
I'm trying to deploy podman user services in a corporate network environment where all Linux users have their home directories NFS-mounted from a common file server. I'm not sure how to have computer-specific user-level services when my user's home directory on every machine is NFS-mounted to the same share.

For podman to work cleanly with network home directories, I've found that I'm going to need to set the graphroot setting to point to somewhere on each local machine, otherwise the containers on each machine will try to use the same storage and get confused. OK, I can do that (though it will take some work with IT to set this up).

When turning pods/containers into user-level services (using podman generate systemd) I'd ordinarily put the .service file in ~/.config/systemd/user but this is also on the network share and thus would affect my user in every location.

Is there a standard way to get around this issue? How do I have user-level services on a per-machine basis (i.e. I may want different machines to have different services, especially if these services are containers referenced by their ID)?

Bonus question extension: I also intend to set loginctl enable-linger. Since the NFS home directories are lazy-mounted, will this actually result in services being started on boot?

iAdjunct

1 Answer


Is there a standard way to get around this issue? How do I have user-level services on a per-machine basis (i.e. I may want different machines to have different services, especially if these services are containers referenced by their ID)?

Use the Condition*= directives.

[Unit]
# System hostname (/proc/sys/kernel/hostname)
ConditionHost=|node520
ConditionHost=|node964
[Unit]
# /etc/machine-id check
ConditionHost=7539689722fb45bca1a4e101447e4930

Bonus question extension: I also intend to set loginctl enable-linger. Since the NFS home directories are lazy-mounted, will this actually result in services being started on boot?

If you are using autofs, the systemd --user process attempting to access each user's ~/.config will trigger the lazy-mount in the same way that e.g. cronjobs would.

(This will not quite work if you're using NFS with Kerberos.)

If the lazy-mount is triggered using PAM, it will happen if /etc/pam.d/systemd-user invokes the necessary PAM modules. (Again, exactly like with cronjobs, it will only trigger 'account' and 'session' modules but won't go through 'auth'.)

u1686_grawity
  • Awesome - thank you so much for this response! A followup question: does the use of `loginctl enable-linger` cause the system to trigger the PAM modules after boot (thereby causing autofs to mount and the systemd user services to start)? – iAdjunct Apr 25 '22 at 18:48
  • PAM and autofs are usually completely unrelated – there's no "thereby" here. Yes, the user@.service will be started on boot if linger is on, and will call PAM open_session when it's started (which it'll do regardless of linger mode being on or off, the only difference is when that happens), and yes, user@.service will also cause autofs to mount the user's home, but that's not because of PAM but because the actual systemd --user process directly tries to access files from the homedir. – u1686_grawity Apr 25 '22 at 20:03
  • Ah, I didn't realize there was a user@.service; that makes perfect sense! Thank you again! – iAdjunct Apr 25 '22 at 22:26
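As an added example (my own code, not part of the answer or of systemd), here is a small offline checker that applies the ConditionHost= rules from systemd.unit(5) to a unit file: `|` marks a triggering condition (any one of them may pass), `!` negates, a 32-hex-digit value is compared against /etc/machine-id, and anything else is a shell-style glob matched against the hostname. It lets you confirm which machines a unit in the shared ~/.config/systemd/user would actually start on before you roll it out. The hostnames and machine ID are the sample values from the answer, reused here as constructed test data; the function names are my own.

```python
"""Offline evaluation of systemd ConditionHost= directives in a unit file."""
import fnmatch
import re

# A value of 32 lowercase hex digits is treated as a machine ID, as systemd does.
MACHINE_ID_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample units, using the values quoted in the answer above.
HOSTNAME_UNIT = "[Unit]\nConditionHost=|node520\nConditionHost=|node964\n"
MACHINE_ID_UNIT = "[Unit]\nConditionHost=7539689722fb45bca1a4e101447e4930\n"


def parse_condition_host(unit_text):
    """Return (triggering, negated, pattern) for every ConditionHost= line.

    An empty 'ConditionHost=' assignment clears all earlier entries,
    matching systemd's reset semantics for list-valued directives.
    """
    conds = []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or not line.startswith("ConditionHost="):
            continue
        value = line[len("ConditionHost="):].strip()
        if not value:
            conds = []          # empty assignment resets the list
            continue
        triggering = value.startswith("|")
        if triggering:
            value = value[1:]   # the pipe must come before any '!'
        negated = value.startswith("!")
        if negated:
            value = value[1:]
        conds.append((triggering, negated, value))
    return conds


def host_matches(pattern, hostname, machine_id):
    """Machine IDs compare exactly; hostnames use case-insensitive globs."""
    if MACHINE_ID_RE.match(pattern):
        return pattern == machine_id.strip().lower()
    return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def unit_would_start(unit_text, hostname, machine_id):
    """True if all regular conditions hold and, when any triggering
    conditions exist, at least one of them holds."""
    results = [(trig, host_matches(p, hostname, machine_id) != neg)
               for trig, neg, p in parse_condition_host(unit_text)]
    regular = [ok for trig, ok in results if not trig]
    triggering = [ok for trig, ok in results if trig]
    if not all(regular):
        return False
    return any(triggering) if triggering else True
```

To check a real unit, pass `socket.gethostname()` and the contents of /etc/machine-id as the last two arguments.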