containers · openshift-merge-bot · Jul 4, 2025 · Jul 2, 2025 · Jul 3, 2025
diff --git a/cmd/quadlet/main.go b/cmd/quadlet/main.go
@@ -574,6 +574,20 @@ func warnIfAmbiguousName(unit *parser.UnitFile, group string) {
 	}
 }
 
+// Warns if the unit has any properties defined in the Service group that are known to cause issues.
+// We want to warn instead of erroring to avoid breaking any existing users' units,
+// or to allow users to use these properties if they know what they are doing.
+// We implement this here instead of in quadlet.initServiceUnitFile to avoid
+// having to refactor a large amount of code in the generator just for a warning.
+func warnIfUnsupportedServiceKeys(unit *parser.UnitFile) {
+	for _, key := range quadlet.UnsupportedServiceKeys {
+		_, hasKey := unit.Lookup(quadlet.ServiceGroup, key)
+		if hasKey {
+			Logf("Warning: using key %s in the Service group is not supported - use at your own risk", key)
+		}
+	}
+}
+
 func generateUnitsInfoMap(units []*parser.UnitFile) map[string]*quadlet.UnitInfo {
 	unitsInfoMap := make(map[string]*quadlet.UnitInfo)
 	for _, unit := range units {
@@ -722,6 +736,8 @@ func process() bool {
 		var service *parser.UnitFile
 		var warnings, err error
 
+		warnIfUnsupportedServiceKeys(unit)
+
 		switch {
 		case strings.HasSuffix(unit.Filename, ".container"):
 			warnIfAmbiguousName(unit, quadlet.ContainerGroup)

diff --git a/docs/source/markdown/podman-systemd.unit.5.md b/docs/source/markdown/podman-systemd.unit.5.md
@@ -78,6 +78,12 @@ session gets started. For unit files placed in subdirectories within
 /etc/containers/systemd/user/${UID}/ and the other user unit search paths,
 Quadlet will recursively search and run the unit files present in these subdirectories.
 
+Note that Quadlet units do not support running as a non-root user by defining the
+[User, Group](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#User=),
+or [DynamicUser](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#DynamicUser=)
+systemd options. If you want to run a rootless Quadlet, you will need to create the user
+and add the unit file to one of the above rootless unit search paths.
+
 Note: When a Quadlet is starting, Podman often pulls or builds one more container images which may take a considerable amount of time.
 Systemd defaults service start time to 90 seconds, or fails the service. Pre-pulling the image or extending
 the systemd timeout time for the service using the *TimeoutStartSec* Service option can fix the problem.

diff --git a/pkg/systemd/quadlet/quadlet.go b/pkg/systemd/quadlet/quadlet.go
@@ -186,6 +186,9 @@ const (
 	KeyYaml                  = "Yaml"
 )
 
+// Unsupported keys in the Service group. Defined here so we can error when they are found
+var UnsupportedServiceKeys = [...]string{"User", "Group", "DynamicUser"}
+
 type UnitInfo struct {
 	// The name of the generated systemd service unit
 	ServiceName string

diff --git a/test/e2e/quadlet/service-dynamicuser.build b/test/e2e/quadlet/service-dynamicuser.build
@@ -0,0 +1,8 @@
+## assert-stderr-contains "using key DynamicUser in the Service group is not supported"
+
+[Build]
+ImageTag=localhost/imagename
+SetWorkingDirectory=unit
+
+[Service]
+DynamicUser=foobar
diff --git a/test/e2e/quadlet/service-dynamicuser.container b/test/e2e/quadlet/service-dynamicuser.container
@@ -0,0 +1,7 @@
+## assert-stderr-contains "using key DynamicUser in the Service group is not supported"
+
+[Container]
+Image=localhost/imagename
+
+[Service]
+DynamicUser=foobar
diff --git a/test/e2e/quadlet/service-dynamicuser.image b/test/e2e/quadlet/service-dynamicuser.image
@@ -0,0 +1,7 @@
+## assert-stderr-contains "using key DynamicUser in the Service group is not supported"
+
+[Image]
+Image=localhost/imagename
+
+[Service]
+DynamicUser=foobar
diff --git a/test/e2e/quadlet/service-dynamicuser.kube b/test/e2e/quadlet/service-dynamicuser.kube
@@ -0,0 +1,7 @@
+## assert-stderr-contains "using key DynamicUser in the Service group is not supported"
+
+[Kube]
+Yaml=deployment.yml
+
+[Service]
+DynamicUser=foobar
diff --git a/test/e2e/quadlet/service-dynamicuser.network b/test/e2e/quadlet/service-dynamicuser.network
@@ -0,0 +1,3 @@
+## assert-stderr-contains "using key DynamicUser in the Service group is not supported"
+[Service]
+DynamicUser=foobar
diff --git a/test/e2e/quadlet/service-dynamicuser.pod b/test/e2e/quadlet/service-dynamicuser.pod
@@ -0,0 +1,3 @@
+## assert-stderr-contains "using key DynamicUser in the Service group is not supported"
+[Service]
+DynamicUser=foobar
diff --git a/test/e2e/quadlet/service-dynamicuser.volume b/test/e2e/quadlet/service-dynamicuser.volume
@@ -0,0 +1,3 @@
+## assert-stderr-contains "using key DynamicUser in the Service group is not supported"
+[Service]
+DynamicUser=foobar
diff --git a/test/e2e/quadlet/service-group.container b/test/e2e/quadlet/service-group.container
@@ -0,0 +1,10 @@
+## assert-stderr-contains "using key Group in the Service group is not supported"
+[Container]
+Image=localhost/imagename
+# This is fine
+User=1000
+Group=1000
+
+[Service]
+# This isn't
+Group=1000
diff --git a/test/e2e/quadlet/service-user.container b/test/e2e/quadlet/service-user.container
@@ -0,0 +1,9 @@
+## assert-stderr-contains "using key User in the Service group is not supported"
+[Container]
+Image=localhost/imagename
+# This is fine
+User=1000
+
+[Service]
+# This isn't
+User=1000
diff --git a/test/e2e/quadlet_test.go b/test/e2e/quadlet_test.go
@@ -1096,6 +1096,16 @@ BOGUS=foo
 		runWarningQuadletTestCase,
 		Entry("label-unsupported-escape.container", "label-unsupported-escape.container", "unsupported escape char"),
 		Entry("shortname.container", "shortname.container", "Warning: shortname.container specifies the image \"shortname\" which not a fully qualified image name. This is not ideal for performance and security reasons. See the podman-pull manpage discussion of short-name-aliases.conf for details."),
+
+		Entry("Unsupported Service Key - User", "service-user.container", "Warning: using key User in the Service group is not supported"),
+		Entry("Unsupported Service Key - Group", "service-group.container", "Warning: using key Group in the Service group is not supported"),
+		Entry("Unsupported Service Key - DynamicUser.build", "service-dynamicuser.build", "Warning: using key DynamicUser in the Service group is not supported"),
+		Entry("Unsupported Service Key - DynamicUser.container", "service-dynamicuser.container", "Warning: using key DynamicUser in the Service group is not supported"),
+		Entry("Unsupported Service Key - DynamicUser.image", "service-dynamicuser.image", "Warning: using key DynamicUser in the Service group is not supported"),
+		Entry("Unsupported Service Key - DynamicUser.kube", "service-dynamicuser.kube", "Warning: using key DynamicUser in the Service group is not supported"),
+		Entry("Unsupported Service Key - DynamicUser.network", "service-dynamicuser.network", "Warning: using key DynamicUser in the Service group is not supported"),
+		Entry("Unsupported Service Key - DynamicUser.pod", "service-dynamicuser.pod", "Warning: using key DynamicUser in the Service group is not supported"),
+		Entry("Unsupported Service Key - DynamicUser.volume", "service-dynamicuser.volume", "Warning: using key DynamicUser in the Service group is not supported"),
 	)
 
 	DescribeTable("Running expected error quadlet test case",