I'd posted in a thread with @mheon  asking if there was a convention that the podman (or systemd) community would recommend for accessing user accounts that are "daemonized" (e.g. `loginctl enable-linger <user>`). The state of the user for deployment is something like: ``` $ mkdir /containers $ semanage fcontext -a -e /home /containers $ restorecon -vR /containers $ groupadd -g 2000 hedgedoc $ useradd -g 2000 -u 2000 -d /containers/hedgedoc -s /sbin/nologin hedgedoc $ usermod --add-subuids 200000000-200065535 --add-subgids 200000000- 200065535 hedgedoc $ loginctl enable-linger hedgedoc ``` There is a more opinionated longer write up here . Something that I've not been doing is setting a shell and providing access to the user via ssh. This may be weird, but one of the thinks was that by not having a shell, running rootless-as-non-root, the application is pretty isolated. From what we can gather there are a couple options: ## runuser Seems like the most reasonable option, as root or sudo you: $ runuser -ls /bin/bash hedgedoc This will log you in, set the shell to bash, and set your working directory to the users home directory. You can then use the shell to interact with the user slice, invoke podman, invoke podman generate, and daemonize pods/containers. ## su $ su -s /bin/bash hedgedoc This will log you in, set the shell to bash. However doesn't change home directory. Works similar to above, but seems like runuser has more niceness to the experience. ## machinectl This is a bit more weird, but potentially is what systemd _wants_ people to do: $ systemctl --user --machine=hedgedoc@.host <things> This would allow you to interact with user units, you could drop them in place with ansible/pyinfra and then use this `--machine` invocation to examine the state of the unit. - Is this something the podman folks are thinking about, mheon seems to reference it but it was very hard to figure out how to actually invoke. - Is there a way to obtian a shell with this method? Was generally curious to see if anyone would offer opinions on how they are using user slice deployments. I've been watching quadlet  with interest as well.
I would think the machinectl one is the correct way to handle this since it will setup the account in the
same way as if hedgedoc account was logged into via ssh or
: https://github.com/containers/podman/issues/5858#issuecomment-994201667 : https://homelab.dunn.dev/docs/server/containers/ : https://github.com/containers/quadlet
_______________________________________________ Podman mailing list -- firstname.lastname@example.org To unsubscribe send an email to email@example.com