Quadlet - new unit type .login

cmd/quadlet/main.go

@@ -411,14 +411,14 @@ func loadUnitDropins(unit *parser.UnitFile, sourcePaths []string) error {
 	return prevError
 }
 
-func generateServiceFile(service *parser.UnitFile) error {
+func generateServiceFile(service *parser.UnitFile, fileMode fs.FileMode) error {
 	Debugf("writing %q", service.Path)
 
 	service.PrependComment("",
 		fmt.Sprintf("Automatically generated by %s", os.Args[0]),
 		"")
 
-	f, err := os.Create(service.Path)
+	f, err := os.OpenFile(service.Path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, fileMode)
 	if err != nil {
 		return err
 	}
@@ -607,6 +607,8 @@ func generateUnitsInfoMap(units []*parser.UnitFile) map[string]*quadlet.UnitInfo
 			// Prefill resouceNames for .pod files.
 			// This is requires for referencing the pod from .container files
 			resourceName = quadlet.GetPodResourceName(unit)
+		case strings.HasSuffix(unit.Filename, ".login"):
+			serviceName = quadlet.GetLoginServiceName(unit)
 		default:
 			Logf("Unsupported file type %q", unit.Filename)
 			continue
@@ -706,11 +708,11 @@ func process() bool {
 	sort.Slice(units, func(i, j int) bool {
 		getOrder := func(i int) int {
 			ext := filepath.Ext(units[i].Filename)
-			order, ok := quadlet.SupportedExtensions[ext]
+			extensionInfo, ok := quadlet.SupportedExtensions[ext]
 			if !ok {
 				return 0
 			}
-			return order
+			return extensionInfo.Order
 		}
 		return getOrder(i) < getOrder(j)
 	})
@@ -722,24 +724,33 @@ func process() bool {
 		var service *parser.UnitFile
 		var warnings, err error
 
-		switch {
-		case strings.HasSuffix(unit.Filename, ".container"):
+		ext := filepath.Ext(unit.Filename)
+		extensionInfo, ok := quadlet.SupportedExtensions[ext]
+		if !ok {
+			Logf("Unsupported file type %q", unit.Filename)
+			continue
+		}
+
+		switch ext {
+		case ".container":
 			warnIfAmbiguousName(unit, quadlet.ContainerGroup)
 			service, warnings, err = quadlet.ConvertContainer(unit, isUserFlag, unitsInfoMap)
-		case strings.HasSuffix(unit.Filename, ".volume"):
+		case ".volume":
 			warnIfAmbiguousName(unit, quadlet.VolumeGroup)
 			service, warnings, err = quadlet.ConvertVolume(unit, unit.Filename, unitsInfoMap, isUserFlag)
-		case strings.HasSuffix(unit.Filename, ".kube"):
+		case ".kube":
 			service, err = quadlet.ConvertKube(unit, unitsInfoMap, isUserFlag)
-		case strings.HasSuffix(unit.Filename, ".network"):
+		case ".network":
 			service, warnings, err = quadlet.ConvertNetwork(unit, unit.Filename, unitsInfoMap, isUserFlag)
-		case strings.HasSuffix(unit.Filename, ".image"):
+		case ".image":
 			warnIfAmbiguousName(unit, quadlet.ImageGroup)
 			service, err = quadlet.ConvertImage(unit, unitsInfoMap, isUserFlag)
-		case strings.HasSuffix(unit.Filename, ".build"):
+		case ".build":
 			service, warnings, err = quadlet.ConvertBuild(unit, unitsInfoMap, isUserFlag)
-		case strings.HasSuffix(unit.Filename, ".pod"):
+		case ".pod":
 			service, warnings, err = quadlet.ConvertPod(unit, unit.Filename, unitsInfoMap, isUserFlag)
+		case ".login":
+			service, err = quadlet.ConvertLogin(unit, unit.Filename, unitsInfoMap, isUserFlag)
 		default:
 			Logf("Unsupported file type %q", unit.Filename)
 			continue
@@ -765,7 +776,7 @@ func process() bool {
 			fmt.Printf("---%s---\n%s\n", service.Path, data)
 			continue
 		}
-		if err := generateServiceFile(service); err != nil {
+		if err := generateServiceFile(service, extensionInfo.ServiceFileMode); err != nil {
 			reportError(fmt.Errorf("generating service file %s: %w", service.Path, err))
 		}
 		enableServiceFile(outputPath, service)

docs/source/markdown/podman-systemd.unit.5.md

@@ -299,6 +299,7 @@ Valid options for `[Container]` are listed below:
 | AddDevice=/dev/foo                   | --device /dev/foo                                    |
 | AddHost=example\.com:192.168.10.11   | --add-host example.com:192.168.10.11                 |
 | Annotation="XYZ"                     | --annotation "XYZ"                                   |
+| AuthFile=/etc/registry/auth\.json    | --authfile=/etc/registry/auth\.json                  |
 | AutoUpdate=registry                  | --label "io.containers.autoupdate=registry"          |
 | CgroupsMode=no-conmon                | --cgroups=no-conmon                                  |
 | ContainerName=name                   | --name name                                          |
@@ -421,6 +422,16 @@ similar to `Environment`.
 
 This key can be listed multiple times.
 
+### `AuthFile=`
+
+Path of the authentication file.
+
+This is equivalent to the `--authfile` option.
+
+Special Cases:
+
+* If the `name` of the AuthFile ends with `.login`, Quadlet will use the authfile created by the corresponding `.login` file, and the generated systemd service contains a dependency on the `$name-login.service` (or the service name set in the `.login` file). Note that the corresponding `.login` file must exist and must include the `AuthFile` key.
+
 ### `AutoUpdate=`
 
 Indicates whether the container will be auto-updated ([podman-auto-update(1)](podman-auto-update.1.md)). The following values are supported:
@@ -1240,6 +1251,7 @@ Valid options for `[Kube]` are listed below:
 
 | **[Kube] options**                  | **podman kube play equivalent**                                  |
 | ------------------------------------| -----------------------------------------------------------------|
+| AuthFile=/etc/registry/auth\.json   | --authfile=/etc/registry/auth\.json                              |
 | AutoUpdate=registry                 | --annotation "io.containers.autoupdate=registry"                 |
 | ConfigMap=/tmp/config.map           | --config-map /tmp/config.map                                     |
 | ContainersConfModule=/etc/nvd\.conf | --module=/etc/nvd\.conf                                          |
@@ -1256,6 +1268,16 @@ Valid options for `[Kube]` are listed below:
 
 Supported keys in the `[Kube]` section are:
 
+### `AuthFile=`
+
+Path of the authentication file.
+
+This is equivalent to the `--authfile` option.
+
+Special Cases:
+
+* If the `name` of the AuthFile ends with `.login`, Quadlet will use the authfile created by the corresponding `.login` file, and the generated systemd service contains a dependency on the `$name-login.service` (or the service name set in the `.login` file). Note that the corresponding `.login` file must exist and must include the `AuthFile` key.
+
 ### `AutoUpdate=`
 
 Indicates whether containers will be auto-updated ([podman-auto-update(1)](podman-auto-update.1.md)). AutoUpdate can be specified multiple times. The following values are supported:
@@ -1728,6 +1750,10 @@ Path of the authentication file.
 
 This is equivalent to the `--authfile` option of `podman build`.
 
+Special Cases:
+
+* If the `name` of the AuthFile ends with `.login`, Quadlet will use the authfile created by the corresponding `.login` file, and the generated systemd service contains a dependency on the `$name-login.service` (or the service name set in the `.login` file). Note that the corresponding `.login` file must exist and must include the `AuthFile` key.
+
 ### `ContainersConfModule=`
 
 Load the specified containers.conf(5) module. Equivalent to the Podman `--module` option.
@@ -1963,7 +1989,12 @@ This is equivalent to the Podman `--arch` option.
 
 Path of the authentication file.
 
-This is equivalent to the Podman `--authfile` option.
+This is equivalent to the `--authfile` option.
+
+Special Cases:
+
+* If the `name` of the AuthFile ends with `.login`, Quadlet will use the authfile created by the corresponding `.login` file, and the generated systemd service contains a dependency on the `$name-login.service` (or the service name set in the `.login` file). Note that the corresponding `.login` file must exist and must include the `AuthFile` key.
+
 
 ### `CertDir=`
 
@@ -2062,6 +2093,103 @@ Override the default architecture variant of the container image.
 
 This is equivalent to the Podman `--variant` option.
 
+## Login units [Login]
+
+Login files are named with a `.login` extension and contain a section `[Login]` describing the
+login command. The generated service is a one-time command that logs into a registry.
+
+Using login units allows pulling images from private registries without having to login manually.
+
+There is only one required key, `Registry`, which defines the URL of the registry to log into.
+
+To avoid password leaking, Quadlet will set the permissions of the generated service file as 0600.
+It is recommended to do the same for `.login` unit files.
+
+Valid options for `[Login]` are listed below:
+
+| **[Login] options**                             | **podman login**                                                     |
+|-------------------------------------------------|----------------------------------------------------------------------|
+| AuthFile=/etc/registry/auth\.json               | --authfile=/etc/registry/auth\.json                                  |
+| CertDir=/etc/certs                              | --cert-dir=/etc/certs                                                |
+| LogoutOnStop=true                               | Add ExecStopPost to log out of the registry when the unit is stopped |
+| Password=mypassword                             | --password-stdin and set StandardInputText                           |
+| PodmanArgs=--compat-auth-file=/etc/compat\.json | --compat-auth-file=/etc/registry/compat\.json                        |
+| Registry=quai.io                                | podman login quai.io                                                 |
+| Secret=mysecret                                 | --secret=mysecret                                                    |
+| ServiceName=name                                | Name the systemd unit `name.service`                                 |
+| TLSVerify=false                                 | --tls-verify=false                                                   |
+| Username=myuser                                 | --username=myuser                                                    |
+
+### `AuthFile=`
+
+Path of the authentication file.
+
+This field is mandatory when linking between an `AuthFile` key of a different unit and the `.login` unit.
+Do not use unit specific systemd specifiers (e.g. `%n`) as they will be resolved differently in the dependent units.
+
+This is equivalent to the Podman `--authfile` option.
+
+### `CertDir=`
+
+Use certificates at path (*.crt, *.cert, *.key) to connect to the registry.
+
+This is equivalent to the Podman `--cert-dir` option.
+
+
+### `LogoutOnStop=` (defaults to `false`)
+
+When set to `true`, the logout will be called when the service is stopped.
+
+### `Password=`
+
+Use the password to connect to the registry.
+In order to prevent password leak, instead of using the `--password` option,
+Quadlet will set `--password-stdin` and use systemd `StandardInputText` to pass the data.
+
+
+### `PodmanArgs=`
+
+This key contains a list of arguments passed directly to the end of the `podman login` command
+in the generated file. It can be used to access Podman features otherwise unsupported by the generator.
+Since the generator is unaware of the unexpected interactions that can be caused by these arguments,
+it is not recommended to use this option.
+
+The format of this is a space separated list of arguments, which can optionally be individually
+escaped to allow inclusion of whitespace and other control characters.
+
+This key can be listed multiple times.
+
+### `Registry=`
+
+Use the URL of the registry to connect to. This key is mandatory.
+
+This is equivalent to the last argument of `podman login`.
+
+### `Secret=`
+
+Use a podman secret for the credentials.
+
+This is equivalent to the Podman `--secret` option.
+
+### `ServiceName=`
+
+By default, Quadlet will name the systemd service unit by appending `-login` to the name of the Quadlet.
+Setting this key overrides this behavior by instructing Quadlet to use the provided name.
+
+Note, the name should not include the `.service` file extension
+
+### `TLSVerify=`
+
+Require HTTPS and verification of certificates when contacting registries.
+
+This is equivalent to the Podman `--tls-verify` option.
+
+### `Username=`
+
+Use the username to connect to the registry.
+
+This is equivalent to the Podman `--username` option.
+
 ## Quadlet section [Quadlet]
 Some quadlet specific configuration is shared between different unit types. Those settings
 can be configured in the `[Quadlet]` section.
@@ -2241,6 +2369,26 @@ Options=iam_role,endpoint=${AWS_REGION},use_xattr,listobjectsv2,del_cache,use_ca
 # `iam_role` assumes inside EC2, if not, Use `profile=` instead
 ```
 
+Example for pulling from a private repository with a `.login` file
+
+`private-repo.login`
+```
+[Login]
+Registry=private-repo.example.com
+AuthFile=/etc/auth/private-repo.json
+TLSVerify=false
+Username=myuser
+Password=mypassword
+LogoutOnStop=true
+```
+
+`app.container`
+```
+[Container]
+Image=private-repo.example.com/myaccount/myapp:latest
+AuthFile=private-repo.login
+```
+
 ## SEE ALSO
 **[systemd.unit(5)](https://www.freedesktop.org/software/systemd/man/systemd.unit.html)**,
 **[systemd.service(5)](https://www.freedesktop.org/software/systemd/man/systemd.service.html)**,