Recommended approach for rootless podman-container with custom users?

TornaxO7 · January 29, 2026, 2:16pm

I’m trying to create a rootless podman container with the following module:

{ root-domain, ... }:
let
  domain = root-domain;
in
{
  users = {
    users.website = {
      isSystemUser = true;
      home = "/var/lib/website/public";
      createHome = true;
      linger = true;
      group = "website";
    };

    groups.website = { };
  };

  virtualisation.oci-containers.containers.website = {
    image = "joseluisq/static-web-server:latest";

    podman.user = "website";

    volumes = [
      "/var/lib/website/public:/public:ro"
    ];

    labels = {
      "traefik.enable" = "true";
      "traefik.http.routers.website.rule" = "Host(`${domain}`)";
      "traefik.http.routers.website.service" = "website";
      "traefik.http.services.website.loadbalancer.server.port" = "80";
    };
  };
}

But if I execute nixos-rebuild build, I’m getting the following warning:

trace: evaluation warning: Podman container website is configured as rootless (user website)
with `--sdnotify=conmon`, but lingering for this user is turned on.

What is the recommended way to fix that?

Shawn8901 · January 29, 2026, 2:21pm

Not an expert here, but often it’s worth to check the code

The warning is raised here nixpkgs/nixos/modules/virtualisation/oci-containers.nix at bfc1b8a4574108ceef22f02bafcf6611380c100d · NixOS/nixpkgs · GitHub

So the option in question is users.users.<name>.linger as far as I can see.

In your code you explicitly set linger to true, the module does not like that.

TornaxO7 · January 29, 2026, 2:22pm

Yes, but if I’m understanding it correctly, I do require linger = true because otherwise a session wouldn’t be started during boot for the user, which also means that the container wouldn’t be able to do so.

Shawn8901 · January 29, 2026, 2:25pm

Might worth to cross-check the blame of the code in question, maybe the PR adding that check give additional context.

Please choose the right branch for your channel, otherwise the code might be not up2date

TornaxO7 · January 29, 2026, 2:28pm

Please choose the right branch for your channel, otherwise the code might be not up2date

What do you mean with “channel”?

NobbZ · January 29, 2026, 2:58pm

The release channel you use to build your system from, be it nixos-25.05, nixos-25.11, nixos-unstable or whatever else.

TornaxO7 · January 29, 2026, 2:59pm

oh. Well then: I’m using nixos-25.11

NobbZ · January 29, 2026, 3:18pm

25.11 has this:

github.com/NixOS/nixpkgs

nixos/modules/virtualisation/oci-containers.nix

fa83fd837


      
          ++ lib.optional (podman.user != "root" && linger && podman.sdnotify == "conmon") ''
            Podman container ${name} is configured as rootless (user ${podman.user})
            with `--sdnotify=conmon`, but lingering for this user is turned on.
          ''

on unstable this got removed in 2bf57f021280

You can try to use the unstable module, or a vendored stable version that has only the relevant changes. Alternatively you can change to unstable.