Quadlets with DynamicUser=yes always fail with "stat /.config: no such file or directory"

[AgentEpsilon]

Issue Description

When trying to create a Quadlet service with DynamicUser=yes, the systemd service fails with stat /.config: no such file or directory.

Steps to reproduce the issue

With the following Quadlet defined in /run/containers/systemd/debug.container:

[Container]
Image=alpine:3
Exec=printenv

[Service]
User=debug
DynamicUser=yes

Run systemctl daemon-reload and systemctl start debug.service

Describe the results you received

These are the logs from journalctl -u debug.service:

Jun 30 18:05:13 DESKTOP-OSL2QU8 systemd[1]: Starting debug.service...
Jun 30 18:05:13 DESKTOP-OSL2QU8 debug[453198]: stat /.config: no such file or directory
Jun 30 18:05:13 DESKTOP-OSL2QU8 systemd[1]: debug.service: Main process exited, code=exited, status=1/FAILURE
Jun 30 18:05:13 DESKTOP-OSL2QU8 debug[453209]: stat /.config: no such file or directory
Jun 30 18:05:13 DESKTOP-OSL2QU8 systemd[1]: debug.service: Failed with result 'exit-code'.
Jun 30 18:05:13 DESKTOP-OSL2QU8 systemd[1]: Failed to start debug.service.

Describe the results you expected

The container should be fetched and run.

podman info output

host:
  arch: amd64
  buildahVersion: 1.38.0
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-2.fc40.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 99.82
    systemPercent: 0.13
    userPercent: 0.04
  cpus: 12
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: container
    version: "40"
  eventLogger: journald
  freeLocks: 2048
  hostname: DESKTOP-OSL2QU8
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.6.87.2-microsoft-standard-WSL2
  linkmode: dynamic
  logDriver: journald
  memFree: 12781846528
  memTotal: 16730243072
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.13.1-1.fc40.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.13.1
    package: netavark-1.13.1-1.fc40.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.13.1
  ociRuntime:
    name: crun
    package: crun-1.19.1-1.fc40.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.19.1
      commit: 3e32a70c93f5aa5fea69b50256cca7fd4aa23c80
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20241211.g09478d5-1.fc40.x86_64
    version: |
      pasta 0^20241211.g09478d5-1.fc40.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 4294967296
  swapTotal: 4294967296
  uptime: 72h 26m 10.00s (Approximately 3.00 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.imagestore: /usr/lib/containers/storage
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 1081101176832
  graphRootUsed: 28026286080
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 19
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.3.1
  Built: 1732147200
  BuiltTime: Wed Nov 20 16:00:00 2024
  GitCommit: ""
  GoVersion: go1.22.7
  Os: linux
  OsArch: linux/amd64
  Version: 5.3.1

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

No response

Additional information

No response

[Luap99]

DynamicUser is not supported with podman, it restrict basically anything we have to do so it cannot work.
https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#DynamicUser=

[Luap99]

Also just User= also has its problems as it doesn't create a the login session, you should run the unit in the user session instead of using the system session as then setting User

#20573

[AgentEpsilon]

@Luap99 thanks, that matches what I was finding in my testing.

Would it be reasonable to have Podman error out when it detects either of these properties being set in a .container unit? That way it'll at least show a more descriptive error than what I was running into. I can draft up a PR adding that detection into ConvertContainer, or if that doesn't make sense to include I can at least add a note in the docs clarifying that this isn't supported.