feat: add support for user units

Feature: The role can manage user units in addition to system units.  Each item
in each input list can be a string or a `dict` consisting of the item
(file, template, or unit), a user name, and a state (for files and templates).
The role will not create users and will give an error if a non-existent user
is specified.

Reason: The role should allow management of user units.

Result: The role can manage user units.

Signed-off-by: Rich Megginson <rmeggins@redhat.com>

Author: richm

README.md

@@ -24,6 +24,23 @@ ansible-galaxy collection install -vv -r meta/collection-requirements.yml
 
 List of variables consumed by the role follows, note that none of them is mandatory.
 
+Each of the variables can either be a list of strings, or a list of `dicts`.
+
+The list of strings form assumes that the items to be managed are system units
+owned by `root`, and for files, assumes that the files should be `present`.
+
+The list of `dict` form looks like this:
+
+```yaml
+systemd_unit_files:
+  - item: some.service
+    user: my_user
+    state: [present|absent]
+```
+
+Use the `dict` form to manage user units, and to remove unit files.  If using
+user units, the role will manage lingering for those users.
+
 ### systemd_unit_files
 
 List of systemd unit file names that should be deployed to managed nodes.
@@ -79,7 +96,7 @@ List of unit files that shall be unmasked via systemd.
 
 This variable is used to handle reboots required by transactional updates. If a transactional update requires a reboot, the role will proceed with the reboot if systemd_transactional_update_reboot_ok is set to true. If set to false, the role will notify the user that a reboot is required, allowing for custom handling of the reboot requirement. If this variable is not set, the role will fail to ensure the reboot requirement is not overlooked.
 
-Example of setting the variables:
+Example of setting the variables for the simple list of strings format:
 
 ```yaml
 systemd_unit_files:
@@ -96,12 +113,49 @@ systemd_enabled_units:
   - bar.service
 ```
 
+Example of setting the variables for the list of `dict` format:
+
+```yaml
+systemd_unit_files:
+  - item: foo.service
+    user: root
+    state: present
+  - item: bar.service
+    user: my_user
+    state: absent
+systemd_dropins:
+  - item: cups.service.conf.j2
+    user: root
+    state: present
+  - item: avahi-daemon.service.conf.j2
+    user: my_user
+    state: absent
+systemd_started_units:
+  - item: foo.service
+    user: root
+  - item: bar.service
+    user: my_user
+systemd_enabled_units:
+  - item: foo.service
+    user: root
+  - item: bar.service
+    user: my_user
+```
+
 ## Variables Exported by the Role
 
 ### `systemd_units`
 
-Variable shall contain a list of dictionaries where each entry describes state of one systemd unit
-present on the managed host.
+The variable is a `dict`.  Each key is the name of a systemd unit.  Each value
+is a dict with fields that describe the state of that systemd unit present on
+the managed host for the system scope.
+
+### `systemd_units_user`
+
+Variable shall contain a dict.  Each key is the name of a user given in one of
+the lists passed to the role, and `root` (even if `root` is not given).  Each
+value is a dict of systemd units for that user, or system units for `root`, in
+the format of `systemd_units` above.
 
 ## Example Playbook
 
@@ -112,7 +166,10 @@ present on the managed host.
     systemd_unit_file_templates:
       - foo.service.j2
     systemd_started_units:
-      - foo.service
+      - item: foo.service
+        user: root
+      - item: bar.service
+        user: my_user
     systemd_enabled_units:
       - foo.service
   roles:
@@ -130,3 +187,4 @@ MIT
 ## Author
 
 Michal Sekletar <msekleta@redhat.com>
+Rich Megginson <rmeggins@redhat.com>

tasks/cancel_linger.yml

@@ -0,0 +1,18 @@
+# SPDX-License-Identifier: MIT
+# Inputs:
+#   __systemd_user_info
+---
+- name: Check if linger for users can be cancelled
+  vars:
+    __systemd_linger_users: "{{ __systemd_user_info | dict2items |
+      rejectattr('key', 'match', '^root$') | list }}"
+  when: __systemd_linger_users | length > 0
+  block:
+    - name: Cancel linger for given user
+      include_tasks: cancel_linger_for_user.yml
+      vars:
+        __systemd_linger_data: "{{ __systemd_linger_user_data.value }}"
+        __systemd_linger_user: "{{ __systemd_linger_user_data.key }}"
+      loop: "{{ __systemd_linger_users }}"
+      loop_control:
+        loop_var: __systemd_linger_user_data

tasks/cancel_linger_for_user.yml

@@ -0,0 +1,53 @@
+# SPDX-License-Identifier: MIT
+# Inputs:
+#   __systemd_linger_user_data
+---
+- name: Get unit files for user
+  find:
+    path: "{{ __systemd_linger_data['units_dir'] }}"
+  register: __systemd_find
+
+- name: Cancel linger if no files
+  command: loginctl disable-linger {{ __systemd_linger_user | quote }}
+  changed_when: true
+  register: __systemd_cancel_linger
+  when: __systemd_find.matched == 0
+  args:
+    removes: /var/lib/systemd/linger/{{ __systemd_linger_user }}
+
+- name: Wait for user session to exit closing state  # noqa no-handler
+  command: loginctl show-user --value -p State {{ __systemd_linger_user | quote }}
+  register: __systemd_user_state
+  changed_when: false
+  until: __systemd_user_state.stdout != "closing"
+  when: __systemd_cancel_linger is changed
+  ignore_errors: true
+
+# see https://github.com/systemd/systemd/issues/26744#issuecomment-2261509208
+- name: Handle user stuck in closing state
+  vars:
+    __pat: "Failed to get user: User ID .* is not logged in or lingering"
+  when:
+    - __systemd_cancel_linger is changed
+    - __systemd_user_state is failed
+    - not __systemd_user_state.stderr is match(__pat)
+  block:
+    - name: Stop logind
+      service:
+        name: systemd-logind
+        state: stopped
+
+    - name: Wait for user session to exit closing state
+      command: loginctl show-user --value -p State {{ __systemd_linger_user | quote }}
+      changed_when: false
+      register: __systemd_user_state
+      until: __systemd_user_state.stderr is match(__pat) or
+        __systemd_user_state.stdout != "closing"
+      failed_when:
+        - not __systemd_user_state.stderr is match(__pat)
+        - __systemd_user_state.stdout == "closing"
+
+    - name: Restart logind
+      service:
+        name: systemd-logind
+        state: started

tasks/main.yml

@@ -133,3 +133,6 @@
   set_fact:
     systemd_units: "{{ ansible_facts['systemd_units']
       if 'systemd_units' in ansible_facts else {} }}"
+
+- name: Cancel linger for users if necessary
+  include_tasks: cancel_linger.yml

tasks/manage_unit_files.yml

@@ -79,3 +79,19 @@
             owner: "{{ item.user }}"  # only needed for daemon_reload which happens later
           loop: "{{ __systemd_absent }}"
           register: __systemd_unit_files_absent_result
+
+        - name: Find files in dropins directory
+          find:
+            path: "{{ __path }}"
+          loop: "{{ __systemd_absent }}"
+          when: __systemd_list_name == "systemd_dropins"
+          register: __systemd_find
+
+        - name: Remove dropin directory if no more files
+          file:
+            path: "{{ item['invocation']['module_args']['path'] }}"
+            state: absent
+          loop: "{{ __systemd_find.results | d([]) }}"
+          when:
+            - __systemd_list_name == "systemd_dropins"
+            - item.matched == 0

tests/tests_user_units.yml

@@ -223,6 +223,13 @@
               {{ '.'.join(__dest.split('.')[:-1]) }}.d/\
               99-override.conf"
 
+        - name: Verify no lingering
+          stat:
+            path: /var/lib/systemd/linger/{{ item.name }}
+          register: __stat
+          failed_when: __stat.stat.exists
+          loop: "{{ __users }}"
+
       rescue:
         - name: Get journald information
           command: journalctl -ex