Unverified Commit b61927e5 authored by Maximilian Bosch's avatar Maximilian Bosch

nixos/podman: fix starting unprivileged containers with sdnotify=conmon

Closes #410857

Back when I researched the correct combinations of settings, containers
would hang indefinitely with `--sdnotify=conmon` when using lingering
and Delegate=yes.

Apparently, this has changed, and this is now needed to get these containers
to start.
parent 52a3852d
+4 −8
@@ -542,7 +542,7 @@ let
        Environment = "PODMAN_SYSTEMD_UNIT=%n";
        Type = "notify";
        NotifyAccess = "all";
        Delegate = mkIf (container.podman.sdnotify == "healthy") true;
        Delegate = true;
        User = effectiveUser;
        RuntimeDirectory = escapedName;
      };
@@ -630,13 +630,9 @@ in
              inherit (config.users.users.${podman.user}) linger;
            in
            warnings
            ++ lib.optional (podman.user != "root" && linger && podman.sdnotify == "conmon") ''
              Podman container ${name} is configured as rootless (user ${podman.user})
              with `--sdnotify=conmon`, but lingering for this user is turned on.
            ''
            ++ lib.optional (podman.user != "root" && !linger && podman.sdnotify == "healthy") ''
              Podman container ${name} is configured as rootless (user ${podman.user})
              with `--sdnotify=healthy`, but lingering for this user is turned off.
            ++ lib.optional (podman.user != "root" && !linger) ''
              Podman container ${name} is configured as rootless (user ${podman.user}),
              but lingering for this user is turned off.
            ''
          ) [ ] cfg.containers
        );
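Review bot: The now-unconditional `Delegate = true;` in the first hunk carries no comment, although the commit description says the earlier restriction to `sdnotify == "healthy"` came from research that no longer holds. Together with `User = effectiveUser;` on the next line, this hands control of the unit's cgroup subtree to the container user for every container, which is what a container manager normally needs but should be stated where the next reader will look. I would add above the line something like `# Always delegate the cgroup subtree: rootless containers with --sdnotify=conmon do not start without it (#410857).` The attribute set this line belongs to opens outside the hunk, so whether other settings there interact with delegation cannot be checked from here.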
+1 −1
@@ -84,7 +84,7 @@ let
              isSystemUser = true;
              group = "redis";
              home = "/var/lib/redis";
              linger = type == "healthy";
              linger = true;
              createHome = true;
              uid = 2342;
              subUidRanges = [