Configure a container to start automatically as a systemd service

In early 2022, I had the privilege of writing a five-part series about Podman (see my Enable Sysadmin profile to find the articles). Podman is a daemonless engine for developing, managing, and running Open Container Initiative (OCI)-compliant containers. Containers aren't just a developer thing anymore; they're increasingly an intrinsic part of a sysadmin's work. Therefore it's important to know how to manage them in a practical and automated way.

[ Get the Podman basics cheat sheet. ]

This article shows one way you can use the power of Podman and systemd to create a container solution that starts and stops automatically with your operating system. I'll begin with why you might need something like this.

Use case scenario

Podman can run rootless containers, so you can run a container to do whatever you want, from completing a system task to running a full application solution, such as web servers or databases.

Say you want containers that run these services indefinitely. In a typical sysadmin environment, a privileged user configures these services to run at system boot and manages them with the systemctl command. You can enable and start a service with the systemctl command as a regular user. These system services start when the system boots and stop when the system shuts down.

When you invoke Podman at runtime from the command line, it runs only as long as you are in the session (graphical interface, text console, or SSH), and it stops when you close the session. This functionality is not ideal for your need to have a Podman-hosted service persist across reboots. Here's where integrating Podman and systemd is handy.

[ Get the systemd commands cheat sheet. ]

According to RHEL 9 documentation, with systemd unit files, you can:

• Set up a container or pod to start as a systemd service.
• Define the order in which the containerized services run and check for dependencies (for example, making sure another service is running, a file is available, or a resource is mounted).
• Control the state of the systemd system using the systemctl command.
• Generate portable descriptions of containers and pods using systemd unit files.

Those are sample use cases. Here are the configuration steps.

[ Read how Podman 4.4 lets you make systemd better for Podman with Quadlet ]

Prepare the environment

First, as a privileged user, create a basic user in the system to act as a "service user" for the application with systemd:

# useradd webuser

# passwd webuser
Changing password for user webuser.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.

Keep this terminal open. In a separate terminal, SSH to the same server with the newly created user and verify it can run Podman commands:

$ ssh webuser@fedora
webuser@fedora's password:
Last login: Wed Feb  1 15:52:26 2023

$ podman version
Client:       Podman Engine
Version:      4.3.1
API Version:  4.3.1
Go Version:   go1.18.7
Built:        Fri Nov 11 12:24:13 2022
OS/Arch:      linux/amd64

Now, allow this "service user" account to start a service at system start that persists over logouts. Use the loginctl command to configure the systemd user service to persist after the last user session of the configured service closes. In the privileged user's terminal window, do the following:

# loginctl show-user webuser | grep ^Linger
Linger=no

# loginctl enable-linger webuser

# loginctl show-user webuser | grep ^Linger
Linger=yes

Return to the basic user's terminal window, and pull the container image for your application. For this example, I will use the httpd container image because it's easier to demonstrate:

$ podman pull docker.io/library/httpd
Trying to pull docker.io/library/httpd:latest...
Getting image source signatures
Copying blob 70698c657149 done  
Copying blob 00df85967755 done  
Copying blob 8b4456c99d44 done  
Copying blob ec2ee6bdcb58 done  
Copying blob 8740c948ffd4 done  
Copying config 6e794a4832 done  
Writing manifest to image destination
Storing signatures
6e794a4832588ca05865700da59a3d333e7daaaf0544619e7f326eed7e72c903

$ podman image ls
REPOSITORY               TAG         IMAGE ID      CREATED      SIZE
docker.io/library/httpd  latest      6e794a483258  2 weeks ago  149 MB

Run the container and mount an external volume in the system. If you've read my article on how to Create fast, easy, and repeatable containers with Podman and shell scripts (if you didn't, check it now), you're aware that I've already created this external volume with its contents in the /var/local/httpd/ directory:

$ ls /var/local/httpd/
index.html

$ cat /var/local/httpd/index.html
<html>
  <header>
    <title>Enable SysAdmin</title>
  </header>
  <body>
    <p>Hello World!</p>
  </body>
</html>

To make it easier (and since I'm a bit lazy), I will use the same content for this httpd container. Run it with Podman to check whether it works as intended:

$ podman run --name=httpd --hostname=httpd -p 8081:80 -v /var/local/httpd:/usr/local/apache2/htdocs:Z -d docker.io/library/httpd
f6f3d836bde9a75c6d745f481c8e83f8c7c342db2bbeac901347c535eaef03d9

$ podman ps
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS            PORTS                 NAMES
f6f3d836bde9  docker.io/library/httpd:latest  httpd-foreground  5 seconds ago  Up 4 seconds ago  0.0.0.0:8081->80/tcp  httpd

$ curl -v http://localhost:8081
*   Trying 127.0.0.1:8081...
* Connected to localhost (127.0.0.1) port 8081 (#0)
> GET / HTTP/1.1
> Host: localhost:8081
> User-Agent: curl/7.82.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Wed, 01 Feb 2023 19:02:28 GMT
< Server: Apache/2.4.55 (Unix)
< Last-Modified: Fri, 07 Oct 2022 21:34:58 GMT
< ETag: "74-5ea7894e36d30"
< Accept-Ranges: bytes
< Content-Length: 116
< Content-Type: text/html
<
<html>
  <header>
    <title>Enable SysAdmin</title>
  </header>
  <body>
    <p>Hello World!</p>
  </body>
</html>
* Connection #0 to host localhost left intact

OK, it works. Stop the container:

$ podman stop httpd && podman rm -a && podman volume prune
httpd
f6f3d836bde9a75c6d745f481c8e83f8c7c342db2bbeac901347c535eaef03d9
WARNING! This will remove all volumes not used by at least one container. The following volumes will be removed:
No dangling volumes found

$ curl -v http://localhost:8081
*   Trying 127.0.0.1:8081...
* connect to 127.0.0.1 port 8081 failed: Connection refused
*   Trying ::1:8081...
* connect to ::1 port 8081 failed: Connection refused
* Failed to connect to localhost port 8081 after 1 ms: Connection refused
* Closing connection 0
curl: (7) Failed to connect to localhost port 8081 after 1 ms: Connection refused

The prerequisites are complete. It's time to move on to the next part.

[ Download now: A sysadmin's guide to Bash scripting. ]

Configure containers with systemd

First, start your container again with Podman:

$ podman run --name=httpd --hostname=httpd -p 8081:80 -v /var/local/httpd:/usr/local/apache2/htdocs:Z -d docker.io/library/httpd
16df315d3b23f41a70d1d3ffc11315c967cd213a107961df970327e85e62286f

$ podman ps
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS            PORTS                 NAMES
16df315d3b23  docker.io/library/httpd:latest  httpd-foreground  4 seconds ago  Up 4 seconds ago  0.0.0.0:8081->80/tcp  httpd

If you are familiar with creating systemd service units, you can do it "handcrafted." But why trouble yourself? Use the power of Podman to do it for you. It looks like this:

$ podman generate systemd --new --files --name httpd
/home/webuser/container-httpd.service

$ ls
container-httpd.service

$ cat container-httpd.service
# container-httpd.service
# autogenerated by Podman 4.3.1
# Wed Feb  1 16:06:04 -03 2023

[Unit]
Description=Podman container-httpd.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStartPre=/bin/rm \
	-f %t/%n.ctr-id
ExecStart=/usr/bin/podman run \
	--cidfile=%t/%n.ctr-id \
	--cgroups=no-conmon \
	--rm \
	--sdnotify=conmon \
	--replace \
	--name=httpd \
	--hostname=httpd \
	-p 8081:80 \
	-v /var/local/httpd:/usr/local/apache2/htdocs:Z \
	-d docker.io/library/httpd
ExecStop=/usr/bin/podman stop \
	--ignore -t 10 \
	--cidfile=%t/%n.ctr-id
ExecStopPost=/usr/bin/podman rm \
	-f \
	--ignore -t 10 \
	--cidfile=%t/%n.ctr-id
Type=notify
NotifyAccess=all

[Install]
WantedBy=default.target

Cool, isn't it? You can see all the parameters available with a command by running podman generate systemd --help.

Now that you've generated the systemd service file with Podman, you won't run it manually anymore. Stop it like this:

$ podman stop httpd && podman rm -a && podman volume prune
httpd
16df315d3b23f41a70d1d3ffc11315c967cd213a107961df970327e85e62286f
WARNING! This will remove all volumes not used by at least one container. The following volumes will be removed:
No dangling volumes found

The next step is to create a ~/.config/systemd/user/ directory to hold the container-httpd.service file and reload the systemd daemon. You could also use the /etc/systemd/system directory, but only a privileged user can copy the systemd service file to this directory. Here are the commands:

$ mkdir -p ~/.config/systemd/user/

$ cp -Z container-httpd.service ~/.config/systemd/user/

$ ls ~/.config/systemd/user/
container-httpd.service

$ systemctl --user daemon-reload

It's almost done. Start the container with systemctl using the newly created systemd service and check if it's working properly:

$ systemctl --user start container-httpd.service

$ systemctl --user status container-httpd.service
● container-httpd.service - Podman container-httpd.service
     Loaded: loaded (/home/webuser/.config/systemd/user/container-httpd.service; disabled; vendor preset: disabled)
     Active: active (running) since Wed 2023-02-01 16:11:28 -03; 1min 13s ago
       Docs: man:podman-generate-systemd(1)
    Process: 4564 ExecStartPre=/bin/rm -f /run/user/1001/container-httpd.service.ctr-id (code=exited, status=0/SUCCESS)
   Main PID: 4600 (conmon)
      Tasks: 14 (limit: 4649)
     Memory: 4.6M
        CPU: 139ms
     CGroup: /user.slice/user-1001.slice/user@1001.service/app.slice/container-httpd.service
             ├─ 4585 /usr/bin/slirp4netns --disable-host-loopback --mtu=65520 --enable-sandbox --enable-seccomp --enable-ipv6 -c -e 3 -r 4 --netns-t>
             ├─ 4587 rootlessport
             ├─ 4592 rootlessport-child
             └─ 4600 /usr/bin/conmon --api-version 1 -c 81b6c1c3125bd9a10ad3bb5f62534cc01caf6e070a948be6ce0afa924d1b2b1b -u 81b6c1c3125bd9a10ad3bb5f>

…output omitted…

It seems to be working. To prove that, check the running container with Podman and try to curl your application again:

$ podman ps
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS            PORTS                 NAMES
81b6c1c3125b  docker.io/library/httpd:latest  httpd-foreground  2 minutes ago  Up 2 minutes ago  0.0.0.0:8081->80/tcp  httpd

$ curl -v http://localhost:8081
*   Trying 127.0.0.1:8081...
* Connected to localhost (127.0.0.1) port 8081 (#0)
> GET / HTTP/1.1
> Host: localhost:8081
> User-Agent: curl/7.82.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Wed, 01 Feb 2023 19:14:32 GMT
< Server: Apache/2.4.55 (Unix)
< Last-Modified: Fri, 07 Oct 2022 21:34:58 GMT
< ETag: "74-5ea7894e36d30"
< Accept-Ranges: bytes
< Content-Length: 116
< Content-Type: text/html
<
<html>
  <header>
    <title>Enable SysAdmin</title>
  </header>
  <body>
    <p>Hello World!</p>
  </body>
</html>
* Connection #0 to host localhost left intact

Bingo! You can now configure it to start and stop with your system by enabling it with systemctl:

$ systemctl --user enable container-httpd.service
Created symlink /home/webuser/.config/systemd/user/default.target.wants/container-httpd.service → /home/webuser/.config/systemd/user/container-httpd.service.

Put it to the test and reboot the system. If it's working correctly, when the system boots, the httpd container service should start using systemd. It should be active, enabled, and responsive. Confirm this with curl:

$ uptime
 16:16:47 up 36 min,  1 user,  load average: 0,00, 0,03, 0,16

# reboot

$ systemctl --user is-active container-httpd.service
active

$ systemctl --user is-enabled container-httpd.service
enabled

$ curl -v http://localhost:8081
*   Trying 127.0.0.1:8081...
* Connected to localhost (127.0.0.1) port 8081 (#0)
> GET / HTTP/1.1
> Host: localhost:8081
> User-Agent: curl/7.82.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Wed, 01 Feb 2023 19:20:18 GMT
< Server: Apache/2.4.55 (Unix)
< Last-Modified: Fri, 07 Oct 2022 21:34:58 GMT
< ETag: "74-5ea7894e36d30"
< Accept-Ranges: bytes
< Content-Length: 116
< Content-Type: text/html
<
<html>
  <header>
    <title>Enable SysAdmin</title>
  </header>
  <body>
    <p>Hello World!</p>
  </body>
</html>
* Connection #0 to host localhost left intact

$ podman ps
CONTAINER ID  IMAGE                           COMMAND           CREATED        STATUS            PORTS                 NAMES
c8a15a2853ac  docker.io/library/httpd:latest  httpd-foreground  3 minutes ago  Up 3 minutes ago  0.0.0.0:8081->80/tcp  httpd

It worked! You have a container configured with a web application running as if it were a standard systemd service. It remains persistent across reboots or terminal exits. The same procedure works for pods with a few minor changes, too.

But what if you no longer need that service? How do you remove its persistence? As a systemd service, you can stop and disable it like this:

$ systemctl --user stop container-httpd.service

$ podman ps
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

$ systemctl --user disable container-httpd.service
Removed /home/webuser/.config/systemd/user/default.target.wants/container-httpd.service.

As a final test, reboot the system again and ensure the application is not up:

$ uptime
 16:21:34 up 4 min,  1 user,  load average: 0,02, 0,10, 0,06

# reboot

$ uptime
 16:22:06 up 0 min,  1 user,  load average: 0,29, 0,06, 0,02

$ systemctl --user is-active container-httpd.service
inactive

$ systemctl --user is-enabled container-httpd.service
disabled

$ podman ps
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

$ curl -v http://localhost:8081
*   Trying 127.0.0.1:8081...
* connect to 127.0.0.1 port 8081 failed: Connection refused
*   Trying ::1:8081...
* connect to ::1 port 8081 failed: Connection refused
* Failed to connect to localhost port 8081 after 0 ms: Connection refused
* Closing connection 0
curl: (7) Failed to connect to localhost port 8081 after 0 ms: Connection refused

Gone with the wind! I hope I demonstrated clearly how the configuration and administration of persistent containers with systemd works.

I recommend you read these articles from my Enable Sysadmin colleagues that expand the ideas in this article:

• How to run pods as systemd services with Podman
• How to use auto-updates and rollbacks in Podman
• Mastering systemd: Securing and sandboxing applications and services
• Running containers with Podman and shareable systemd services

Wrap up

The powerful integration between Podman and systemd allows sysadmins to configure a container with a complete application solution that starts and stops automatically with the operating system.

Managing containers based on systemd units is mainly useful for basic and small deployments that do not need to scale. For more sophisticated scaling and orchestration of many container-based applications and services, consider an enterprise orchestration platform based on Kubernetes, such as Red Hat OpenShift Container Platform. I hope this article helps you understand this topic, supports your Linux certification path, and adds to your general sysadmin knowledge.