
Quadlet - make sure the /etc/containers/systemd/users is traversed in rootless #24815

Conversation

ygalblum
Contributor

Does this PR introduce a user-facing change?

No

None

Resolves: #24783

@openshift-ci openshift-ci bot added release-note-none approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Dec 10, 2024
@ygalblum
Contributor Author

I'm not sure how to test this. The problem is that creating folders under /etc/containers/systemd/users requires root privileges

@vrothberg
Member

I'm not sure how to test this. The problem is that creating folders under /etc/containers/systemd/users requires root privileges

That's usually done via env vars. Could you use QUADLET_UNIT_DIRS for the tests and point it to a directory the tests control? Besides the permission issue, I wouldn't want tests writing to /etc/ if possible.

@Luap99
Member

Luap99 commented Dec 11, 2024

QUADLET_UNIT_DIRS

I don't think this can help here, it will not trigger the code path in question here as this does not change the root.

I think for testing it may be possible to run quadlet in a container where we can have full control over all dirs, or just chroot() may be enough? But it is still not clear to me how we could integrate this into the existing e2e test.

@ygalblum
Contributor Author

Yes, @Luap99 is correct. When QUADLET_UNIT_DIRS is set, the changed code is not reached.
@edsantiago can you think of a way to test this?
The problem is that the code in question traverses directories under /etc/containers/systemd which the test code cannot change (without root permissions)

@edsantiago
Member

Containerized e2e could be a safe way to test, but not trivial (test fixtures would need to be set up outside the test itself). And, sorry, I can't remember if we run rootless containerized.

@Luap99
Member

Luap99 commented Dec 12, 2024

Maybe in the e2e test instead of calling quadlet on the host we can wrap it in a container like this:

podman run --rm -v /:/host:ro -v /tmp/test/:/host/etc/containers/systemd:Z  quay.io/libpod/testimage:20241011 chroot /host /usr/libexec/podman/quadlet -dryrun

Where /tmp/test is the source of the quadlet files, that seems to work and we have full control where to place the files.
And with the podman run command we can test rootless by adding --user 1000:1000 so we even have a stable uid to check the uid matching logic as well.
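A model of the uid-scoped search path this thread is trying to exercise, written as an added example for this discussion and not quadlet's own code: it walks /etc/containers/systemd/users below a caller-supplied root (so it runs against a temporary tree, the same "full control over where to place the files" that the containerised harness above gives), enters a numeric sub-directory only when its name matches the uid being simulated, and recurses into every other sub-directory, which is the "Quadlets in subfolders" case the PR addresses. The function names, the sample tree, and the choice to uid-scope only the direct children of users/ are assumptions of this example, not something the PR states.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Unit-file suffixes quadlet generates units for.
var quadletSuffixes = []string{".container", ".volume", ".network", ".kube", ".image", ".pod", ".build"}

func isQuadletUnit(name string) bool {
	for _, s := range quadletSuffixes {
		if strings.HasSuffix(name, s) {
			return true
		}
	}
	return false
}

// usersDirFilter models the documented rule for the rootless "users" directory
// (assumption: a simplified re-implementation, not quadlet's userLevelFilter).
// A direct child of users/ whose name is a numeric uid is entered only when it
// matches the caller's uid; every other directory is traversed normally.
func usersDirFilter(usersBase, dir string, uid int) bool {
	if filepath.Dir(dir) != usersBase {
		return true // assumption: only direct children of users/ are uid-scoped
	}
	dirUID, err := strconv.Atoi(filepath.Base(dir))
	if err != nil {
		return true // non-numeric name: visible to every user
	}
	return dirUID == uid
}

// CollectRootlessUnits walks <root>/etc/containers/systemd/users the way a
// rootless run for the given uid should, returning the paths (relative to the
// users directory, slash-separated) of the unit files it would process.
// A missing users directory is not an error; it simply yields no units.
func CollectRootlessUnits(root string, uid int) ([]string, error) {
	usersBase := filepath.Join(root, "etc", "containers", "systemd", "users")
	units := []string{}
	err := filepath.WalkDir(usersBase, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			if path == usersBase && errors.Is(err, fs.ErrNotExist) {
				return filepath.SkipDir // no users dir at all: nothing to do
			}
			return err
		}
		if d.IsDir() {
			if path != usersBase && !usersDirFilter(usersBase, path, uid) {
				return filepath.SkipDir // another user's uid directory
			}
			return nil
		}
		if isQuadletUnit(d.Name()) {
			rel, _ := filepath.Rel(usersBase, path)
			units = append(units, filepath.ToSlash(rel))
		}
		return nil
	})
	return units, err
}

// BuildSampleTree writes a constructed users/ tree under root for demonstration.
func BuildSampleTree(root string) error {
	base := filepath.Join(root, "etc", "containers", "systemd", "users")
	files := []string{
		"shared.container",     // for every user
		"apps/web.container",   // in a sub-directory, for every user (the linked issue's case)
		"apps/notes.txt",       // not a unit file, must be ignored
		"1000/mine.container",  // only for uid 1000
		"2000/other.container", // only for uid 2000
	}
	for _, f := range files {
		full := filepath.Join(base, filepath.FromSlash(f))
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return err
		}
		content := "[Container]\nImage=quay.io/libpod/testimage:20241011\n"
		if err := os.WriteFile(full, []byte(content), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "quadlet-users-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := BuildSampleTree(root); err != nil {
		panic(err)
	}
	for _, uid := range []int{1000, 2000} {
		units, err := CollectRootlessUnits(root, uid)
		if err != nil {
			panic(err)
		}
		fmt.Printf("uid %d: %v\n", uid, units)
	}
}
```

Running it prints the units each simulated uid would see: both get shared.container and apps/web.container, and each gets only its own numeric directory. The walk is done against a temporary root precisely because, as the thread notes, the test cannot create directories under the real /etc/containers/systemd without root.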

@ygalblum
Contributor Author

I've tried running this containerized, but I still see issues. While I would like to explore the idea, can we still merge this PR (by skipping the new tests requirement) as it does fix a real issue?

@Luap99
Member

Luap99 commented Jan 7, 2025

Yeah if there is no easy way I am fine to bypass the test requirement.

Although I just touched the quadlet unit tests and there seems to be some chroot logic in there, so maybe something can be done there, though not sure.
https://github.com/containers/podman/blob/main/cmd/quadlet/main_test.go

@ygalblum ygalblum force-pushed the quadlet-traverse-base-users-dir branch from 4c238aa to 0b3ad66 Compare January 7, 2025 19:52
@ygalblum
Contributor Author

ygalblum commented Jan 7, 2025

@Luap99 Thanks a lot for this pointer. I didn't notice it before. I added some more tests to the unit tests (with some cleanup of code duplication)

Member

@Luap99 Luap99 left a comment


LGTM

```go
createDir := func(path, name string) string {
	dirName := filepath.Join(path, name)
	err = os.Mkdir(dirName, 0755)
	assert.Nil(t, err)
```
Member


Not blocking as it is pre-existing and done in way too many other places, but error checks should be done with assert.NoError() because that prints a better message when it fails.

Contributor Author


Yeah, I just copy-pasted the code. I see that it's being fixed in #24974

Contributor

openshift-ci bot commented Jan 8, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Luap99, ygalblum

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@rhatdan
Member

rhatdan commented Jan 8, 2025

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 8, 2025
@openshift-merge-bot openshift-merge-bot bot merged commit 4593f8d into containers:main Jan 8, 2025
80 checks passed
@ygalblum ygalblum deleted the quadlet-traverse-base-users-dir branch January 8, 2025 13:13
Successfully merging this pull request may close these issues.

Quadlets in subfolders not generated