Linux

Podman is purposefully built to rely on systemd for running containers at startup. It ties in with the daemonless and rootless conventions. It's also nice because systemd is already highly integrated with the rest of the OS, so doing things like making a container start up after a drive is mounted is trivial.

Podman has a command to generate systemd files for your containers, which you can then use immediately or make some minor tweaks to your liking.

I use podman for my homelab and enjoy it. I like the extra security and that it relies on standard linux systems like systemd and user permissions. It forces me to learn more about linux and things that apply to more than just podman. You can avoid a lot of trouble by running the containers as root and using network=host, but that takes away security and the fun of learning.

Writing systemd services for your containers is something yoully have to get used to with podman, pretty much. It's actually very easy with the built in command "podman generate systemd", so you can just do something like " podman generate systemd --name my-container > /etc/systemd/system". I much prefer managing my containers with systemd over the docker daemon. It's nice!

Also, podman can use privileged ports as root, right?

minor issue: it’s podman-compose instead of podman compose. The hyphen feels like a step back because we moved from docker-compose to docker compose. But thT’s not a real issue.

podman does not autostart containers after boot. You have to manually start them, or write a start script. Or create a systemd unit for each of them.

I'm also currently migrating all of my self-hosted services from docker to podman. Look into using Quadlet and systemd rather than podman-compose: https://www.redhat.com/sysadmin/quadlet-podman

Your Quadlet .container files will end up looking very similar to your docker compose files. Podman will automatically generate a systemd service unit for you if you drop the .container file in your user systemd unit directory ($HOME/.config/containers/systemd/) and run systemctl --user daemon-reload. Then starting the container on boot is as simple as systemctl --user enable --now containername.service.

This will not solve your rootful vs. rootless issues, as others have pointed out, but Quadlet/systemd is nice replacement for the service/container management layer instead of docker-compose/podman-compose

podman does not autostart containers after boot. You have to manually start them, or write a start script. Or create a systemd unit for each of them.

I have not yet tried podman, but I know that podman-compose used to have an option to generate systemd units for your pods: https://docs.podman.io/en/latest/markdown/podman-generate-systemd.1.html

Still, that option has been deprecated in favour of Podman Quadlet https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html

For the port thing, you can set the net.ipv4.ip_unprivileged_port_start sysctl to a lower value like 80 (may need to go lower if you also do email). It also applies to IPv6.

The default of 1024 is for security, but the actual security granted by it is not really that relevant nowadays. It stems from a time where ports < 1024 were used by machines to trust other machines using stuff like rsh & telnet, and before we considered man-in-the-middle attacks to be practical and relevant. Around the start of this millennium, we learned better. Nowadays we use SSH and everything is encrypted & authenticated.

The only particularly relevant risk is that if you lower it enough to also include SSH's default port 22, some rogue process at startup might make a fake SSH server. That would come along with the scary version of the "host key changed" banner so the risk is not that high. Not very relevant if you're following proper SSH security practices.

it’s podman-compose instead of podman compose

Don't use it, it's not a full replacement. The script is barely maintained and not really "official".

I think before switching from Docker to Podman you should first get proficient in Docker, because Podman is not for beginners (yet).

You can make actual docker compose use podman by running a user podman docker socket and setting that as an environment variable (export DOCKER_HOST=unix:///run/user/$UID/podman/podman.sock)

https://brandonrozek.com/blog/rootless-docker-compose-podman/

Podman isn't a replacement for docker. Its very similar syntax wise but its not a replacement.

The only thing I use podman for is Jellyfin and distrobox

For the low-port issue, maybe try something like how K8S tends to handle it:

• One container that is either rootful or allowed to use low ports. Run a reverse proxy like HAProxy or Envoy in this.
• All other containers for services, run on high ports, pointing to them in the reverse proxy container's config.
• Don't use bare http, unless required. Getting valid TLS certs is dead easy and free with LetsEncrypt.

The only reasons I ever use podman is that is efficient with resources, and at work we can't use Docker due to licensing purposes.

Why do you believe podman is more secure than root-less Docker? Please educate me.

I run root-ful and root-less Docker daemons at the same time on the same machine because there are limitations to what you can do without as root privileges. So where possible, containers run in root-less Docker and the lucky few that require root privileges run in root-ful Docker.

podman does not autostart containers after boot.

Does docker do this? I wrote a systemd unit for my docker container because I thought that there is no way for docker to autostart containers?

Podman compose isn't really usable for me