A collection of my rootless Podman container stacks, tested and running on Ubuntu 26.04 with Podman 5.7.0, with optional security additions that do not break the container.
All services use Quadlet files (~/.config/containers/systemd/) so they integrate natively with systemd and start automatically under your user.
Please visit the individual GitHub repos to find out more about how to configure them, recent changes and issues, and to give them stars.
- Rootless by default – every container runs without any root privileges, even during setup.
- Arguably safer than Docker – Podman's daemonless architecture and user-namespace isolation reduce the attack surface. No privileged `dockerd` socket, no "root equivalent" container escapes.
- Quadlet for systemd – no need for podman-compose; just drop a `.container` file and enable it with `systemctl --user`.
- Podman is gaining traction, and rootless mode is finally production-ready for most workloads.
- There are good arguments on both sides for rootless vs. rootful mode. I am not advocating one position over the other. I offered these rootless Podmans for those interested in exploring rootless, as I have spent many hours ironing out the network and user id issues that come with rootless.
Each directory below contains a Quadlet .container file and optional notes.
- Hardening options (like `no-new-privileges`, read-only rootfs, `security-opt`) are commented out by default – uncomment what you need.
- Temporary drives (`tmpfs`, `:Z` volume flags) are also commented out for clarity but should be strongly considered for containers with frequent HDD/SSD reads/writes, and must be uncommented if using `ReadOnly`.
```bash
sudo apt update
sudo apt install podman
```
No Docker or docker-compose needed. Podman includes all the tools.
This allows your user’s systemd session to run even when you are not logged in, so containers start automatically at system boot.
```bash
sudo loginctl enable-linger $USER
```
Verify with `loginctl show-user $USER | grep Linger` – it should show `Linger=yes`.
This repo uses separate .env files for secrets (passwords, API keys). Never commit the real .env files — only the .env.example templates are stored here.
After you copy an .env.example to .env and fill it in, lock it down immediately so that if a container is compromised, the secrets remain unreadable:
```bash
sudo chmod 600 ~/.config/containers/systemd/*.env
```
This ensures only your user can read the files — not the container’s processes, and not other users on the system.
```bash
mkdir -p ~/.config/containers/systemd
```
If the directory already exists, that’s fine.
Navigate to the service directory you want, then copy the .container file:
```bash
cp ~/rootless-podman-quadlets/vert/vert.container ~/.config/containers/systemd/
```
Edit the file with nano (without sudo – it’s your user dir):
```bash
nano ~/.config/containers/systemd/vert.container
```
Adjust volumes, environment variables, or uncomment hardening options as needed.
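What the edited unit looks like with the hardening options from the notes above uncommented, as an added example (this is not the repository's own `vert.container`): the image reference, the published port and the `/data` path inside the container are placeholders or assumptions; the host paths, the `.env` handling and the hardening keys are the ones this README describes.

```ini
# ~/.config/containers/systemd/vert.container  (added example, not the repo's own file)
[Unit]
Description=vert (rootless, hardened Quadlet)
After=network-online.target
Wants=network-online.target

[Container]
# PLACEHOLDER image reference: substitute the image named in the service's notes.
Image=docker.io/PLACEHOLDER/vert:latest
ContainerName=vert
AutoUpdate=registry

# Secrets come from the chmod-600 .env file (never committed); a relative
# path is resolved relative to this unit's directory.
EnvironmentFile=vert.env

# Assumed port. Stay above 1024, or apply the ip_unprivileged_port_start
# sysctl from the troubleshooting notes. Bound to loopback for a reverse proxy.
PublishPort=127.0.0.1:3000:3000

# Persistent data stays on the host; :Z relabels for SELinux hosts and is
# harmless on Ubuntu's AppArmor. Container-side path /data is an assumption.
Volume=%h/containers/vert:/data:Z

# --- Hardening: the repo ships these commented out; they are enabled here ---
# Block privilege escalation through setuid/setcap binaries inside the container.
NoNewPrivileges=true
# Immutable root filesystem: anything the app must write needs a Tmpfs or Volume.
ReadOnly=true
Tmpfs=/tmp:rw,noexec,nosuid,size=64m
Tmpfs=/run
# Start from zero capabilities; add back (AddCapability=) only what the image needs.
DropCapability=ALL

[Service]
Restart=always
# Leave time for the first image pull when systemd pulls it on start.
TimeoutStartSec=900

[Install]
WantedBy=default.target
```

After `systemctl --user daemon-reload && systemctl --user restart vert`, confirm the settings took effect with `podman inspect vert --format '{{.HostConfig.ReadonlyRootfs}} {{.HostConfig.CapDrop}}'`. If the service then fails to start, check `journalctl --user -u vert` for a write to a path that needs its own `Tmpfs=` or `Volume=` line before loosening anything else.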
Quadlet automatically creates a systemd service from the .container file:
```bash
systemctl --user daemon-reload
```
Then pull the image (optional but gives you immediate feedback):
```bash
podman pull <image-name>
# or let systemd pull it on start
systemctl --user start vert
```
Check status:
```bash
systemctl --user status vert
podman ps
```
The service will survive reboots and log to the journal (`journalctl --user -u vert` or `podman logs vert`).
Your persistent data lives in the volumes you defined (e.g., ~/containers/vert/).
To back up a container’s state:
```bash
podman stop vert
tar -czf vert ~/containers/vert/
```
The Quadlet file itself is your “infrastructure as code” – keep it safe in this git repo.
- `systemctl --user` commands fail with `Failed to connect to bus`: make sure your user session is running `systemd --user`. Usually it's automatic on login, but if not: `systemctl --user start default.target`.
- Linger is not enabled / containers don't start at boot: run `sudo loginctl enable-linger $USER` to allow the user manager to run at boot without a login. This is mandatory for unattended servers.
- Ports below 1024: rootless Podman can't bind to privileged ports by default. Add `net.ipv4.ip_unprivileged_port_start=80` to `/etc/sysctl.d/99-rootless.conf` and reboot, or use a high port with a reverse proxy.
- `WARN[0000] Failed to load cached network config`: harmless; happens when networks are recreated. Ignore unless connectivity breaks.
These configurations were tested on Ubuntu 26.04 with Podman 5.7.0 (apt installed) on an Intel NUC 13i7 with 64 GB of memory and a 2 TB NVMe SSD. They should work on any recent systemd distro with a Podman version ≥ 4.4, but your mileage may vary.