podman.service fails when run by the display manager #25382

Open
andrew-sayers opened this issue Feb 21, 2025 · 0 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

andrew-sayers (Contributor) commented Feb 21, 2025

Issue Description

contrib/systemd/user/podman.service.in starts podman whenever a user session starts. But lightdm is implemented as a user session for a user with limited permissions (I assume other display managers are the same, but haven't checked).

When I log out or switch user, a lightdm session starts and its podman.service immediately exits with status 125.

Steps to reproduce the issue

  1. use a Linux desktop distribution
  2. ensure no systemd session is running for user lightdm
     • e.g. kill the relevant systemd --user process
  3. log out or switch user (exact steps depend on your desktop)
  4. wait a few moments for the login manager to start
  5. observe the systemd logs
     • e.g. do ctrl+alt+F1 or log back in again and scroll up
     • note: sudo journalctl -ru podman.service only shows the system service - you can find the issue by doing sudo journalctl -r then searching for podman.service

Describe the results you received

Systemd logs contain:

podman.service: Main process exited, code=exited, status=125/n/a
podman.service: Failed with result 'exit-code'.

Describe the results you expected

Logs do not contain an error.

podman info output

host:
  arch: amd64
  buildahVersion: 1.39.0
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon_2.1.12-4_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: unknown'
  cpuUtilization:
    idlePercent: 86.48
    systemPercent: 3.14
    userPercent: 10.39
  cpus: 4
  databaseBackend: sqlite
  distribution:
    codename: trixie
    distribution: debian
    version: unknown
  eventLogger: journald
  freeLocks: 2048
  hostname: andrews-2024-laptop
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 121
      size: 1
    uidmap:
    - container_id: 0
      host_id: 115
      size: 1
  kernel: 6.12.15-amd64
  linkmode: dynamic
  logDriver: journald
  memFree: 13472137216
  memTotal: 25120329728
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns_1.12.2-2_amd64
      path: /usr/lib/podman/aardvark-dns
      version: aardvark-dns 1.12.2
    package: netavark_1.12.1-9_amd64
    path: /usr/lib/podman/netavark
    version: netavark 1.12.1
  ociRuntime:
    name: crun
    package: crun_1.19.1-1_amd64
    path: /usr/bin/crun
    version: |-
      crun version 1.19.1
      commit: 3e32a70c93f5aa5fea69b50256cca7fd4aa23c80
      rundir: /run/user/115/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt_0.0~git20250217.a1e48a0-1_amd64
    version: ""
  remoteSocket:
    exists: true
    path: /run/user/115/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_1.2.1-1+b1_amd64
    version: |-
      slirp4netns version 1.2.1
      commit: 09e31e92fa3d2a1d3ca261adaeb012c8d75a8194
      libslirp: 4.8.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.5
  swapFree: 34359734272
  swapTotal: 34359734272
  uptime: 3h 27m 43.00s (Approximately 0.12 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /var/lib/lightdm/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/lightdm/.local/share/containers/storage
  graphRootAllocated: 67255504896
  graphRootUsed: 42591698944
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /run/user/115/containers
  transientStore: false
  volumePath: /var/lib/lightdm/.local/share/containers/storage/volumes
version:
  APIVersion: 5.4.0
  Built: 1739713871
  BuiltTime: Sun Feb 16 13:51:11 2025
  GitCommit: ""
  GoVersion: go1.24.0
  Os: linux
  OsArch: linux/amd64
  Version: 5.4.0

Podman in a container

No

Privileged Or Rootless

None

Upstream Latest Release

No

Additional environment details

No response

Additional information

Suggested fix:

  1. change contrib/systemd/user/podman.service.in from a symlink to a copy of contrib/systemd/system/podman.service.in
  2. add a line like:
 StartLimitIntervalSec=0
+ConditionUser=!@system
 
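Review bot: a false `ConditionUser=!@system` makes systemd skip the unit and leave it inactive rather than fail it, so this hunk removes the status=125 exit for lightdm (UID 115, inside the system range) and for every other system-range account, which matches the expected result. Since `@system` also matches UID 0, the line must not end up in the shared system unit, which is why step 1 (turning `contrib/systemd/user/podman.service.in` from a symlink into a copy) is a prerequisite of this hunk; consider stating that dependency next to the hunk so the two steps are not applied separately.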

This would disable the service for all system users, not just lightdm. It also requires ConditionUser=, which was added to systemd in 2017. Finally, breaking the symlink would increase your maintenance burden.

Happy to resubmit this as a PR if you're OK with that solution, or to leave you to make a cleverer fix :)

@andrew-sayers andrew-sayers added the kind/bug Categorizes issue or PR as related to a bug. label Feb 21, 2025
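As an added example (not code from the issue, from Podman or from systemd), the shell script below mirrors the `ConditionUser=!@system` test from the suggested fix and applies it to journal output, which also works around the note above that `journalctl -ru podman.service` only shows the system instance. The JSON lines and the UID 1000 user are constructed; UID 115 is lightdm's UID from the `podman info` output.

```shell
#!/bin/sh
# Added example (not part of the issue or of Podman): reproduce systemd's
# ConditionUser=@system test in shell and use it to pick out user-manager
# podman.service failures that come from system-range accounts such as lightdm.

# Upper bound of the system UID range. systemd's default is 999; pass the
# SYS_UID_MAX value from /etc/login.defs as the second argument if it differs.
is_system_uid() {
    uid=$1
    max=${2:-999}
    [ "$uid" -le "$max" ]
}

# Read `journalctl -o json` lines on stdin and print the UID of every
# system-range user whose user manager reported podman.service exiting 125.
# Only the _UID, USER_UNIT/_SYSTEMD_USER_UNIT and MESSAGE fields are used.
failing_system_instances() {
    max=${1:-999}
    while IFS= read -r line; do
        case $line in
            *'"USER_UNIT":"podman.service"'*|*'"_SYSTEMD_USER_UNIT":"podman.service"'*) ;;
            *) continue ;;
        esac
        case $line in
            *'status=125'*) ;;
            *) continue ;;
        esac
        uid=$(printf '%s\n' "$line" | sed -n 's/.*"_UID":"\([0-9]*\)".*/\1/p')
        [ -n "$uid" ] && is_system_uid "$uid" "$max" && printf '%s\n' "$uid"
    done | sort -u
}

# Constructed sample resembling `journalctl -o json` output: the lightdm user
# manager (UID 115, as in the issue) and a regular user (UID 1000, constructed)
# both report the same failure; the system manager (UID 0) logs a normal start.
SAMPLE=$(cat <<'EOF'
{"_UID":"115","USER_UNIT":"podman.service","MESSAGE":"podman.service: Main process exited, code=exited, status=125/n/a"}
{"_UID":"115","USER_UNIT":"podman.service","MESSAGE":"podman.service: Failed with result 'exit-code'."}
{"_UID":"1000","USER_UNIT":"podman.service","MESSAGE":"podman.service: Main process exited, code=exited, status=125/n/a"}
{"_UID":"0","UNIT":"podman.service","MESSAGE":"Started podman.service - Podman API Service."}
EOF
)

# Prints only 115: the one system-range account whose podman.service failed.
printf '%s\n' "$SAMPLE" | failing_system_instances
```

On a real host, source the file and run `sudo journalctl -b -o json | failing_system_instances` to list the system accounts affected on the current boot.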