PodMan, the future for rootless containers

[nick65go]

Docker is the past for containers. Even if client "docker" can run as rootless (without root privileges) on host (laptop), but its engine "dockerd" MUST be run as ROOT on the host (dangerous).

The future for managing containers (builds + runs + distributes etc) is "podman". BOTH its engine and container builder (run/build/delete/commit/ etc) runs rootLESS, so better protection.
The drill is similar like:
1. grab an image (already build for you by others, even signed) from dedicated servers (named repository).
 -- or you can build yourself from pieces, the same like Tinyocre core.gz is done.
 -- FYI: the image could be just a tarball, what matters is to have inside the root files (like root.gz) AND the package manager (like tce-load).

2. the container is then build from this image as a base + extra layers (you add using the package manager, for example). All is automatically, next to nothing to learn (joke of course).

Example-1: run a busybox (dynamically linked to libc) in a container.
so, one command to "download" a rootfs one time only (because will be cached on host) and auto-open a terminal with busybox 1.37

Code: [Select]

podman run -rm -it docker.io/busybox
Example-2: run dillo (dynamically linked to musl) in a container.
two command only, one to download an already build minimal Alpine-Linux with its apk (package manager), and a second command from inside the container, to run dillo, its GUI will be seen on host.

Code: [Select]

podman run --rm -it -e DISPLAY -v $XAUTHORITY:/root/.Xauthority:ro -v /tmp/.X11-unix:/tmp/.X11-unix:ro --net=host docker.io/alpine
(from container): apk add dillo & dillo
FYI:
 "-rm" means remove container (but keep it basic image) so you loose "dillo and its dependency" but start fresh next time;
 "-it" means open a terminal with a shell
 "apk add dillo", is like tce-load -iw dillo.tcz

The great thing is that you can SAVE what you already build as a NEW image, and next time you continue to build over this "layer". Example: in the container with dillo you can add "netsurf" without downloading initial Apline and without adding dillo, because all is cached locally, layered.

So basically you can run in parallel many containers: one with just dillo inside, other with just GCC (tools for compile anything), or even a full OS inside container. All container are isolated between them and between host by default. But of course you can mount some "volumes" (basicaly host folder) to output what you created inside the container.

Enjoy podman (= Pod Manager, with pod = groups of containers, and container = image + layers like Qemu QCOW).

[nick65go]

As this forum is for TC users, I did not touch Podman capabilities like system-d, SELinux, kubernets, podman GUI, etc

But podman has a very comprehensive documentation and tutorials, and man pages etc.
https://docs.podman.io/en/latest/
https://docs.podman.io/en/latest/markdown/podman-run.1.html
https://github.com/containers/podman

FYI: a lot of (bullshit) marketing, but very strong points about Podman versus Docker
https://www.redhat.com/en/topics/containers/what-is-podman

"you can also take advantage of Podman Desktop, a graphical user interface (GUI) for using Podman in local environments,
 - optionaly, Podman launches each container with a Security-Enhanced Linux (SELinux) label...
 - Users can easily switch between them by aliasing Docker to Podman (alias docker=podman) and vice versa. -easy learning curve
- using Docker during the development stage and transferring their program to Podman in runtime environments 
- Podman is best suited for developers running containers without Kubernetes..."

[gadget42]

i found this webpage interesting and it does reference gitlab but doesn't reference shithub:

https://bluelight.co/blog/how-to-choose-a-container-registry

https://hjgit.org/static/guide.html

https://shithub.us/

20250929-0050am-cdt-usa-modified: adding *no affiliation(s) with _any_ of the above*