Run an unpriviledged container within systemd

[Manozco]

Issue Description

Hi everyone!

I'm trying to setup a systemd.socket service listening on a privileged port (80) that will trigger a podman container serving this port.
I'd like the podman container to be run as a standard user.

However specifying the User in the [Service] key of the .container file does not work for systemd.

I'll show first two files that do exactly what I want (except the service is run directly and not in podman):

# /etc/systemd/system/caddy-bin.socket
[Unit]
Description=Caddy HTTP socket

[Socket]
SocketUser=manu
ListenStream=0.0.0.0:80
BindIPv6Only=both

[Install]
WantedBy=sockets.target

and

# /etc/systemd/system/caddy-bin.service 
[Unit]
Description=Caddy Web Server
Documentation=https://caddyserver.com/docs/
Requires=caddy-bin.socket
After=caddy-bin.socket

[Service]
User=manu
ExecStart=/home/manu/devel/new_server/bin/caddy-290b3 run --config /home/manu/devel/new_server/etc/Caddyfile
Restart=on-failure

[Install]
WantedBy=multi-user.target

(If you want to try this you likely need to change the User and the paths to the binary / config files)
(Also for this use case, we need Caddy in version >= 2.9.0-beta3 otherwise there is no support of binding to a file descriptor)

The Caddyfile (It is the same for all the tests in this issue):

{
    auto_https disable_redirects
    admin off
}

http://example.com {
    bind fd/3 {
       protocols h1
    }
    log
    respond "one-bin"
}

You can perform a request by doing curl http://localhost:80 -H 'Host: example.com'
If you run ps aux | grep caddy you'll see that the caddy binary is not ran by root.

What I'm trying to achieve now is to do the same thing for the socket but for the service, use a .container file (located in /etc/containers/systemd/caddy.container) to trigger a podman run of caddy and still being rootless.
Here are the files I'm using for this:

• The Socket file:

# /etc/systemd/system/caddy.socket
[Unit]
Description=Caddy HTTP socket

[Socket]
SocketUser=manu
ListenStream=0.0.0.0:81
BindIPv6Only=both

[Install]
WantedBy=sockets.target

• The container file

/etc/containers/systemd/caddy.container 
[Unit]
Description=Caddy Web Server on Podman
Documentation=https://caddyserver.com/docs/
Requires=caddy.socket
After=caddy.socket

[Service]
User=manu

[Container]
Exec=/usr/bin/caddy run --config /etc/caddy/Caddyfile
Image=docker.io/library/caddy:2.9.0-beta.3
Notify=true
Volume=/home/manu/devel/new_server/etc/Caddyfile:/etc/caddy/Caddyfile:Z

[Install]
WantedBy=multi-user.target

And now when I'm doing curl http://localhost:81 -H 'Host: example.com' I have a permission issue in the caddy.service logs that basically says that caddy is running as the manu inside the container and thus it can't create some files.

So my questions are:

• Is my use case supported ?
• If yes, what am I doing wrong ?

P.S: i'm aware of different ways of lowering privileges for binding on 80 (capabilities, changing the lowest port number for unprivileged users, ..) but I'd like not to use those.

Steps to reproduce the issue

See the description at the beginning

Describe the results you received

See the description at the beginning

Describe the results you expected

See the description at the beginning

podman info output

I'm running podman 4.9.3 on Ubuntu 24.04 LTS

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

No

Additional environment details

Additional environment details

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting

[Luap99]

No we recommend using proper systemd user services that are part of the user session. Using User= will not create the proper systemd user sessions and runs in a different environment.

#20573

[eriksjolund]

I tried out running caddy as systemd system service (with systemd directive User=) as an experiment. A quick test worked. For the caddy container I used a service unit instead of a container unit. The caddy container was configured to be an HTTP reverse proxy. Caddy could then proxy requests to a normal systemd user service (whoami) in a custom network.

graph TB

    a1[curl] -.->a2[caddy container reverse proxy]
    a2 -->|"for http://whoami.example.com:80"| a3["whoami container"]

Loading

Files

/etc/systemd/system/caddy.service

[Unit]
Wants=network-online.target
After=network-online.target
[email protected]
[email protected]
RequiresMountsFor=/run/user/1013/containers

[Service]
Delegate=yes
Environment=PODMAN_SYSTEMD_UNIT=%n
ExecStart=/usr/bin/podman run \
     --cidfile=/run/user/1013/%N.cid \
     --cgroups=split \
     --rm \
      --network mynet \
     --replace \
     --name systemd-%N \
     --sdnotify=conmon \
     --volume /home/caddytest1/Caddyfile:/etc/caddy/Caddyfile:Z \
     docker.io/library/caddy:2.9.0-beta.3 /usr/bin/caddy run --config /etc/caddy/Caddyfile
ExecStop=/usr/bin/podman rm -f -i --cidfile=/run/user/1013/%N.cid
ExecStopPost=-/usr/bin/podman rm -f -i --cidfile=/run/user/1013/%N.cid
KillMode=mixed
NotifyAccess=all
PAMName=login
SyslogIdentifier=%N
Type=notify
User=caddytest1

[Install]
WantedBy=multi-user.target

/etc/systemd/system/caddy.socket

[Socket]
ListenStream=0.0.0.0:80

[Install]
WantedBy=sockets.target

/home/caddytest1/.config/containers/systemd/whoami.container

[Container]
ContainerName=whoami.example.com
Image=docker.io/traefik/whoami
Network=mynet.network

/home/caddytest1/.config/containers/systemd/mynet.network

[Network]
NetworkName=mynet

/home/caddytest1/Caddyfile

{
	auto_https disable_redirects
	admin off
}

http://whoami.example.com {
	bind fd/3 {
		protocols h1
	}
	log
	reverse_proxy whoami.example.com:80
}

Test it out

First enable linger for the user caddytest1
Then start the systemd user service whoami.service

Then start the systemd system socket unit caddy.socket

Then download the URL http://whoami.example.com:80 from the caddy container and see that the request is proxied to the container whoami.example.com. Resolve whoami.example.com to 127.0.0.1.

 curl -s --resolve whoami.example.com:80:127.0.0.1 http://whoami.example.com:80

The following output is printed

Hostname: afa147c15f96
IP: 127.0.0.1
IP: ::1
IP: 10.89.1.2
IP: fe80::bcf1:6eff:fef8:db83
RemoteAddr: 10.89.1.4:39702
GET / HTTP/1.1
Host: whoami.example.com
User-Agent: curl/8.10.1
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: whoami.example.com
X-Forwarded-Proto: http

result: The request was proxied by caddy to whoami. It worked.

I also tried sudo systemctl stop caddy.service
The command succeeded.
The running caddy server process was stopped.

About the system:

$ rpm -q systemd
systemd-256.7-1.fc42.aarch64
$ rpm -q podman
podman-5.3.0~rc1-1.fc42.aarch64
$ id caddytest1
uid=1013(caddytest1) gid=1013(caddytest1) groups=1013(caddytest1)
$ cat /proc/sys/net/ipv4/ip_unprivileged_port_start
1024

Side note

I'll probably add this as an example (with status experimental) to
https://github.com/eriksjolund/podman-caddy-socket-activation

[Manozco]

Ok thanks for all the reply.
I'll have a detailed look at the solution proposed by @eriksjolund :)

@Luap99 : I did not want to use the systemd user services because they don't allow me to bind on a port < 1024 by default

[eriksjolund]

There is also another alternative solution that uses nsenter
eriksjolund/podman-caddy-socket-activation#22
(I did some small last minute changes to that PR so I'm not 100% sure that it works in its current state)

[eriksjolund]

A tip, in #24690 (comment) you wrote

[Socket]
SocketUser=manu
ListenStream=0.0.0.0:81
BindIPv6Only=both

The line

SocketUser=manu

has no effect here because you specify a TCP socket (ListenStream=0.0.0.0:81)
For details, see
https://www.freedesktop.org/software/systemd/man/latest/systemd.socket.html#SocketUser=