Details

Reviewers

arrowd
dfr

Commits

R11:04b73631109f: sysutils/podman: Allow setting ownership on auto-created socket

Summary

The podman_service daemon auto-creates a socket on startup, along with
parent directory, and is always run as root. It is often useful to have
another proxy like haproxy or nginx provide more sophisticated security,
and these daemons do not need root privileges.

Test Plan

use podman_service instead of podman daemon (thanks arrowd)
rename all the vars accordingly
PORTREVISION++ again to ensure we are past reverted commit

try this:

# /etc/rc.conf.d/podman_service
podman_service_enable=YES
podman_service_flags='--time 0'
podman_service_api_user=$YOU
podman_service_api_group=$GROUP

Diff Detail

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 70914
Build 67797: arc lint + arc unit

Event Timeline

dch requested review of this revision.Feb 23 2026, 11:46 AM

dch created this revision.

Harbormaster completed remote builds in B70911: Diff 172502.Feb 23 2026, 11:46 AM

speling

Harbormaster completed remote builds in B70912: Diff 172503.Feb 23 2026, 11:47 AM

dch edited the summary of this revision. (Show Details)Feb 23 2026, 11:49 AM

dch edited the test plan for this revision. (Show Details)

dch added reviewers: arrowd, • d.raith_comcast.net.

dch edited reviewers, added: dfr; removed: • d.raith_comcast.net.

ensure default perms align with prior behaviour

Harbormaster completed remote builds in B70914: Diff 172505.Feb 23 2026, 11:55 AM

arrowd added inline comments.Feb 23 2026, 11:59 AM

sysutils/podman/files/podman_service.in
29	Another option might be "operator".
30	This should be `0770` to make the socket actually useful for the group.

Thanks for fixing the style nits. For group ownership, I have a slight preference for wheel but operator would also be reasonable. The permission of 0770 suggested by arrowd@ will work but I don't think we need execute permissions so perhaps 0660 instead?

This revision is now accepted and ready to land.Feb 23 2026, 1:15 PM

If I understand it correctly, we need "7" to be set on podman_service_rundir to allow listing its contents. Client programs usually first check for socket existence which requires the ability to list dir's contents.

In D55455#1268471, @arrowd wrote:

If I understand it correctly, we need "7" to be set on podman_service_rundir to allow listing its contents. Client programs usually first check for socket existence which requires the ability to list dir's contents.

That makes perfect sense, thanks!

frustratingly the var names I've chosen conflict with existing rc.subr ones :-( I need to rework these *again*

use group and user vars that don't conflict with rc.subr

This revision now requires review to proceed.Fri, Mar 6, 3:26 PM

Harbormaster completed remote builds in B71232: Diff 173269.Fri, Mar 6, 3:26 PM

dch edited the test plan for this revision. (Show Details)Fri, Mar 6, 3:42 PM

dch marked 2 inline comments as done.Fri, Mar 6, 4:22 PM

Works for me!

This revision is now accepted and ready to land.Mon, Mar 9, 7:25 AM

dfr accepted this revision.Mon, Mar 9, 1:28 PM

Closed by commit R11:04b73631109f: sysutils/podman: Allow setting ownership on auto-created socket (authored by dch). · Explain WhyFri, Mar 13, 3:54 PM

This revision was automatically updated to reflect the committed changes.

dch added a commit: R11:04b73631109f: sysutils/podman: Allow setting ownership on auto-created socket.

sysutils/podman: Allow setting ownership on auto-created socket
ClosedPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 172505

sysutils/podman/Makefile

sysutils/podman/files/podman_service.in

sysutils/podman: Allow setting ownership on auto-created socketClosedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 172505

sysutils/podman/Makefile

sysutils/podman/files/podman_service.in

sysutils/podman: Allow setting ownership on auto-created socket
ClosedPublic
Actions

Revision Contents
Changeset List