Podman

Is a container runtime that allows for running containers without root access.

Creating systemd units for podman containers

Use podman generate systemd to generate systemd unit files for containers. In all below commands, the unit file is just sent to stdout.

• Unit file that starts/stops a container: podman start on unit start, and podman stop on unit stop.

  podman generate systemd --name <container>
  

• Unit file that creates/removes a container: podman run on unit start, and podman stop; podman rm on unit stop.

  podman generate systemd --new --name <container>
  

Auto-updating containers

Podman can auto-update containers when the image on the registry changes:

1. Add the following when creating the container

   --label "io.containers.autoupdate=image"
   

2. Manage the container with a systemd unit created with --new.

The container should now auto-update whenever it is restarted.

Source

Using docker-compose files

Normal docker-compose actually works with podman but requires some setup. Instead, there is: GitHub - containers/podman-compose: a script to run docker-compose.yml using podman

Volumes under SELinux

SELinux is (as usual) pretty annoying. It won’t let you access any volume, unless it is mounted with the :z volume option. Like this:

podman run ... -v host_name:container_name:z

This will allow any container to access the directory. You can also use the :Z (capital Z) volume option to allow only this container to access it.

References

• Containers, volumes and file permissions – Ice and Fire – by J‑C Berthon
• Podman volumes and SELinux | Just another Linux geek