systemd container units are pulling new images #18779

Closed
ondrejbudai opened this issue Jun 2, 2023 · 2 comments · Fixed by #18788
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. quadlet

Comments

@ondrejbudai

Issue Description

man podman-systemd.unit mentions that the Image option for container units never downloads new images.

Image=
The image to run in the container. This image must be locally installed for the service to work when it is activated, because the generated service
file will never try to download images. It is recommended to use a fully qualified image name rather than a short name, both for performance and
robustness reasons.

However, from my testing, that's not true; the unit file does pull the image if it's missing.

Is this an intentional behaviour (and a documentation issue), or is the behaviour broken?

Steps to reproduce the issue

$ cat .config/containers/systemd/test.container 
[Unit]
Description=Test
After=basic.target

[Container]
Image=docker.io/mysql:latest

[Install]
WantedBy=default.target
$ podman images | grep mysql
$ systemctl --user daemon-reload
$ systemctl --user start test
$ podman images | grep mysql
docker.io/library/mysql            latest           05db07cd74c0  8 days ago    579 MB

Describe the results you received

Non-existing image referenced by a container unit got pulled.

Describe the results you expected

Non-existing image referenced by a container unit isn't pulled.

Alternatively, this might be an intentional behaviour and the documentation then needs to be updated.

podman info output

podman info
host:
  arch: amd64
  buildahVersion: 1.30.0
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.7-2.fc38.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: '
  cpuUtilization:
    idlePercent: 99.39
    systemPercent: 0.23
    userPercent: 0.37
  cpus: 2
  databaseBackend: boltdb
  distribution:
    distribution: fedora
    variant: coreos
    version: "38"
  eventLogger: journald
  hostname: the-dark-portal
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 589824
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 589824
      size: 65536
  kernel: 6.2.13-300.fc38.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 463622144
  memTotal: 1998245888
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.8.4-1.fc38.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.8.4
      commit: 5a8fa99a5e41facba2eda4af12fa26313918805b
      rundir: /run/user/1001/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1001/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-12.fc38.x86_64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 0
  swapTotal: 0
  uptime: 0h 58m 35.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /var/home/ondrej/.config/containers/storage.conf
  containerStore:
    number: 7
    paused: 0
    running: 2
    stopped: 5
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/home/ondrej/.local/share/containers/storage
  graphRootAllocated: 40356524032
  graphRootUsed: 20801634304
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 26
  runRoot: /run/user/1001/containers
  transientStore: false
  volumePath: /var/home/ondrej/.local/share/containers/storage/volumes
version:
  APIVersion: 4.5.0
  Built: 1681486942
  BuiltTime: Fri Apr 14 15:42:22 2023
  GitCommit: ""
  GoVersion: go1.20.2
  Os: linux
  OsArch: linux/amd64
  Version: 4.5.0

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

No

Additional environment details

Fedora CoreOS

Additional information

No response

@ondrejbudai ondrejbudai added the kind/bug Categorizes issue or PR as related to a bug. label Jun 2, 2023
@Luap99
Member

Luap99 commented Jun 2, 2023

Sounds like a doc issue to me; podman run will by default pull the image if it is not found. If quadlet does not want such behaviour it would need to add --pull=never.
cc @ygalblum

@Luap99 Luap99 added the quadlet label Jun 2, 2023
@ygalblum
Contributor

ygalblum commented Jun 4, 2023

Yes, this is a doc issue, a leftover from when Quadlet was opinionated. We've since stripped Quadlet from almost all of its opinions, this being one of them.
Currently Quadlet does not have a dedicated key for --pull. But, you can use PodmanArgs=--pull=never to achieve this functionality.
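To illustrate the workaround from the comment above, here is the reporter's test.container rewritten with the PodmanArgs=--pull=never setting added. This is an added example, not a file from the issue or from the podman project; the file name, Description and image are taken from the reproduction steps, and the behaviour described in the comments is the assumption it rests on.

```ini
# ~/.config/containers/systemd/test.container
# Added example: the unit from the report, with pulling disabled.
[Unit]
Description=Test
After=basic.target

[Container]
# Fully qualified name, as podman-systemd.unit recommends.
Image=docker.io/library/mysql:latest
# Quadlet has no dedicated key for --pull, so pass it through to podman run.
# With --pull=never, podman run fails instead of fetching a missing image,
# which is the behaviour the man page text quoted in the issue describes.
PodmanArgs=--pull=never

[Install]
WantedBy=default.target
```

After `systemctl --user daemon-reload` and `systemctl --user start test`, the service is expected to fail when the image is not already present locally, and `podman images | grep mysql` should print nothing; the image must be pulled explicitly (for example with `podman pull docker.io/library/mysql:latest`) before the unit will start. This keeps image acquisition a deliberate, auditable step rather than a side effect of service activation.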

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 4, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 4, 2023