Quadlet - Error when units define User, Group, or DynamicUser in Service group

Fixes: #26543

Signed-off-by: Evan Miller <miller.evan815@gmail.com>

Author: AgentEpsilon

docs/source/markdown/podman-systemd.unit.5.md

@@ -78,6 +78,12 @@ session gets started. For unit files placed in subdirectories within
 /etc/containers/systemd/user/${UID}/ and the other user unit search paths,
 Quadlet will recursively search and run the unit files present in these subdirectories.
 
+Note that Quadlet units do not support running as a non-root user by defining the
+[User, Group](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#User=),
+or [DynamicUser](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#DynamicUser=)
+systemd options. If you want to run a rootless Quadlet, you will need to create the user
+and add the unit file to one of the above rootless unit search paths.
+
 Note: When a Quadlet is starting, Podman often pulls or builds one more container images which may take a considerable amount of time.
 Systemd defaults service start time to 90 seconds, or fails the service. Pre-pulling the image or extending
 the systemd timeout time for the service using the *TimeoutStartSec* Service option can fix the problem.

pkg/systemd/quadlet/quadlet.go

@@ -186,6 +186,9 @@ const (
 	KeyYaml                  = "Yaml"
 )
 
+// Unsupported keys in the Service group. Defined here so we can error when they are found
+var UnsupportedServiceKeys = [...]string{"User", "Group", "DynamicUser"}
+
 type UnitInfo struct {
 	// The name of the generated systemd service unit
 	ServiceName string
@@ -2245,6 +2248,14 @@ func initServiceUnitFile(quadletUnitFile *parser.UnitFile, isUser bool, unitsInf
 		return nil, nil, err
 	}
 
+	// These Service keys cannot be used in a Quadlet unit
+	for _, key := range UnsupportedServiceKeys {
+		_, hasKey := quadletUnitFile.Lookup(ServiceGroup, key)
+		if hasKey {
+			return nil, nil, fmt.Errorf("using key %s in the Service group is not supported", key)
+		}
+	}
+
 	service := quadletUnitFile.Dup()
 	service.Filename = unitInfo.ServiceFileName()
 

test/e2e/quadlet/service-dynamicuser.build

@@ -0,0 +1,4 @@
+## assert-failed
+## assert-stderr-contains "using key DynamicUser in the Service group is not supported"
+[Service]
+DynamicUser=foobar

test/e2e/quadlet/service-dynamicuser.container

@@ -0,0 +1,4 @@
+## assert-failed
+## assert-stderr-contains "using key DynamicUser in the Service group is not supported"
+[Service]
+DynamicUser=foobar

test/e2e/quadlet/service-dynamicuser.image

@@ -0,0 +1,4 @@
+## assert-failed
+## assert-stderr-contains "using key DynamicUser in the Service group is not supported"
+[Service]
+DynamicUser=foobar

test/e2e/quadlet/service-dynamicuser.kube

@@ -0,0 +1,4 @@
+## assert-failed
+## assert-stderr-contains "using key DynamicUser in the Service group is not supported"
+[Service]
+DynamicUser=foobar

test/e2e/quadlet/service-dynamicuser.network

@@ -0,0 +1,4 @@
+## assert-failed
+## assert-stderr-contains "using key DynamicUser in the Service group is not supported"
+[Service]
+DynamicUser=foobar

test/e2e/quadlet/service-dynamicuser.pod

@@ -0,0 +1,4 @@
+## assert-failed
+## assert-stderr-contains "using key DynamicUser in the Service group is not supported"
+[Service]
+DynamicUser=foobar

test/e2e/quadlet/service-dynamicuser.volume

@@ -0,0 +1,4 @@
+## assert-failed
+## assert-stderr-contains "using key DynamicUser in the Service group is not supported"
+[Service]
+DynamicUser=foobar

test/e2e/quadlet/service-group.container

@@ -0,0 +1,7 @@
+## assert-failed
+## assert-stderr-contains "using key Group in the Service group is not supported"
+[Container]
+Group=1000 # This is fine
+
+[Service]
+Group=1000 # This isn't