Convert Podman Quadlet deployment from rootful to rootless

Enables Foreman deployment using rootless Podman containers, improving
security by eliminating root privileges for container operations while
maintaining full functionality of the Foreman/Katello stack.

What this achieves:

- Rootless deployment: All containers run without root privileges
- Single service user: Entire stack (foreman, candlepin, postgresql, redis,
  pulp) runs under dedicated foremanctl user
- Migration support: Automated playbook converts existing rootful deployments
- Namespace isolation: Container volumes properly mapped to user namespaces
- Port access: Unprivileged ports configured for HTTP/HTTPS access

New capabilities:

- Fresh deployments use rootless mode by default
- Existing rootful deployments can migrate with automated playbook
- All certificates, data, and configuration preserved during migration
- User lingering enabled for service persistence across reboots

This change modernizes the deployment model to follow container security
best practices while maintaining backward compatibility through the migration
playbook.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: pablomh

development/playbooks/deploy-dev/deploy-dev.yaml

@@ -1,4 +1,14 @@
 ---
+- name: Setup rootless user environment
+  hosts: "{{ target_host if target_host is defined and target_host != '' else 'quadlet' }}"
+  become: true
+  roles:
+    - role: ../../../src/roles/rootless_user
+  tasks:
+    - name: Map rootless_user_xdg_runtime_dir to foremanctl namespace
+      ansible.builtin.set_fact:
+        foremanctl_xdg_runtime_dir: "{{ rootless_user_xdg_runtime_dir }}"
+
 - name: Deploy Foreman Development Environment
   hosts: "{{ target_host if target_host is defined and target_host != '' else 'quadlet' }}"
   become: true

development/playbooks/remote-database/remote-database.yaml

@@ -1,10 +1,22 @@
 ---
+- name: Setup rootless user environment
+  hosts:
+    - database
+  become: true
+  roles:
+    - role: ../../../src/roles/rootless_user
+  tasks:
+    - name: Map rootless_user_xdg_runtime_dir to foremanctl namespace
+      ansible.builtin.set_fact:
+        foremanctl_xdg_runtime_dir: "{{ rootless_user_xdg_runtime_dir }}"
+
 - name: Setup remote database
   hosts:
     - database
   become: true
   vars_files:
     - "../../../src/vars/database.yml"
+    - "../../../src/vars/base.yaml"
   roles:
     - role: pre_install
     - role: postgresql

docs/certificates.md

@@ -42,15 +42,23 @@ foremanctl deploy --certificate-source=installer
 After deployment, certificates are available at:
 
 **Default Source:**
-- CA Certificate: `/root/certificates/certs/ca.crt`
-- Server Certificate: `/root/certificates/certs/<hostname>.crt`
-- Client Certificate: `/root/certificates/certs/<hostname>-client.crt`
+- CA Certificate: `/var/lib/foremanctl/certificates/certs/ca.crt`
+- Server Certificate: `/var/lib/foremanctl/certificates/certs/<hostname>.crt`
+- Client Certificate: `/var/lib/foremanctl/certificates/certs/<hostname>-client.crt`
 
 **Installer Source:**
 - CA Certificate: `/root/ssl-build/katello-default-ca.crt`
 - Server Certificate: `/root/ssl-build/<hostname>/<hostname>-apache.crt`
 - Client Certificate: `/root/ssl-build/<hostname>/<hostname>-foreman-client.crt`
 
+**Note for Rootless Deployments:**
+- Default certificates are owned by `foremanctl:foremanctl` user and group
+- Installer certificates remain in `/root/ssl-build/` but must be readable by foremanctl user:
+  ```bash
+  chgrp -R foremanctl /root/ssl-build
+  chmod -R g+rX /root/ssl-build
+  ```
+
 ### Current Limitations
 
 - Only supports single hostname (no multiple DNS names)
@@ -99,16 +107,18 @@ Certificate paths are defined in source-specific variable files:
 
 **Default Source (`src/vars/default_certificates.yml`):**
 ```yaml
+certificates_ca_directory: /var/lib/foremanctl/certificates
 ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
 server_certificate: "{{ certificates_ca_directory }}/certs/{{ ansible_facts['fqdn'] }}.crt"
 client_certificate: "{{ certificates_ca_directory }}/certs/{{ ansible_facts['fqdn'] }}-client.crt"
 ```
 
 **Installer Source (`src/vars/installer_certificates.yml`):**
 ```yaml
-ca_certificate: "/root/ssl-build/katello-default-ca.crt"
-server_certificate: "/root/ssl-build/{{ ansible_facts['fqdn'] }}/{{ ansible_facts['fqdn'] }}-apache.crt"
-client_certificate: "/root/ssl-build/{{ ansible_facts['fqdn'] }}/{{ ansible_facts['fqdn'] }}-foreman-client.crt"
+certificates_ca_directory: /root/ssl-build
+ca_certificate: "{{ certificates_ca_directory }}/katello-default-ca.crt"
+server_certificate: "{{ certificates_ca_directory }}/{{ ansible_facts['fqdn'] }}/{{ ansible_facts['fqdn'] }}-apache.crt"
+client_certificate: "{{ certificates_ca_directory }}/{{ ansible_facts['fqdn'] }}/{{ ansible_facts['fqdn'] }}-foreman-client.crt"
 ```
 
 #### Integration with Deployment
@@ -138,12 +148,14 @@ The `certificate_checks` role uses `foreman-certificate-check` binary to validat
 
 **Directory Structure:**
 ```
-/root/certificates/
+/var/lib/foremanctl/certificates/
 ├── certs/           # Public certificates
 ├── private/         # Private keys and passwords
 └── requests/        # Certificate signing requests
 ```
 
+All certificate files and directories are owned by `foremanctl:foremanctl` to support rootless Podman deployments.
+
 **OpenSSL Configuration:**
 - Custom configuration template supports SAN extensions
 - Single DNS entry per certificate: `subjectAltName = DNS:{{ certificates_hostname }}`

src/playbooks/deploy/deploy.yaml

@@ -1,5 +1,16 @@
 ---
-- name: Setup quadlet demo machine
+- name: Setup rootless user environment
+  hosts:
+    - quadlet
+  become: true
+  roles:
+    - role: rootless_user
+  tasks:
+    - name: Map rootless_user_xdg_runtime_dir to foremanctl namespace
+      ansible.builtin.set_fact:
+        foremanctl_xdg_runtime_dir: "{{ rootless_user_xdg_runtime_dir }}"
+
+- name: Deploy Foreman services
   hosts:
     - quadlet
   become: true