Podman

Podman rootless containers, pod management, and systemd integration.

Rootless Container Basics

Run containers without root
podman run -d --name webserver -p 8080:80 nginx:1.25-alpine
podman run --rm -it alpine:3.19 sh
podman run -v "$(pwd)":/app:Z -w /app node:20 npm test   # :Z for SELinux relabel
Podman is daemonless. Each container runs as a direct child process. No daemon means no single point of failure.
Container lifecycle
podman ps -a                           # list all containers
podman stop webserver
podman rm webserver
podman rm -af                          # remove all containers (force)

Image Management

Pull, build, list images
podman pull docker.io/library/nginx:1.25-alpine     # explicit registry
podman build -t myapp:v1.0 .
podman images
podman rmi myapp:v1.0
Inspect image layers
podman inspect nginx:1.25-alpine --format '{{.Config.Cmd}}'
podman image tree nginx:1.25-alpine    # show layer hierarchy
podman history nginx:1.25-alpine       # layer-by-layer build history

Exec and Logs

Debug running containers
podman exec -it webserver sh
podman logs -f --tail 100 webserver
podman logs --since 5m webserver

Pods

Multi-container pods (like Kubernetes)
podman pod create --name mypod -p 8080:80
podman run -d --pod mypod --name web nginx:1.25-alpine
podman run -d --pod mypod --name sidecar busybox sleep 3600
podman pod ps                          # list pods
podman pod stop mypod
podman pod rm mypod
Containers in a Podman pod share a network namespace, just like Kubernetes pods. Containers in the same pod communicate over localhost.

Systemd Integration

Generate systemd unit files from running containers
podman generate systemd --new --name webserver > ~/.config/systemd/user/webserver.service
systemctl --user daemon-reload
systemctl --user enable --now webserver.service
systemctl --user status webserver.service
Quadlet files (Podman 4.4+, preferred over generate systemd)
# Place .container files in ~/.config/containers/systemd/
# Podman auto-generates systemd units from these
systemctl --user daemon-reload
systemctl --user start webserver       # name from .container filename
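A .container file for the webserver container from the first section, written by a small shell function. This is an added example, not part of the original page: the helper name write_webserver_quadlet, the unit description, the restart policy and the NoNewPrivileges line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: Quadlet unit equivalent to
#   podman run -d --name webserver -p 8080:80 nginx:1.25-alpine
# write_webserver_quadlet is a hypothetical helper name.

write_webserver_quadlet() {
    # Rootless Quadlet directory named above; pass another path to override.
    dir="${1:-$HOME/.config/containers/systemd}"
    unit="$dir/webserver.container"

    mkdir -p "$dir" || return 1

    # Quoted heredoc delimiter: the shell expands nothing inside the unit.
    cat > "$unit" <<'EOF' || return 1
[Unit]
Description=nginx webserver (rootless Podman, Quadlet)

[Container]
Image=docker.io/library/nginx:1.25-alpine
ContainerName=webserver
# Same mapping as -p 8080:80; write 127.0.0.1:8080:80 to listen on loopback only.
PublishPort=8080:80
# Hardening added for this example, not taken from the page.
NoNewPrivileges=true

[Service]
Restart=on-failure

[Install]
# Start with the user's systemd instance.
WantedBy=default.target
EOF

    # Keep the unit writable by its owner only.
    chmod 0644 "$unit" || return 1
    printf '%s\n' "$unit"
}
```

Call write_webserver_quadlet, then run the two systemctl commands above. A rootless user service stops when the user's last session ends unless lingering is enabled with loginctl enable-linger.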

Volumes and Networking

Named volumes
podman volume create appdata
podman run -d -v appdata:/data myapp
podman volume ls
podman volume inspect appdata
Networking
podman network create app-net
podman network ls
podman run -d --network app-net --name svc myapp
podman network inspect app-net

Cleanup

Prune unused resources
podman system prune -af                # remove all unused containers + images
podman system df                       # show disk usage
podman volume prune                    # remove unused volumes

Docker Compatibility

Podman as Docker drop-in
alias docker=podman                    # most Docker commands work as-is
podman-compose up -d                   # compose support via podman-compose
podman system service --time=0 &       # start API socket for Docker-compatible tools