Search code examples
linuxpodmansystemctl

Creating a miminal podman system service


I'm trying to create a minimal podman system service (on Rocky Linux 9.4).

What I did

This is my service unit (/etc/systemd/system/echo.service):

[Unit]
Description=Test Echo service
After=network.target

[Service]
User=<local user>
ExecStart=/usr/bin/podman run -t --name echo-podman alpine:latest sh -c "while true; do echo 'Hello, World!'; sleep 1; done"
ExecStop=/usr/bin/podman stop echo-podman -t 10
ExecStopPost=/usr/bin/podman rm -f echo-podman
TimeoutStartSec=0
Restart=on-failure
StartLimitBurst=3
RestartSec=10s

[Install]
WantedBy=multi-user.target

I've started the service with

sudo systemctl enable echo
sudo systemctl start echo

The problem

  1. Apparantly the service runs fine, but no output is captured by journald.
  2. Restarting the service takes some 10 seconds. It seems that podman stop will not interrupt the loop.
sudo journalctl -u echo -f
Sep 03 09:50:56 <host> systemd[1]: Started Test Echo service.
<Output missing here>
Sep 03 09:51:31 <host> systemd[1]: Stopping Test Echo service...
Sep 03 09:51:41 <host> systemd[1]: echo.service: Main process exited, code=exited, status=143/n/a
Sep 03 09:51:41 <host> systemd[1]: echo.service: Failed with result 'exit-code'.
Sep 03 09:51:41 <host> systemd[1]: Stopped Test Echo service.

How can I resolve this? I can fix the output issue by removing User=<local user>, but I don't want to run the service as a privileged user.


Solution

  • User= will cause systemd to run podman as that user and subsequently not show the logs in that unit as its output is not attached. You can still see logs from podman as user podman logs podman-echo or via the user journal journalctl --user.

    If running jobs as non-root it's probably better run it as a proper user unit:

    • Remove the User keyword
    • Put the unit in /etc/systemd/user or $HOME/.config/systemd/user
    • Start and enable with systemctl --user enable --now echo (as <user>).
    • Turn on lingering (sudo loginctl enable-linger <user>) to keep jobs running when <user> logs out.

    The stopping issue is expected. podman stop sends SIGTERM and waits for timeout (default 10 sec) and proceeds to send SIGKILL.
    There are a few solutions:

    • You can build a command that catches the TERM signal which ash doesn't do in this case.
      You can accomplish this by setting a trap on TERM that then exits but it's a bit much for a oneliner.
    • Remove podmans timeout ExecStop=/usr/bin/podman stop echo-podman -t 0
    • Set --stop-signal=SIGKILL on ExecStart
    • Use an init system in the container to pass signals podman run --init ...

    You can also check out the quadlet syntax and put a container unit-file in $HOME/.config/containers/systemd.

    Most of the stuff you're trying to do the podman systemd generator already does. It's built into podman man podman-generate-systemd but deprecated in favor of quadlets.