Rootless podman on Debian Bullseye

Posted on Tue 03 January 2023 in linux

My home server already uses LXC containers. I use them to keep services isolated, so that I can upgrade my mail server without causing issues for my Nextcloud setup. But these containers contain a full OS inside them. And while this works, it's a bit of work to upgrade a handful of containers every few months. Docker-style containers should be a better fit for this single-service-per-container setup.

After reading up a bit, I decided to go for podman. I was mostly convinced by the ability to run rootless, but it seems Docker is getting that as well.

Rootless networking

In my LXC setup, every container gets its own veth-based network interface. On the host, these veth interfaces are bridged together with the physical network card. That way, every container gets its own MAC and IP(v6) address.

But since we're running as a normal user, podman can't create a veth pair. It was very interesting to learn how podman solved this: slirp4netns, with some netns and tap magic!

The result isn't exactly equivalent to what I had on the LXC side: the containers do have their own IP, but it's not exposed to the outside world. I found a mailing list post describing how to roll my own, but I haven't figured out yet how to combine this with DHCP...

Compose

Podman has its own docker-compose equivalent. Unsurprisingly, it's called podman-compose, but is otherwise very similar.

I didn't find a ready-made way to auto-start a service, so I rolled my own systemd service which I put in ~/.config/systemd/user/podman-compose.service:

[Unit]
Description=Rootless pod (podman-compose)

[Service]
Type=oneshot
RemainAfterExit=true
WorkingDirectory=%h
ExecStart=/usr/local/bin/podman-compose up -d --remove-orphans
ExecStop=/usr/local/bin/podman-compose down

[Install]
WantedBy=default.target

This will run compose.yaml from the home directory of the user.
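As an added example (not part of the original post), here is a small install script for that unit which also checks the two things that usually keep a rootless podman service from coming up at boot, and which the post does not cover: the user needs subuid/subgid ranges for rootless podman, and the user's systemd instance only runs without a login session when lingering is enabled. It assumes the unit above is saved as ./podman-compose.service; SUBID_MIN is our own threshold.

```shell
#!/bin/sh
# Added example, not the post's own code. Installs the podman-compose user
# unit and checks rootless/autostart prerequisites first.
set -eu

SUBID_MIN=65536   # ids a rootless container needs for a full uid/gid map

# has_subid_range FILE USER: succeed when FILE (/etc/subuid or /etc/subgid,
# lines of the form name:start:count) grants USER at least SUBID_MIN ids.
has_subid_range() {
    file=$1; user=$2
    [ -r "$file" ] || return 1
    awk -F: -v u="$user" -v min="$SUBID_MIN" '
        $1 == u && $3 + 0 >= min { ok = 1 }
        END { exit ok ? 0 : 1 }' "$file"
}

# linger_enabled USER: true when logind keeps the user's systemd instance
# running without a login session (what makes default.target start at boot).
linger_enabled() {
    [ -e "/var/lib/systemd/linger/$1" ]
}

# install_unit SRC: copy the unit into the user unit directory and enable it.
install_unit() {
    dest="$HOME/.config/systemd/user/podman-compose.service"
    mkdir -p "$(dirname "$dest")"
    cp "$1" "$dest"
    systemctl --user daemon-reload
    systemctl --user enable --now podman-compose.service
}

main() {
    me=$(id -un)
    for f in /etc/subuid /etc/subgid; do
        has_subid_range "$f" "$me" || {
            echo "no ${SUBID_MIN}-id range for $me in $f (see usermod --add-subuids/--add-subgids)" >&2
            exit 1
        }
    done
    linger_enabled "$me" || \
        echo "hint: run 'sudo loginctl enable-linger $me' so the pod starts at boot" >&2
    install_unit ./podman-compose.service
}

# Only touch the system when invoked as: sh install-pod.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```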