From: Dave Cottlehuber
Subject: git: 04b73631109f - main - sysutils/podman: Allow setting ownership on auto-created socket
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
Date: Fri, 13 Mar 2026 15:54:03 +0000

The branch main has been updated by dch:

URL: https://cgit.FreeBSD.org/ports/commit/?id=04b73631109f13aaf7e7b1fbe0ab00d62d6395c1

commit 04b73631109f13aaf7e7b1fbe0ab00d62d6395c1
Author:     Dave Cottlehuber
AuthorDate: 2026-03-13 15:53:43 +0000
Commit:     Dave Cottlehuber
CommitDate: 2026-03-13 15:53:43 +0000

    sysutils/podman: Allow setting ownership on auto-created socket

    The podman_service daemon auto-creates a socket on startup, along with
    parent directory, and is always run as root. It is often useful to have
    another proxy like haproxy or nginx provide more sophisticated security,
    and these daemons do not need root privileges.

    Approved by: dfr
    Reported by: pat@patmaddox.com
    Tested by: arrowd
    Differential Revision: https://reviews.freebsd.org/D55455
--- sysutils/podman/Makefile | 1 + sysutils/podman/files/podman_service.in | 47 +++++++++++++++++++++++++++++---- 2 files changed, 43 insertions(+), 5 deletions(-) diff --git a/sysutils/podman/Makefile b/sysutils/podman/Makefile index de723242ef32..78ae64af1c12 100644 --- a/sysutils/podman/Makefile +++ b/sysutils/podman/Makefile 
@@ -1,6 +1,7 @@ PORTNAME= podman DISTVERSIONPREFIX= v DISTVERSION= 5.8.0 +PORTREVISION= 1 CATEGORIES= sysutils MAINTAINER= dfr@FreeBSD.org diff --git a/sysutils/podman/files/podman_service.in b/sysutils/podman/files/podman_service.in index 0ecb1b0197f3..b06ee670c866 100755 --- a/sysutils/podman/files/podman_service.in +++ b/sysutils/podman/files/podman_service.in @@ -8,11 +8,16 @@ # Add the following to /etc/rc.conf[.local] to enable this service # -# podman_service_enable: Set to NO by default. -# Set it to YES to start podman API service daemon -# podman_service_flags: Extra flags for podman command (e.g. to set logging level) -# podman_service_log: Path to log file for podman stderr output -# +# podman_service_enable: Set to NO by default. +# Set it to YES to start podman API service daemon +# podman_service_flags: Extra flags for podman command (e.g. to set logging level) +# podman_service_log: Path to log file for podman stderr output +# podman_service_api_user: Optional user to own API socket +# podman_service_api_group: Optional group to own API socket +# podman_service_api_mode: Optional mode to chmod API socket to +# podman_service_api_rundir: Optional dir to override location of API socket +# podman_service_api_socket: Optional name of API socket inside rundir +# podman_service_api_socket_timeout: Optional seconds to wait for creation of API socket . /etc/rc.subr 
@@ -20,12 +25,44 @@ name=podman_service rcvar=${name}_enable : ${podman_service_enable:=NO} +: ${podman_service_api_user:="root"} +: ${podman_service_api_group:="operator"} +: ${podman_service_api_mode:="0770"} +: ${podman_service_api_rundir:="/var/run/podman"} +: ${podman_service_api_socket:="${podman_service_api_rundir}/podman.sock"} +: ${podman_service_api_socket_timeout:=5} : ${podman_service_flags:="--time=0"} : ${podman_service_log:="/var/log/podman.log"} command="%%PREFIX%%/bin/podman" pidfile="/var/run/$name.pid" +start_precmd="podman_prestart" start_cmd="podman_start" +start_postcmd="podman_poststart" + +podman_prestart() +{ + install -d -o ${podman_service_api_user} -g ${podman_service_api_group} -m ${podman_service_api_mode} ${podman_service_api_rundir} +} + +podman_poststart() +{ + local _timeout=${podman_service_api_socket_timeout} + local _elapsed=0 + + while [ ${_elapsed} -lt ${_timeout} ]; do + if [ -S "${podman_service_api_socket}" ]; then + chown ${podman_service_api_user}:${podman_service_api_group} "${podman_service_api_socket}" + chmod ${podman_service_api_mode} "${podman_service_api_socket}" + return 0 + fi + sleep 1 + _elapsed=$((_elapsed + 1)) + done + + warn "Timed out waiting for ${podman_service_api_socket} after ${_timeout} seconds" + return 1 +} podman_start() {
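
Review bot: In the rc.conf comment block at the top of podman_service.in, podman_service_api_socket is documented as the "name of API socket inside rundir", but the default assigned in the next hunk is a full path, "${podman_service_api_rundir}/podman.sock", and podman_poststart tests that value as-is with [ -S ... ]. An admin who follows the comment and sets a bare file name gets a relative path in that test and a timeout warning. Either document the variable as a full path or build the path from rundir plus name in the script. The comment block should also list the defaults (root, operator, 0770, 5 seconds), since the group and mode decide who can reach the API of a daemon that the commit message says always runs as root.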
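
Review bot: In podman_prestart, podman_service_api_mode is applied to the run directory as well as to the socket, so the default 0770 makes /var/run/podman writable by podman_service_api_group. Write access on the directory lets group members remove or rename entries in it, which is more than the connect access the socket needs, and it matters in podman_poststart because chown without -h follows symlinks and runs as root on a path inside that directory after a separate [ -S ] test. Suggest a separate directory mode without group write (for example 0750), chown -h on the socket, quoting the variable expansions on the install, chown and chmod lines, and returning non-zero when chown or chmod fails instead of the unconditional return 0. The default group "operator" with mode 0770 also grants socket access without any rc.conf setting; if that differs from the previous behaviour, which these lines do not show, an opt-in default would be safer.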