Documentation clarification for RHEL and support of "su" for rootless pods #11063

Closed
MrPippin66 opened this issue Jul 27, 2021 · 7 comments

@MrPippin66

My apologies, but I'm battling RH support.

Can you say if this statement from Red Hat is wrong in saying that using "su" to access an account to run rootless pods is not supported?

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/building_running_and_managing_containers/index#proc_setting-up-rootless-containers_assembly_starting-with-containers

--

1.4. Setting up rootless containers

  1. Connect to the user:

NOTE
Do not use su or su - commands because these commands do not set the correct environment variables. Use your Red Hat Customer Portal credentials.

--

Thanks

@rhatdan
Member

rhatdan commented Jul 27, 2021

The issue is Podman expects the user environment to be fully set up. We have had lots of issues when XDG_RUNTIME_DIR and DBUS_SESSION_BUS_ADDRESS environment variables are not set correctly.

sudo -l
su -l

Should work better.

@MrPippin66
Author

Actually, that didn't work in my case, but not for reasons owned by podman.

Still working this, but it appears to be caused by an issue introduced in pam_systemd that was reverted to fix it. I'm thinking RHEL hasn't included this yet.

systemd/systemd#11327

Comment for this addition in the code:

/* We need to export $DBUS_SESSION_BUS_ADDRESS because various applications will not connect
 * correctly to the bus without it. This setting matches what dbus.socket does for the user
 * session using 'systemctl --user set-environment'. We want to have the same configuration
 * in processes started from the PAM session.
 *
 * The setting of the address is guarded by the access() check because it is also possible to compile
 * dbus without --enable-user-session, in which case this socket is not used, and
 * $DBUS_SESSION_BUS_ADDRESS should not be set. An alternative approach would to not do the access()
 * check here, and let applications try on their own, by using "unix:path=%s/bus;autolaunch:". But we
 * expect the socket to be present by the time we do this check, so we can just as well check once
 * here. */

But it does raise the question as to whether "DBUS_SESSION_BUS_ADDRESS" is a deprecated interface.

I.e., should podman be using a different method to access the DBUS functions?
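
Added example, not part of the original thread and not Podman or systemd code: a shell check for the session environment discussed in the comments above. It verifies that XDG_RUNTIME_DIR is set and owned by the calling user, and that DBUS_SESSION_BUS_ADDRESS names a bus path that exists, mirroring the existence guard described in the quoted pam_systemd comment. The function names and return codes are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example; function names and return codes are constructed for illustration.
# check_session_env RUNTIME_DIR BUS_ADDR
#   0 ok                       1 XDG_RUNTIME_DIR unset
#   2 runtime dir missing      3 runtime dir owned by another user
#   4 bus address unset        5 not a unix:path= address
#   6 bus path does not exist
check_session_env() {
    runtime_dir=$1
    bus_addr=$2
    [ -n "$runtime_dir" ] || return 1
    [ -d "$runtime_dir" ] || return 2
    # A non-login su can leave the variable inherited from the previous user;
    # -O is true only when the directory is owned by the effective UID.
    [ -O "$runtime_dir" ] || return 3
    [ -n "$bus_addr" ] || return 4
    case $bus_addr in
        unix:path=*) ;;
        *) return 5 ;;
    esac
    # Keep only the path: drop the prefix and any ",key=value" or ";fallback" tail.
    bus_path=${bus_addr#unix:path=}
    bus_path=${bus_path%%[,;]*}
    # Existence test only, like the access() guard in the quoted comment.
    [ -e "$bus_path" ] || return 6
    return 0
}

describe_rc() {
    case $1 in
        0) echo "ok" ;;
        1) echo "XDG_RUNTIME_DIR is not set" ;;
        2) echo "XDG_RUNTIME_DIR is not a directory" ;;
        3) echo "XDG_RUNTIME_DIR is owned by another user" ;;
        4) echo "DBUS_SESSION_BUS_ADDRESS is not set" ;;
        5) echo "DBUS_SESSION_BUS_ADDRESS is not a unix:path= address" ;;
        6) echo "D-Bus socket path does not exist" ;;
        *) echo "unknown result $1" ;;
    esac
}

# Check the current shell's environment (never exits non-zero itself).
rc=0
check_session_env "${XDG_RUNTIME_DIR:-}" "${DBUS_SESSION_BUS_ADDRESS:-}" || rc=$?
echo "rootless session environment: $(describe_rc "$rc")"
```

Running it once in a login session and once after switching users shows which of the two variables the switch left unset or stale.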

@eriksjolund
Contributor

sudo -l
su -l

@rhatdan Maybe a typo? Maybe sudo -i instead?

$ man su | grep -- --login | grep -- -l,
       -, -l, --login
$ man sudo | grep -- --login
     -i, --login
$ cat /etc/fedora-release 
Fedora release 34 (Thirty Four)
$

@rhatdan
Member

rhatdan commented Aug 1, 2021

Yup, sorry.

@github-actions

github-actions bot commented Sep 1, 2021

A friendly reminder that this issue had no activity for 30 days.

@rhatdan
Member

rhatdan commented Sep 1, 2021

@mheon since you have started on documenting this.

@flouthoc
Collaborator

Justification and a possible debugging strategy were added for such cases recently to the troubleshooting page via #11327.

Also a detailed post by @mheon should be coming out soon.

Closing this. Please feel free to reopen if you think things are not justified in the above PR.

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023