generate systemd creates a systemd unit file with proxy environment variables

[sstosh]

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind feature

Description

If we want to control a container with systemd under proxy environment,
we need to add proxy environment variables to systemd unit.
Currently we have to add the environment manually.

I think it will be better to add proxy environment variables.

Steps to reproduce the issue:

# podman run -d --name test quay.io/libpod/testimage:20220615 top
6a443e403db49aa3c582e6fd5298dcb3c091b21f21a3fb9bcf07d9fd52f6a0a2

# podman exec test env
http_proxy=<mask>
https_proxy=<mask>
HTTP_PROXY=<mask>
HTTPS_PROXY=<mask>
no_proxy=<mask>
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
TERM=xterm
container=podman
HOME=/root

# podman generate systemd --new test

Describe the results you received:

# container-6a443e403db49aa3c582e6fd5298dcb3c091b21f21a3fb9bcf07d9fd52f6a0a2.service
# autogenerated by Podman 4.3.0-dev
# Mon Aug 29 11:33:27 JST 2022

[Unit]
Description=Podman container-6a443e403db49aa3c582e6fd5298dcb3c091b21f21a3fb9bcf07d9fd52f6a0a2.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/%n.ctr-id
ExecStart=/usr/local/bin/podman run \
        --cidfile=%t/%n.ctr-id \
        --cgroups=no-conmon \
        --rm \
        --sdnotify=conmon \
        --replace \
        -d \
        --name test quay.io/libpod/testimage:20220615 top
ExecStop=/usr/local/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
ExecStopPost=/usr/local/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
Type=notify
NotifyAccess=all

[Install]
WantedBy=default.target

Describe the results you expected:

Add the proxy environment variables in [Service] section.

# container-6a443e403db49aa3c582e6fd5298dcb3c091b21f21a3fb9bcf07d9fd52f6a0a2.service
# autogenerated by Podman 4.3.0-dev
# Mon Aug 29 11:33:27 JST 2022

[Unit]
Description=Podman container-6a443e403db49aa3c582e6fd5298dcb3c091b21f21a3fb9bcf07d9fd52f6a0a2.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Environment="HTTP_PROXY=<http_proxy>"
Environment="HTTPS_PROXY=<https_proxy>"
Environment="NO_PROXY=<no_proxy>"
Restart=on-failure
TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/%n.ctr-id
ExecStart=/usr/local/bin/podman run \
        --cidfile=%t/%n.ctr-id \
        --cgroups=no-conmon \
        --rm \
        --sdnotify=conmon \
        --replace \
        -d \
        --name test quay.io/libpod/testimage:20220615 top
ExecStop=/usr/local/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
ExecStopPost=/usr/local/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
Type=notify
NotifyAccess=all

[Install]
WantedBy=default.target

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

podman version

Client:       Podman Engine
Version:      4.3.0-dev
API Version:  4.3.0-dev
Go Version:   go1.18.3
Git Commit:   2538bea8da2a4dba96f1c80594a66f6319d2d872-dirty
Built:        Wed Aug 24 15:28:37 2022
OS/Arch:      linux/amd64

Output of podman info:

podman info

host:
  arch: amd64
  buildahVersion: 1.27.0
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.0-2.fc36.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.0, commit: '
  cpuUtilization:
    idlePercent: 99.61
    systemPercent: 0.16
    userPercent: 0.23
  cpus: 12
  distribution:
    distribution: fedora
    variant: server
    version: "36"
  eventLogger: journald
  hostname: fedora36
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.18.11-200.fc36.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 1578639360
  memTotal: 8326590464
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.5-1.fc36.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.5
      commit: 54ebb8ca8bf7e6ddae2eb919f5b82d1d96863dea
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-0.2.beta.0.fc36.x86_64
    version: |-
      slirp4netns version 1.2.0-beta.0
      commit: 477db14a24ff1a3de3a705e51ca2c4c1fe3dda64
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.3
  swapFree: 8325689344
  swapTotal: 8325689344
  uptime: 163h 42m 8.00s (Approximately 6.79 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 106285760512
  graphRootUsed: 26218647552
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /var/run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.3.0-dev
  Built: 1661322517
  BuiltTime: Wed Aug 24 15:28:37 2022
  GitCommit: 2538bea8da2a4dba96f1c80594a66f6319d2d872-dirty
  GoVersion: go1.18.3
  Os: linux
  OsArch: linux/amd64
  Version: 4.3.0-dev

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (/~https://github.com/containers/podman/blob/main/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):
fedora36, KVM

[vrothberg]

Thanks for reaching out, @sstosh!

Would an --env flag work for your use case? podman generate systemd --env HTTP_PROXY=<http_proxy> --env ...?

[sstosh]

Would an --env flag work for your use case? podman generate systemd --env HTTP_PROXY=<http_proxy> --env ...?

--env option doesn't seem to exist.

# podman run -d --name test quay.io/libpod/testimage:20220615 top
263b9729a5cd5f44037b436b924730776dd0c1e2b1e5ea4f22c6d441edec3429

# podman generate systemd --env HTTP_PROXY=$http_proxy --new test
Error: unknown flag: --env
See 'podman generate systemd --help'

[vrothberg]

@sstosh, apologies for having been vague. The --env flag is just an idea but it does not exist yet. Would such a flag work for you?

[sstosh]

@sstosh, apologies for having been vague. The --env flag is just an idea but it does not exist yet. Would such a flag work for you?

Yes, I think --env flag is a nice idea.

[Luap99]

I think the flag might be useful but for your use case this doesn't seem right. You would have to change all untis when you change the proxy.
Use systemd-system.conf(5) with DefaultEnvironment instead, this is what we do in podman machine. Unless you need to use individual proxies for the units I recommend to do it like this.

[sstosh]

Use systemd-system.conf(5) with DefaultEnvironment instead, this is what we do in podman machine. Unless you need to use individual proxies for the units I recommend to do it like this.

DefaultEnvironment is the best way in my case. Thanks!

[vrothberg]

Great idea, @Luap99 !