Docker is the past for containers. Even if client "docker" can run as rootless (without root privileges) on host (laptop), but its engine "dockerd" MUST be run as ROOT on the host (dangerous).
The future for managing containers (builds + runs + distributes etc) is "podman". BOTH its engine and container builder (run/build/delete/commit/ etc) runs rootLESS, so better protection.
The drill is similar like:
1. grab an image (already build for you by others, even signed) from dedicated servers (named repository).
-- or you can build yourself from pieces, the same like Tinyocre core.gz is done.
-- FYI: the image could be just a tarball, what matters is to have inside the root files (like root.gz) AND the package manager (like tce-load).
2. the container is then build from this image as a base + extra layers (you add using the package manager, for example). All is automatically, next to nothing to learn (joke of course).
Example-1: run a busybox (dynamically linked to libc) in a container.
so, one command to "download" a rootfs one time only (because will be cached on host) and auto-open a terminal with busybox 1.37
podman run -rm -it docker.io/busybox
Example-2: run dillo (dynamically linked to musl) in a container.
two command only, one to download an already build minimal Alpine-Linux with its apk (package manager), and a second command from inside the container, to run dillo, its GUI will be seen on host.
podman run --rm -it -e DISPLAY -v $XAUTHORITY:/root/.Xauthority:ro -v /tmp/.X11-unix:/tmp/.X11-unix:ro --net=host docker.io/alpine
(from container): apk add dillo & dillo
FYI:
"-rm" means remove container (but keep it basic image) so you loose "dillo and its dependency" but start fresh next time;
"-it" means open a terminal with a shell
"apk add dillo", is like tce-load -iw dillo.tcz
The great thing is that you can SAVE what you already build as a NEW image, and next time you continue to build over this "layer". Example: in the container with dillo you can add "netsurf" without downloading initial Apline and without adding dillo, because all is cached locally, layered.
So basically you can run in parallel many containers: one with just dillo inside, other with just GCC (tools for compile anything), or even a full OS inside container. All container are isolated between them and between host by default. But of course you can mount some "volumes" (basicaly host folder) to output what you created inside the container.
Enjoy podman (= Pod Manager, with pod = groups of containers, and container = image + layers like Qemu QCOW).
Welcome
FAQ
Downloads
Wiki
