I have been trying to get podman to work with systemd.

I have a pod with 4 containers inside, along with the pause container, and I have generated systemd unit files using the command 'podman generate systemd --files'.
If I place the generated files into the /etc/systemd/user/ directory, then they run as expected, using the 'systemctl --user enable --now' command.

If I place them into the /etc/systemd/system directory they do not run. This is as I expected, since the files are all in the standard user's home directory, as are the volume mounts.

However, although I want them to run in the context of a standard user, I am concerned that if some hacker breaks out into my system then, because the command to stop and start systemd user unit files will be available to them, they can stop the running pod as a standard user, and my server and django site will be down. It's as simple as 'systemctl --user stop pod-xxx.service'.

I discussed the issue briefly with velix on the IRC podman chat; he suggested I use system groups. However, no matter how I configure my pod and container unit files, and whether or not I use 'loginctl enable-linger', I cannot get the pod to start.

I have read that it is possible to start podman containers having placed the unit files inside the /etc/systemd/system directory, which would mean that any command to stop the pod would be followed by systemd bringing them back up, and the systemctl command to manipulate the pod wouldn't be available to the standard user.

So, what is the most secure way of starting the containers, in such a way, if possible, that should some influence gain unprivileged access, they cannot stop the pod?


James Stewart Miller Bsc(hons) Psych.
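A system-scope unit of the kind the post is asking about, written here as an added example (it is not from the original post, nor from podman's own generated output or documentation). The service account name webapp, its UID 1001, the pod name pod-myapp and the unit path are assumptions; the pod itself is assumed to already exist in webapp's rootless container storage.

```ini
# /etc/systemd/system/pod-myapp.service   (assumed path and pod name)
#
# A system-scope unit that runs the rootless pod as the unprivileged
# service account. Because the unit lives in the system scope, an
# unprivileged user running 'systemctl stop pod-myapp.service' is refused
# by polkit (only root, or an admin it authorises, can stop it), and
# 'systemctl --user' does not see the unit at all.
[Unit]
Description=Rootless podman pod pod-myapp, running as user webapp
Wants=network-online.target
After=network-online.target

[Service]
# 'podman pod start' returns once the pod is up, so track the unit as a
# oneshot that stays active until ExecStop runs.
Type=oneshot
RemainAfterExit=yes
# Drop to the unprivileged account before podman starts. systemd sets HOME
# for the User= account, which rootless podman needs to find its storage.
User=webapp
Group=webapp
# Rootless podman keeps its runtime state under the user's runtime dir.
# 'loginctl enable-linger webapp' makes systemd create /run/user/1001 at
# boot without an interactive login (1001 is the assumed UID of webapp).
Environment=XDG_RUNTIME_DIR=/run/user/1001
ExecStart=/usr/bin/podman pod start pod-myapp
ExecStop=/usr/bin/podman pod stop -t 10 pod-myapp
TimeoutStopSec=70

[Install]
WantedBy=multi-user.target
```

Installed as root with `loginctl enable-linger webapp`, `systemctl daemon-reload` and `systemctl enable --now pod-myapp.service`; the check that matters is then to log in as webapp and confirm that `systemctl stop pod-myapp.service` is refused. Two caveats. Restart= is left out because a Type=oneshot unit does not accept Restart=always, and in any scope Restart= never re-launches a unit after a deliberate `systemctl stop`; the protection comes from the change of scope, not from automatic restarts. And because the pod's processes still belong to webapp, a compromised webapp account can still stop them directly (`podman pod stop`, or plain `kill`); moving the unit to system scope closes the systemctl route only, so the pod should run as an account separate from the one used for day-to-day or web-facing work.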