
Quadlet: EnvironmentFile paths starting with systemd specifiers are not recognized as absolute #17906

Closed
xduugu opened this issue Mar 23, 2023 · 6 comments · Fixed by #17930
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. quadlet

Comments

@xduugu
Contributor

xduugu commented Mar 23, 2023

Issue Description

When a systemd specifier like %h is used in the path for EnvironmentFile, it is not recognized as an absolute path and the .container file location (e.g. /var/home/podman/.config/containers/systemd) is prepended. For the Volume key, it works fine, at least in 4.4.1, but maybe it is also broken now because of commit 5382997.

Steps to reproduce the issue

  1. Create a .container file with content

     [Container]
     Image=localhost/imagename
     EnvironmentFile=%h/env

  2. Generate the systemd service file using systemctl --user daemon-reload
  3. Check the generated service file in $XDG_RUNTIME_DIR/systemd/generator/

Describe the results you received

The EnvironmentFile line is translated into the podman container run argument --env-file /var/home/podman/.config/containers/systemd/%h/env.

Describe the results you expected

The EnvironmentFile path should be adopted unmodified. The correct command-line argument is:

--env-file %h/env.

There are several systemd specifiers for different paths. Either all paths starting with %[a-zA-Z] should be assumed to be absolute or it can be specifically checked for the path specifiers:

  • %C
  • %d
  • %E
  • %h
  • %L
  • %S
  • %t
  • %T
  • %V
  • %Y

podman info output

host:
  arch: arm64
  buildahVersion: 1.29.0
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.6-3.fc37.aarch64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.6, commit: '
  cpuUtilization:
    idlePercent: 99.6
    systemPercent: 0.15
    userPercent: 0.25
  cpus: 4
  distribution:
    distribution: fedora
    variant: coreos
    version: "37"
  eventLogger: file
  hostname: localhost.localdomain
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 589824
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 589824
      size: 65536
  kernel: 6.1.14-200.fc37.aarch64
  linkmode: dynamic
  logDriver: none
  memFree: 6986575872
  memTotal: 8206692352
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.8.1-1.fc37.aarch64
    path: /usr/bin/crun
    version: |-
      crun version 1.8.1
      commit: f8a096be060b22ccd3d5f3ebe44108517fbf6c30
      rundir: /run/user/1001/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1001/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-8.fc37.aarch64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 0
  swapTotal: 0
  uptime: 19h 10m 4.00s (Approximately 0.79 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /var/home/podman/.config/containers/storage.conf
  containerStore:
    number: 4
    paused: 0
    running: 4
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.9-6.fc37.aarch64
      Version: |-
        fusermount3 version: 3.10.5
        fuse-overlayfs: version 1.9
        FUSE library version 3.10.5
        using FUSE kernel interface version 7.31
  graphRoot: /var/home/podman/.local/share/containers/storage
  graphRootAllocated: 127438663680
  graphRootUsed: 3762368512
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 12
  runRoot: /run/user/1001/containers
  transientStore: false
  volumePath: /var/home/podman/.local/share/containers/storage/volumes
version:
  APIVersion: 4.4.1
  Built: 1676629538
  BuiltTime: Fri Feb 17 10:25:38 2023
  GitCommit: ""
  GoVersion: go1.19.5
  Os: linux
  OsArch: linux/arm64
  Version: 4.4.1

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

No


@xduugu xduugu added the kind/bug Categorizes issue or PR as related to a bug. label Mar 23, 2023
@Luap99 Luap99 added the quadlet label Mar 24, 2023
@Luap99
Member

Luap99 commented Mar 24, 2023

@ygalblum PTAL

@rhatdan
Member

rhatdan commented Mar 24, 2023

@vrothberg WDYT?

@vrothberg
Member

I don't think systemd-specifiers can easily be supported. The Quadlet-related fields are interpreted by Quadlet and not by systemd, as such I don't see it as a bug.

@Luap99
Member

Luap99 commented Mar 24, 2023

Well, quadlet thinks that this is a relative path and thus adds the systemd unit dir path in front, which is an incorrect assumption. As reported, it should be possible to check for the systemd specifier. If quadlet doesn't properly support systemd specifiers, it will be much more difficult to create generic units that can be run everywhere.

@vrothberg
Member

Apologies, I skimmed the issue in a hurry and skipped the important part. I totally agree that Quadlet should properly process the identifiers, pass them on and let systemd interpret it.

@xduugu
Contributor Author

xduugu commented Mar 29, 2023

Thanks for implementing this so fast! @ygalblum

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Aug 28, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 28, 2023
4 participants