Description
Issue Description
podman run fails to run a rootless service when XDG_CONFIG_HOME is unset and an unprivileged system user that has HOME set to an invalid path is used as User=.
At a guess, this appears to be caused by the following behavior, described in the podman docs:
In Rootless mode configuration files are read from XDG_CONFIG_HOME when specified, otherwise in the home directory of the user under $HOME/.config/containers
podman run fails to account for a missing $HOME dir. Lack of additional config files should not cause podman to fail. Default settings should... default.
Adding Environment=XDG_CONFIG_HOME=/run/user/$TEST_UID or Environment=HOME=/run/user/$TEST_UID to [Service] works around the bug. Note: these workarounds are effective even if the provided folders are empty, thus it is not the case that "Rootless mode configuration files" must be provided.
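The following shell script is an added example and is not part of this issue or of the podman project. It applies the lookup rule quoted above (XDG_CONFIG_HOME/containers when XDG_CONFIG_HOME is set, otherwise HOME/.config/containers) to the User= and Environment= lines of a unit file and reports whether the base directory podman will try to resolve exists, which is a cheap preflight check before enabling a rootless service for a system account. It also prints the XDG_CONFIG_HOME drop-in described above. The helper names, the minimal unit parsing, and the UID 999 in the constructed sample unit are assumptions made for the example; the real unit uses $TEST_UID.

```shell
#!/bin/sh
# Added example (not from the issue or the podman project): preflight check
# for a rootless podman service unit. systemd sets HOME for a User= account
# from the account database, so a /nonexistent home reaches podman unless the
# unit overrides HOME or sets XDG_CONFIG_HOME.

# Last value of KEY= in the unit file ($1 = unit file, $2 = key).
unit_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Last Environment=NAME=value assignment for NAME ($1 = unit file, $2 = NAME);
# prints nothing when the unit does not set it.
unit_env() {
    sed -n "s/^Environment=$2=//p" "$1" | tail -n 1
}

# Directory podman consults for rootless config
# ($1 = HOME, $2 = XDG_CONFIG_HOME or empty), per the documented rule.
podman_rootless_config_dir() {
    if [ -n "$2" ]; then
        printf '%s/containers\n' "$2"
    else
        printf '%s/.config/containers\n' "$1"
    fi
}

# Check one unit. $1 = unit file, $2 = home directory of the User= account
# (looked up with getent when omitted). Prints the config directory podman
# will look for and returns 0 when its base (XDG_CONFIG_HOME, or HOME when
# that is unset) exists, 1 when it does not, i.e. when the service would hit
# the "cannot resolve" error shown in the issue.
check_rootless_config() (
    unit=$1
    user=$(unit_value "$unit" User)
    home=${2:-$(getent passwd "$user" | cut -d: -f6)}
    # An Environment=HOME=... line in the unit overrides the account's home.
    unit_home=$(unit_env "$unit" HOME)
    [ -n "$unit_home" ] && home=$unit_home
    xdg=$(unit_env "$unit" XDG_CONFIG_HOME)
    podman_rootless_config_dir "$home" "$xdg"
    base=${xdg:-$home}
    [ -d "$base" ]
)

# Print a drop-in applying the XDG_CONFIG_HOME workaround from the issue for
# UID $1. Paste it into `systemctl edit <unit>` or write it to
# /etc/systemd/system/<unit>.d/override.conf and run `systemctl daemon-reload`.
workaround_dropin() {
    printf '[Service]\nEnvironment=XDG_CONFIG_HOME=/run/user/%s\n' "$1"
}

# Demo on a constructed copy of the failing unit's relevant lines. HOME is
# passed explicitly so the script runs on a machine without the test-user
# account; 999 stands in for the real UID.
demo() (
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
[Service]
User=test-user
Environment=XDG_DATA_HOME=/run/user/999
EOF
    if dir=$(check_rootless_config "$tmp" /nonexistent); then
        echo "ok: base of $dir exists"
    else
        echo "would fail: base of $dir does not exist; suggested drop-in:"
        workaround_dropin 999
    fi
    rm -f "$tmp"
)
demo
```

Run it as root on the host before `systemctl start`; if it reports a missing base, apply the drop-in or point HOME at an existing directory, matching the two workarounds above.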
Why is HOME set to an invalid path?
Because that's what Debian policy requires:
The canonical non-existent home directory is /nonexistent. Users who should not have a home directory should have their home directory set to this value.
System users should not have a home directory for security reasons.
Steps to reproduce the issue
# Create the unprivileged system user
useradd \
--system \
--add-subids-for-system \
--shell /usr/sbin/nologin \
--user-group \
--no-create-home \
--home-dir /nonexistent \
--key UMASK=077 \
test-user
# Capture the UID
TEST_UID=$(id -u test-user)
# Write the service file
cat << EOF > /etc/systemd/system/test-service.service
[Unit]
Description=Podman test service
[Service]
User=test-user
Environment=XDG_DATA_HOME=/run/user/$TEST_UID
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
KillMode=mixed
Delegate=yes
Type=notify
NotifyAccess=all
SyslogIdentifier=%N
ExecStop=/usr/bin/podman rm -v -f -i --cidfile=/run/user/$TEST_UID/%N.cid
ExecStopPost=-/usr/bin/podman rm -v -f -i --cidfile=/run/user/$TEST_UID/%N.cid
ExecStart=/usr/bin/podman run \
--name myservice \
--cidfile=/run/user/$TEST_UID/%N.cid \
--replace \
--rm \
--cgroups=split \
--sdnotify=conmon \
--detach \
docker.io/bash:5.3.0 \
-c 'exec tail -f /dev/null'
[Install]
WantedBy=multi-user.target
EOF
# Reload systemd and start the service (it will fail)
systemctl daemon-reload && systemctl start test-service.service
# See errors in log
journalctl --boot --pager-end --unit test-service
Describe the results you received
Jul 21 07:20:20 prime systemd[1]: test-service.service: Scheduled restart job, restart counter is at 3.
Jul 21 07:20:20 prime systemd[1]: Starting test-service.service...
Jul 21 07:20:20 prime test-service[686581]: cannot resolve /nonexistent: lstat /nonexistent: no such file or directory
Jul 21 07:20:20 prime systemd[1]: test-service.service: Main process exited, code=exited, status=1/FAILURE
Jul 21 07:20:20 prime test-service[686590]: cannot resolve /nonexistent: lstat /nonexistent: no such file or directory
Jul 21 07:20:20 prime systemd[1]: test-service.service: Failed with result 'exit-code'.
Jul 21 07:20:20 prime systemd[1]: Failed to start test-service.service.
Describe the results you expected
podman run succeeds without errors
podman info output
host:
arch: amd64
buildahVersion: 1.39.3
cgroupControllers:
- cpuset
- cpu
- io
- memory
- hugetlb
- pids
- rdma
- misc
cgroupManager: systemd
cgroupVersion: v2
conmon:
package: conmon_2.1.12-4_amd64
path: /usr/bin/conmon
version: 'conmon version 2.1.12, commit: unknown'
cpuUtilization:
idlePercent: 98.55
systemPercent: 0.21
userPercent: 1.24
cpus: 4
databaseBackend: sqlite
distribution:
codename: trixie
distribution: debian
version: "13"
eventLogger: journald
freeLocks: 2048
hostname: prime
idMappings:
gidmap: null
uidmap: null
kernel: 6.12.35+deb13-amd64
linkmode: dynamic
logDriver: journald
memFree: 9958391808
memTotal: 16540606464
networkBackend: netavark
networkBackendInfo:
backend: netavark
dns:
package: aardvark-dns_1.14.0-3_amd64
path: /usr/lib/podman/aardvark-dns
version: aardvark-dns 1.14.0
package: netavark_1.14.0-2_amd64
path: /usr/lib/podman/netavark
version: netavark 1.14.0
ociRuntime:
name: crun
package: crun_1.21-1_amd64
path: /usr/bin/crun
version: |-
crun version 1.21
commit: 10269840aa07fb7e6b7e1acff6198692d8ff5c88
rundir: /run/user/0/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +WASM:wasmedge +YAJL
os: linux
pasta:
executable: /usr/bin/pasta
package: passt_0.0~git20250503.587980c-2_amd64
version: ""
remoteSocket:
exists: true
path: /run/podman/podman.sock
rootlessNetworkCmd: pasta
security:
apparmorEnabled: true
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: false
seccompEnabled: true
seccompProfilePath: /usr/share/containers/seccomp.json
selinuxEnabled: false
serviceIsRemote: false
slirp4netns:
executable: /usr/bin/slirp4netns
package: slirp4netns_1.2.1-1.1_amd64
version: |-
slirp4netns version 1.2.1
commit: 09e31e92fa3d2a1d3ca261adaeb012c8d75a8194
libslirp: 4.8.0
SLIRP_CONFIG_VERSION_MAX: 5
libseccomp: 2.6.0
swapFree: 16540602368
swapTotal: 16540602368
uptime: 208h 10m 13.00s (Approximately 8.67 days)
variant: ""
plugins:
authorization: null
log:
- k8s-file
- none
- passthrough
- journald
network:
- bridge
- macvlan
- ipvlan
volume:
- local
registries: {}
store:
configFile: /usr/share/containers/storage.conf
containerStore:
number: 0
paused: 0
running: 0
stopped: 0
graphDriverName: overlay
graphOptions:
overlay.mountopt: nodev
graphRoot: /var/lib/containers/storage
graphRootAllocated: 491463127040
graphRootUsed: 6145794048
graphStatus:
Backing Filesystem: btrfs
Native Overlay Diff: "true"
Supports d_type: "true"
Supports shifting: "true"
Supports volatile: "true"
Using metacopy: "false"
imageCopyTmpDir: /var/tmp
imageStore:
number: 0
runRoot: /run/containers/storage
transientStore: false
volumePath: /var/lib/containers/storage/volumes
version:
APIVersion: 5.4.2
BuildOrigin: Debian
Built: 1751958912
BuiltTime: Tue Jul 8 09:15:12 2025
GitCommit: ""
GoVersion: go1.24.4
Os: linux
OsArch: linux/amd64
Version: 5.4.2
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
No
Additional environment details
$ uname -a
Linux prime 6.12.35+deb13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.35-1 (2025-07-03) x86_64 GNU/Linux
$ lsb_release -a
Distributor ID: Debian
Description: Debian GNU/Linux 13 (trixie)
Release: 13
Codename: trixie
$ podman --version
podman version 5.4.2
$ systemctl --version
systemd 257 (257.7-1)
+PAM +AUDIT +SELINUX +APPARMOR +IMA +IPE +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +BTF -XKBCOMMON -UTMP +SYSVINIT +LIBARCHIVE
Additional information
(none)