{"id":18089003,"url":"https://github.com/eriksjolund/podman-systemd-run-docs","last_synced_at":"2026-03-19T03:13:41.301Z","repository":{"id":165281626,"uuid":"640631505","full_name":"eriksjolund/podman-systemd-run-docs","owner":"eriksjolund","description":"Documentation of how to run Podman as another user with systemd-run ","archived":false,"fork":false,"pushed_at":"2023-06-06T07:16:27.000Z","size":21,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-06T02:32:17.746Z","etag":null,"topics":["demo","documentation","examples","podman","systemd","systemd-run"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eriksjolund.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-05-14T18:12:57.000Z","updated_at":"2023-06-02T15:18:57.000Z","dependencies_parsed_at":null,"dependency_job_id":"f2728e26-4bdd-4294-ac72-0b76f47a7ede","html_url":"https://github.com/eriksjolund/podman-systemd-run-docs","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/eriksjolund/podman-systemd-run-docs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eriksjolund%2Fpodman-systemd-run-docs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eriksjolund%2Fpodman-systemd-run-docs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eriksjolund%2Fpodman-systemd-run-docs/releases","manifests_
url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eriksjolund%2Fpodman-systemd-run-docs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/eriksjolund","download_url":"https://codeload.github.com/eriksjolund/podman-systemd-run-docs/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eriksjolund%2Fpodman-systemd-run-docs/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28567901,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-19T08:53:44.001Z","status":"ssl_error","status_checked_at":"2026-01-19T08:52:40.245Z","response_time":67,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["demo","documentation","examples","podman","systemd","systemd-run"],"created_at":"2024-10-31T17:42:34.002Z","updated_at":"2026-01-19T12:33:52.531Z","avatar_url":"https://github.com/eriksjolund.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":":warning: Work-in-progress, experimental\n\nstatus: Work-in-progress. Experimental draft. 
Fact-checking is needed regarding the diagrams\nand the explanation of the steps in the diagrams.\nThe diagrams and the explanation of the steps were written with a bit of\nguessing of how it works.\n\n# podman-systemd-run-docs\n\nOn a Linux computer the command `systemd-run` can be used to run Podman\nas another user.\n\n## Run podman as another user (using `--property User=`)\n\nUsing `sudo systemd-run --user --property User=username ...`\n\nRun the commands\n\n```\nsudo useradd test\nuid=$(id -u test)\nsudo systemd-run \\\n  --property User=test \\\n  --property Requires=user@${uid}.service \\\n  --property After=user@${uid}.service \\\n  --property Environment=XDG_RUNTIME_DIR=/run/user/${uid} \\\n  --collect \\\n  --pipe \\\n  --quiet \\\n  --wait \\\n  podman run --quiet --rm alpine echo hello\n```\n\nThe text `hello` is written to stdout.\n\n``` mermaid\ngraph TB\n\n    a1[systemd-run] -.-\u003e|1. dbus| a2[systemd]\n    a2 --\u003e|\"2. (if missing) fork/exec\"| a3[\"systemd --user\u003cbr\u003e(user@1000.service)\"]\n    a2 --\u003e|3. fork/exec| a4[podman]\n    a4 --\u003e|4. fork/exec| a5[conmon]\n    a5 --\u003e|5. fork/exec| a6[OCI runtime]\n    a6 --\u003e|6. exec| a7[container]\n\n    classDef white fill:#fff,stroke:#333;\n    class a1,a2 white;\n```\n\nThe white boxes are processes running as root and the colored boxes are processes\nrunning as the user _test_.\nThe steps explained in more detail (here assuming _1000_ is UID for the user _test_):\n\n1. __systemd-run__ requests a new transient service unit from the __systemd system manager__\n   using dbus. In the request __systemd-run__ also passes the file descriptors\n   for stdin, stdout, and stderr to the __systemd system manager__. To learn more about\n   the technology used for passing file descriptors over a Unix socket see `SCM_RIGHTS`\n   and `sendmsg()` in `man 7 unix`.\n2. 
__systemd system manager__  makes sure that the __systemd user manager__ instance\n   user@1000.service is in the _active_ state. If needed, __systemd system manager__\n   will start the user@1000.service, which means `systemd --user` is executed.\n3. __systemd system manager__ starts __podman__ with a fork/exec.\n4. __podman__ starts __conmon__ with a fork/exec.\n5. __conmon__ starts __OCI runtime__ with a fork/exec.\n6. __OCI runtime__ starts __container__ with an exec.\n\n\n## Run podman as another user (using `--machine=`)\n\nUsing `sudo systemd-run --user --machine=username@ ...`\n\nRun the commands\n\n```\nsudo useradd test\nsudo systemd-run \\\n  --collect \\\n  --machine=test@ \\\n  --pipe \\\n  --quiet \\\n  --user \\\n  --wait \\\n  podman run \\\n    --quiet \\\n    --rm \\\n    alpine \\\n      echo hello\n```\n\nThe text `hello` is written to stdout.\n\n``` mermaid\ngraph TB\n\n    a1[systemd-run] --\u003e|\"1. fork/exec\"| a2[systemd-run]\n    a2 -.-\u003e|\"2. dbus\"| a3[systemd]\n    a3 --\u003e|\"3. fork/exec\"| a4[systemd-stdio-bridge]    \n    a3 --\u003e|\"4. (if missing) fork/exec\"| a5[\"systemd --user\u003cbr\u003e(user@1000.service)\"]\n    a4 -.-\u003e|\"5. dbus\"| a5\n    a1 -.-\u003e|\"6. dbus\"| a5\n    a5 --\u003e|7. fork/exec| a6[podman]\n    a6 --\u003e|8. fork/exec| a7[conmon]\n    a7 --\u003e|9. fork/exec| a8[OCI runtime]\n    a8 --\u003e|10. exec| a9[container]\n\n    classDef white fill:#fff,stroke:#333;\n    class a1,a2,a3 white;\n```\n\nThe white boxes are processes running as root and the colored boxes\nare processes running as the user _test_.\nThe steps explained in more detail (here assuming _1000_ is UID for the user _test_):\n\n1. __systemd-run__ starts __systemd-run__ (a second instance) with fork/exec\n2. __systemd-run__ (second instance) sends a dbus request to __systemd__ requesting that systemd-stdio-bridge\n   should be started. 
\n   In the request __systemd-run__ also passes the file descriptors\n   for stdin, stdout, and stderr to the __systemd system manager__. To learn more about\n   the technology used for passing file descriptors over a Unix socket see `SCM_RIGHTS`\n   and `sendmsg()` in `man 7 unix`.\n3. __systemd system manager__ starts __systemd-stdio-bridge__ running as user UID _1000_ and lets the stdin, stdout, stderr\n   be the file descriptors it was passed from __step 2__.\n4. The __systemd system manager__ makes sure that the __systemd user manager__ instance\n   __user@1000.service__ is in the _active_ state. If needed, __systemd system manager__\n   will start __user@1000.service__, which means `systemd --user` is executed.\n5. __systemd-stdio-bridge__ announces its presence to __systemd user manager__ using dbus.\n6. __systemd-run__ (first instance) requests a new transient service unit from the\n   __systemd user manager__ using dbus.\n7. __systemd user manager__ starts __podman__ with a fork/exec.\n8. __podman__ starts __conmon__ with a fork/exec.\n9. __conmon__ starts __OCI runtime__ with a fork/exec.\n10. __OCI runtime__ starts the __container__ with an exec.\n\n## Using `--property OpenFile=`\n\nThe systemd directive [`OpenFile=`](https://www.freedesktop.org/software/systemd/man/systemd.service.html#OpenFile=)\nwas introduced in __systemd 253__ (released 15 February 2023) and is available in, for example, Fedora 38.\n\nThe `OpenFile=` directive instructs systemd to open a file before starting the service. 
The file descriptor\nwill be passed to the started service as an inherited file descriptor.\n\n#### Example: systemd system manager opens the file _/root/secretfile_ in read-only mode and the container reads the file descriptor\n\nRun the commands\n\n```\nsudo bash -c 'echo \"hello from secret\" \u003e /etc/secretfile'\nsudo chmod 700 /etc/secretfile\nsudo useradd test\nuid=$(id -u test)\nsudo systemd-run \\\n  --collect \\\n  --pipe \\\n  --property OpenFile=/etc/secretfile:myfdname:read-only \\\n  --property User=test \\\n  --property Requires=user@${uid}.service \\\n  --property After=user@${uid}.service \\\n  --property Environment=XDG_RUNTIME_DIR=/run/user/${uid} \\\n  --quiet \\\n  --wait \\\n  podman run --quiet --rm alpine sh -c \"cat \u003c\u00263\"\n```\n\nThe text `hello from secret` is written to stdout.\n\n\n#### Example: systemd user manager opens the file _/home/test/secretfile_ in read-only mode and the container reads the file descriptor\n\nRun the commands\n\n```\nsudo useradd test\nsudo bash -c 'echo \"hello from secret\" \u003e /home/test/secretfile'\nsudo chmod 700 /home/test/secretfile\nsudo chown test:test /home/test/secretfile\nuid=$(id -u test)\nsudo systemd-run \\\n  --user \\\n  --machine=test@ \\\n  --property OpenFile=/home/test/secretfile:myfdname:read-only \\\n  --collect \\\n  --pipe \\\n  --quiet \\\n  --wait \\\n  podman run -q --rm --user 65534:65534 alpine sh -c \"cat \u003c\u00263\"\n```\n\nThe text `hello from secret` is written to stdout. (When I tested\non Fedora CoreOS 38.20230430.1.0 (with container-selinux-2.209.0-1.fc38.noarch)\nI first had to run `sudo setenforce 0` to get this example to work)\n\n__audit2allow__ showed that these rules are necessary\n\n```\n#============= container_t ==============\nallow container_t user_home_t:file read;\n\n#============= systemd_logind_t ==============\n\n#!!!! 
This avc can be allowed using the boolean 'domain_can_mmap_files'\nallow systemd_logind_t etc_t:file map;\n```\n\nNote, in the example the option `--user 65534:65534` was added to highlight\nthe fact that the container user does not need to be mapped\nto the regular user of the host (i.e. the user _test_).\n\n#### Example: systemd system manager opens the file _/root/secretfile_ in read-only mode and a container running in a container reads the file descriptor\n\nRun the commands\n\n```\nsudo bash -c 'echo \"hello from secret\" \u003e /etc/secretfile'\nsudo chmod 700 /etc/secretfile\nsudo useradd test\nuid=$(id -u test)\nsudo systemd-run \\\n  --collect \\\n  --pipe \\\n  --property OpenFile=/etc/secretfile:myfdname:read-only \\\n  --property User=test \\\n  --property Requires=user@${uid}.service \\\n  --property After=user@${uid}.service \\\n  --property Environment=XDG_RUNTIME_DIR=/run/user/${uid} \\\n  --quiet \\\n  --wait \\\n  podman run \\\n    --device /dev/fuse \\\n    --quiet \\\n    --rm \\\n    --security-opt label=disable \\\n    --user podman \\\n    quay.io/podman/stable \\\n      podman run \\\n        --quiet \\\n        --rm \\\n        alpine sh -c \"cat \u003c\u00263\"\n```\n\nThe text `hello from secret` is written to stdout.\n\nThe command took about 1 minute to run. To see more progress remove the `--quiet` flags.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feriksjolund%2Fpodman-systemd-run-docs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feriksjolund%2Fpodman-systemd-run-docs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feriksjolund%2Fpodman-systemd-run-docs/lists"}