nixos/podman: fix starting unprivileged containers with sdnotify=conmon (#475089)

2026-06-05 21:03:40 +00:00 · 2026-01-24 09:53:35 +00:00
parent 786a9478e4 5344842272
commit 2bf57f0212
3 changed files with 7 additions and 9 deletions
--- a/nixos/modules/virtualisation/oci-containers.nix
+++ b/nixos/modules/virtualisation/oci-containers.nix
@@ -542,7 +542,7 @@ let
        Environment = "PODMAN_SYSTEMD_UNIT=%n";
        Type = "notify";
        NotifyAccess = "all";
-        Delegate = mkIf (container.podman.sdnotify == "healthy") true;
+        Delegate = true;
        User = effectiveUser;
        RuntimeDirectory = escapedName;
      };
@@ -630,13 +630,9 @@ in
              inherit (config.users.users.${podman.user}) linger;
            in
            warnings
-            ++ lib.optional (podman.user != "root" && linger && podman.sdnotify == "conmon") ''
-              Podman container ${name} is configured as rootless (user ${podman.user})
-              with `--sdnotify=conmon`, but lingering for this user is turned on.
-            ''
-            ++ lib.optional (podman.user != "root" && !linger && podman.sdnotify == "healthy") ''
-              Podman container ${name} is configured as rootless (user ${podman.user})
-              with `--sdnotify=healthy`, but lingering for this user is turned off.
+            ++ lib.optional (podman.user != "root" && !linger) ''
+              Podman container ${name} is configured as rootless (user ${podman.user}),
+              but lingering for this user is turned off.
            ''
          ) [ ] cfg.containers
        );
--- a/nixos/tests/oci-containers.nix
+++ b/nixos/tests/oci-containers.nix
@@ -88,7 +88,7 @@ let
              isSystemUser = true;
              group = "redis";
              home = "/var/lib/redis";
-              linger = type == "healthy";
+              linger = true;
              createHome = true;
              uid = 2342;
              subUidRanges = [
--- a/pkgs/by-name/po/podman/package.nix
+++ b/pkgs/by-name/po/podman/package.nix
@@ -157,6 +157,8 @@ buildGoModule (finalAttrs: {
        podman-tls-ghostunnel
        ;
      oci-containers-podman = nixosTests.oci-containers.podman;
+      oci-containers-podman-rootless-conmon = nixosTests.oci-containers.podman-rootless-conmon;
+      oci-containers-podman-rootless-healthy = nixosTests.oci-containers.podman-rootless-healthy;
    };
    # do not add qemu to this wrapper, store paths get written to the podman vm config and break when GCed
    binPath = lib.makeBinPath (