Date:      Fri, 13 Mar 2026 15:54:03 +0000
From:      Dave Cottlehuber <dch@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: 04b73631109f - main - sysutils/podman: Allow setting ownership on auto-created socket
Message-ID:  <69b4331b.3f3b7.1c323ee2@gitrepo.freebsd.org>


The branch main has been updated by dch:

URL: https://cgit.FreeBSD.org/ports/commit/?id=04b73631109f13aaf7e7b1fbe0ab00d62d6395c1

commit 04b73631109f13aaf7e7b1fbe0ab00d62d6395c1
Author:     Dave Cottlehuber <dch@FreeBSD.org>
AuthorDate: 2026-03-13 15:53:43 +0000
Commit:     Dave Cottlehuber <dch@FreeBSD.org>
CommitDate: 2026-03-13 15:53:43 +0000

    sysutils/podman: Allow setting ownership on auto-created socket
    
    The podman_service daemon auto-creates a socket on startup, along with
    parent directory, and is always run as root. It is often useful to have
    another proxy like haproxy or nginx provide more sophisticated security,
    and these daemons do not need root privileges.
    
    Approved by:    dfr
    Reported by:    pat@patmaddox.com
    Tested by:      arrowd
    Differential Revision:  https://reviews.freebsd.org/D55455
---
 sysutils/podman/Makefile                |  1 +
 sysutils/podman/files/podman_service.in | 47 +++++++++++++++++++++++++++++----
 2 files changed, 43 insertions(+), 5 deletions(-)

diff --git a/sysutils/podman/Makefile b/sysutils/podman/Makefile
index de723242ef32..78ae64af1c12 100644
--- a/sysutils/podman/Makefile
+++ b/sysutils/podman/Makefile
@@ -1,6 +1,7 @@
 PORTNAME=	podman
 DISTVERSIONPREFIX=	v
 DISTVERSION=	5.8.0
+PORTREVISION=	1
 CATEGORIES=	sysutils
 
 MAINTAINER=	dfr@FreeBSD.org
diff --git a/sysutils/podman/files/podman_service.in b/sysutils/podman/files/podman_service.in
index 0ecb1b0197f3..b06ee670c866 100755
--- a/sysutils/podman/files/podman_service.in
+++ b/sysutils/podman/files/podman_service.in
@@ -8,11 +8,16 @@
 
 # Add the following to /etc/rc.conf[.local] to enable this service
 #
-# podman_service_enable:	Set to NO by default.
-#				Set it to YES to start podman API service daemon
-# podman_service_flags:		Extra flags for podman command (e.g. to set logging level)
-# podman_service_log:		Path to log file for podman stderr output
-#
+# podman_service_enable:		Set to NO by default.
+#					Set it to YES to start podman API service daemon
+# podman_service_flags:			Extra flags for podman command (e.g. to set logging level)
+# podman_service_log:			Path to log file for podman stderr output
+# podman_service_api_user:		Optional user to own API socket
+# podman_service_api_group:		Optional group to own API socket
+# podman_service_api_mode:		Optional mode to chmod API socket to
+# podman_service_api_rundir:		Optional dir to override location of API socket
+# podman_service_api_socket:		Optional name of API socket inside rundir
+# podman_service_api_socket_timeout:	Optional seconds to wait for creation of API socket
 
 . /etc/rc.subr
 
@@ -20,12 +25,44 @@ name=podman_service
 rcvar=${name}_enable
 
 : ${podman_service_enable:=NO}
+: ${podman_service_api_user:="root"}
+: ${podman_service_api_group:="operator"}
+: ${podman_service_api_mode:="0770"}
+: ${podman_service_api_rundir:="/var/run/podman"}
+: ${podman_service_api_socket:="${podman_service_api_rundir}/podman.sock"}
+: ${podman_service_api_socket_timeout:=5}
 : ${podman_service_flags:="--time=0"}
 : ${podman_service_log:="/var/log/podman.log"}
 
 command="%%PREFIX%%/bin/podman"
 pidfile="/var/run/$name.pid"
+start_precmd="podman_prestart"
 start_cmd="podman_start"
+start_postcmd="podman_poststart"
+
+podman_prestart()
+{
+    install -d -o ${podman_service_api_user} -g ${podman_service_api_group} -m ${podman_service_api_mode} ${podman_service_api_rundir}
+}
+
+podman_poststart()
+{
+    local _timeout=${podman_service_api_socket_timeout}
+    local _elapsed=0
+
+    while [ ${_elapsed} -lt ${_timeout} ]; do
+        if [ -S "${podman_service_api_socket}" ]; then
+            chown ${podman_service_api_user}:${podman_service_api_group} "${podman_service_api_socket}"
+            chmod ${podman_service_api_mode} "${podman_service_api_socket}"
+            return 0
+        fi
+        sleep 1
+        _elapsed=$((_elapsed + 1))
+    done
+
+    warn "Timed out waiting for ${podman_service_api_socket} after ${_timeout} seconds"
+    return 1
+}
 
 podman_start()
 {
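Review bot: `podman_prestart` hands ownership of the whole run directory to `${podman_service_api_user}`, not just the socket, so once that variable is set to the unprivileged proxy account (the documented use case; the default `root` is unaffected) that account has write access to the directory and can remove or replace `podman.sock` before `podman_poststart` runs, and the `[ -S ]` test followed by `chown`/`chmod` on the same path is then a check-then-use race in which both tools follow symlinks by default. The proxy only needs group access, so the directory can stay root-owned: `install -d -o root -g "${podman_service_api_group}" -m "${podman_service_api_mode}" "${podman_service_api_rundir}"`, with `chown -h` and `chmod -h` on the socket as a second line of defence. The expansions on those three lines are also unquoted (ShellCheck SC2086) and would break on rc.conf values containing whitespace. A comment next to the new defaults should state that every member of `${podman_service_api_group}` (`operator` by default) can drive the podman API, which for a daemon that always runs as root is likely equivalent to root on the host. podman_start's body continues outside the hunk, so whether the path podman actually binds matches `${podman_service_api_socket}` when `podman_service_api_rundir` is overridden is not visible here.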


