-rw----. 1 test1 test1         9 Jul 27 10:07 ddl_recovery.log
   -rw-rw----. 1 test1 test1       718 Jul 26 16:36 ib_buffer_pool
   -rw-rw----. 1 test1 test1 100663296 Jul 26 16:36 ib_logfile0
   -rw-rw----. 1 test1 test1  12582912 Jul 26 16:36 ibdata1
   -rw-rw----. 1 test1 test1  12582912 Jul 27 10:07 ibtmp1
   -rw-r--r--. 1 test1 test1        14 Jul 26 10:11 mariadb_upgrade_info
   -rw-rw----. 1 test1 test1         0 Jul 26 10:11 multi-master.info
   drwx------. 2 test1 test1      4096 Jul 26 10:11 mysql
   drwx------. 2 test1 test1        20 Jul 26 10:11 performance_schema
   drwx------. 2 test1 test1      8192 Jul 26 10:11 sys
   -rw-rw----. 1 test1 test1  10485760 Jul 26 16:36 undo001
   -rw-rw----. 1 test1 test1  10485760 Jul 26 16:36 undo002
   -rw-rw----. 1 test1 test1  10485760 Jul 26 16:36 undo003
   

test2

I tried replacing

   UserNS=keep-id:uid=999,gid=999

with

   UserNS=keep-id:uid=998,gid=998

That also worked. The mariadb data files then had a ownership of one of the subuids and subgids.

test 3

I tried skipping this step

6. podman unshare /bin/true

It then fails