On 12/20/21 22:08, Andrew G. Dunn wrote:
I'd posted in a thread with @mheon [0] asking if there was a convention
that the podman (or systemd) community would recommend for accessing
user accounts that are "daemonized" (e.g. `loginctl enable-linger
<user>`). 

The state of the user for deployment is something like:

```
$ mkdir /containers

$ semanage fcontext -a -e /home /containers

$ restorecon -vR /containers

$ groupadd -g 2000 hedgedoc

$ useradd -g 2000 -u 2000 -d /containers/hedgedoc -s /sbin/nologin hedgedoc

$ usermod --add-subuids 200000000-200065535 --add-subgids 200000000-200065535 hedgedoc

$ loginctl enable-linger hedgedoc
```

There is a more opinionated longer write up here [1]. Something that
I've not been doing is setting a shell and providing access to the user
via ssh. This may be weird, but one of the thoughts was that by not
having a shell, running rootless-as-non-root, the application is pretty
isolated.


From what we can gather there are a couple options:

## runuser

Seems like the most reasonable option, as root or sudo you:

```
$ runuser -ls /bin/bash hedgedoc
```

This will log you in, set the shell to bash, and set your working
directory to the users home directory. You can then use the shell to
interact with the user slice, invoke podman, invoke podman generate,
and daemonize pods/containers.

## su

```
$ su -s /bin/bash hedgedoc
```

This will log you in and set the shell to bash. However, it doesn't
change the home directory. It works similarly to the above, but runuser
seems to have more niceness to the experience.

## machinectl

This is a bit more weird, but potentially is what systemd _wants_
people to do:

```
$ systemctl --user --machine=hedgedoc@.host <things>
```

This would allow you to interact with user units, you could drop them
in place with ansible/pyinfra and then use this `--machine` invocation
to examine the state of the unit.

 - Is this something the podman folks are thinking about? mheon seems
to reference it, but it was very hard to figure out how to actually
invoke it.

 - Is there a way to obtain a shell with this method?

Was generally curious to see if anyone would offer opinions on how they
are using user slice deployments. I've been watching quadlet [2] with
interest as well.

I would think the machinectl one is the correct way to handle this since
it will set up the account in the same way as if the hedgedoc account was
logged into via ssh or /bin/login.

[0]: https://github.com/containers/podman/issues/5858#issuecomment-994201667
[1]: https://homelab.dunn.dev/docs/server/containers/
[2]: https://github.com/containers/quadlet
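The deployment above relies on three properties of the service account holding together: no interactive shell, linger enabled so the user manager survives without a login session, and a subordinate UID/GID range that is large enough and not shared with any other account (a shared range means two users' containers map to the same host IDs, which undoes the isolation the post is after). The script below is an added example, not code from the thread or from podman; it audits those properties. The `ETC_ROOT` variable, the `make_fixture` helper and all sample account data are assumptions constructed for the example so it can run without root against a throwaway directory; on a real host it reads the live `/etc/passwd`, `/etc/subuid`, `/etc/subgid` and `/var/lib/systemd/linger`.

```shell
#!/usr/bin/env bash
# Added example (not from the mailing list thread): audit a lingering,
# shell-less service account for rootless podman. ETC_ROOT is an assumed
# prefix so the checks can be pointed at a constructed fixture tree.
set -u

ETC_ROOT="${ETC_ROOT:-}"

# Print "start count" for user $1 from subuid/subgid file $2; fail if absent.
sub_range() {
  awk -F: -v u="$1" '$1 == u { print $2, $3; found = 1 } END { exit !found }' "$2"
}

# Succeed only if no other user's range in $3 intersects [$1, $1 + $2).
range_is_disjoint() {
  awk -F: -v s="$1" -v c="$2" -v u="$4" '
    $1 != u {
      os = $2 + 0; oe = $2 + $3
      if (os < s + c && (s + 0) < oe) { print "  shares ids with " $1; bad = 1 }
    }
    END { exit bad }' "$3"
}

# audit_service_account USER: print findings, return 0 when every check passes.
audit_service_account() {
  local user="$1" ok=0 shell f r
  local passwd="$ETC_ROOT/etc/passwd"
  local subuid="$ETC_ROOT/etc/subuid" subgid="$ETC_ROOT/etc/subgid"
  local linger="$ETC_ROOT/var/lib/systemd/linger/$user"

  # 1. An account that only runs containers should not have a login shell.
  shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
  case "$shell" in
    /sbin/nologin|/usr/sbin/nologin|/bin/false) ;;
    *) echo "FAIL: $user has interactive shell '$shell'"; ok=1 ;;
  esac

  # 2. Without linger the user manager (and the pods it owns) stop at logout.
  [ -e "$linger" ] || { echo "FAIL: linger not enabled for $user"; ok=1; }

  # 3. Subordinate ids: present, at least 65536 wide, and exclusively owned.
  for f in "$subuid" "$subgid"; do
    if ! r=$(sub_range "$user" "$f"); then
      echo "FAIL: no range for $user in $f"; ok=1; continue
    fi
    set -- $r   # $1 = start, $2 = count
    [ "$2" -ge 65536 ] || { echo "FAIL: range in $f is only $2 ids"; ok=1; }
    range_is_disjoint "$1" "$2" "$f" "$user" || { echo "FAIL: range in $f is shared"; ok=1; }
  done
  return $ok
}

# Constructed fixture (sample data, not a real host): hedgedoc is set up as in
# the post; web has a shell, no linger and a range overlapping app's.
make_fixture() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/etc" "$root/var/lib/systemd/linger"
  cat > "$root/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
hedgedoc:x:2000:2000::/containers/hedgedoc:/sbin/nologin
app:x:2001:2001::/containers/app:/sbin/nologin
web:x:2002:2002::/containers/web:/bin/bash
EOF
  cat > "$root/etc/subuid" <<'EOF'
hedgedoc:200000000:65536
app:200100000:65536
web:200120000:65536
EOF
  cp "$root/etc/subuid" "$root/etc/subgid"
  : > "$root/var/lib/systemd/linger/hedgedoc"
  : > "$root/var/lib/systemd/linger/app"
  echo "$root"
}

# Usage on a real host (as root): ./audit.sh hedgedoc
if [ $# -gt 0 ]; then audit_service_account "$1"; fi
```

The overlap check is the one worth keeping even if the rest is dropped: `usermod --add-subuids` does not refuse a range that another user already holds, so two accounts created by hand with copy-pasted ranges will silently share host UIDs inside their containers.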

_______________________________________________
Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io