TL;DR
Podman is a daemonless, rootless container engine that provides a Docker-compatible CLI without requiring a persistent background daemon. Developed by Red Hat, Podman runs containers as regular user processes using user namespaces, dramatically reducing the attack surface compared to Docker. Podman natively supports pods (groups of containers sharing namespaces), can generate and consume Kubernetes YAML, integrates with systemd via Quadlet for production services, and uses Buildah for OCI-compliant image building. In 2026, Podman 5.x is the default container runtime on Fedora, RHEL, and CentOS Stream, and Podman Desktop provides a cross-platform GUI. For teams prioritizing security, Kubernetes alignment, and daemon-free operation, Podman is the leading container engine.
Key Takeaways
- Podman is daemonless β no root daemon process, containers run as child processes of the user
- Rootless containers use user namespaces for superior security without requiring root privileges
- Docker-compatible CLI β alias docker=podman works for most workflows
- Native pod support groups containers sharing network and IPC namespaces, matching Kubernetes pod concepts
- podman generate kube and podman play kube bridge local development to Kubernetes deployment
- Systemd integration via Quadlet turns containers into native Linux services with auto-update capabilities
Podman (Pod Manager) is an open-source container engine developed by Red Hat that has become the default container tool on RHEL, Fedora, and CentOS Stream. Unlike Docker, Podman operates without a central daemon process β each container runs as a direct child process of the user who started it. This architecture eliminates the single-point-of-failure daemon and enables true rootless container execution. With over 25,000 GitHub stars, a Docker-compatible CLI, native pod support, and deep Kubernetes integration, Podman has matured into a production-grade container platform. This guide covers everything from installation to production deployment.
What Is Podman and Why Daemonless Containers Matter
Podman is an OCI-compliant container engine that manages containers, pods, and images. The critical difference from Docker is architecture: Docker uses a client-server model where the Docker CLI communicates with a long-running dockerd daemon (typically running as root). Podman eliminates this daemon entirely β when you run podman run, the container process is forked directly as a child process.
This daemonless design has profound security implications. There is no privileged daemon that, if compromised, grants root access to the host. Containers are isolated within the user's process tree. There is no single point of failure β one crashing container cannot bring down a daemon that manages all others.
- No daemon β containers are forked as direct child processes
- Rootless by default via user namespaces
- Docker-compatible CLI β drop-in replacement
- Native pod concept β shared network/IPC/PID namespaces
- Kubernetes YAML generation and consumption
- Buildah integration for OCI image building
- Systemd Quadlet integration for production services
Podman vs Docker vs containerd vs nerdctl
Understanding the container tool landscape helps you choose the right engine for your infrastructure.
| Feature | Podman | Docker | containerd | nerdctl |
|---|---|---|---|---|
| Daemon required | No (daemonless) | Yes (dockerd) | Yes (containerd) | Uses containerd |
| Rootless support | Native (default) | Experimental | Via rootlesskit | Via rootlesskit |
| CLI compatibility | Docker-compatible | docker CLI | ctr (low-level) | Docker-compatible |
| Pod support | Native pods | No | No | No |
| K8s YAML generation | generate/play kube | No | No | No |
| Compose support | podman-compose / docker-compose | docker compose (built-in) | No | nerdctl compose |
| Image building | Buildah (integrated) | BuildKit (built-in) | No (needs buildkit) | BuildKit |
| Systemd integration | Quadlet (native) | Manual unit files | Manual | Manual |
| Desktop GUI | Podman Desktop | Docker Desktop | No | No |
| License | Apache 2.0 | Apache 2.0 (Engine) | Apache 2.0 | Apache 2.0 |
Installation
Podman is available on all major platforms and pre-installed on Fedora, RHEL 8+, and CentOS Stream.
Fedora / RHEL / CentOS
# Pre-installed on Fedora/RHEL 8+/CentOS Stream
podman --version
# If not installed
sudo dnf install -y podman podman-compose buildah skopeoUbuntu / Debian
# Ubuntu 22.04+ / Debian 12+
sudo apt update && sudo apt install -y podman
# For older Ubuntu, add the Kubic repository
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.opensuse.org/repositories/\
devel:kubic:libcontainers:unstable/xUbuntu_22.04/Release.key \
| gpg --dearmor | sudo tee /etc/apt/keyrings/devel_kubic.gpg > /dev/null
sudo apt update && sudo apt install -y podmanmacOS (Homebrew)
# Install Podman via Homebrew
brew install podman
# Initialize and start the Linux VM
podman machine init
podman machine start
# Verify installation
podman info
podman run hello-world
# Optional: Install Podman Desktop GUI
brew install --cask podman-desktopWindows
# Install via winget
winget install RedHat.Podman
# Initialize and start the machine
podman machine init
podman machine start
# Install Podman Desktop
winget install RedHat.Podman-DesktopPodman Basics: Docker-Compatible CLI
Podman intentionally mirrors Docker's CLI. If you know Docker, you already know Podman. You can even alias docker=podman.
Running Containers
# Run a container (identical to Docker syntax)
podman run -d --name webserver -p 8080:80 nginx:alpine
# Run interactively
podman run -it --rm ubuntu:24.04 bash
# With environment variables and volume
podman run -d --name postgres \
-e POSTGRES_PASSWORD=secret \
-e POSTGRES_DB=myapp \
-v pgdata:/var/lib/postgresql/data \
-p 5432:5432 \
postgres:16-alpine
# With resource limits
podman run -d --name app \
--memory=512m --cpus=1.5 \
--restart=always \
myapp:latestManaging Containers and Images
# Container management
podman ps # list running
podman ps -a # list all
podman stop/start/restart webserver
podman logs -f webserver # follow logs
podman exec -it webserver sh # shell into container
podman inspect webserver
podman rm -f webserver
podman container prune
# Image management
podman pull docker.io/library/nginx:alpine
podman images
podman search nginx
podman tag nginx:alpine myregistry.io/nginx:v1
podman push myregistry.io/nginx:v1
podman rmi nginx:alpine
podman image prune -aRootless Containers: Security Without Root
Rootless containers are Podman's flagship feature. They run entirely without root privileges using Linux user namespaces. The container sees itself as root (UID 0) inside, but on the host it maps to an unprivileged user ID.
Even if an attacker escapes the container, they land as an unprivileged user β not root. Combined with SELinux, seccomp, and capabilities dropping, rootless Podman provides defense in depth.
# Verify rootless setup
podman unshare cat /proc/self/uid_map
# Check subuid/subgid allocation
cat /etc/subuid # username:100000:65536
cat /etc/subgid # username:100000:65536
# If missing, add entries
sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER
podman system migrate
# User namespace mapping:
# Host UID 1000 -> Container UID 0 (root)
# Host UID 100000 -> Container UID 1
# Host UID 165535 -> Container UID 65536
# Verify: container sees root, host sees your UID
podman run --rm alpine id # uid=0(root)
podman top <ctr> user huser # root -> 1000Podman Compose vs Docker Compose
Podman supports two Compose approaches: podman-compose (standalone Python tool) or Docker Compose v2 via Podman's compatibility socket.
# Option 1: Install and use podman-compose
pip install podman-compose
podman-compose up -d
podman-compose logs -f
podman-compose down
# Option 2: Use docker-compose with Podman socket
systemctl --user enable --now podman.socket
export DOCKER_HOST=unix:///run/user/\$(id -u)/podman/podman.sock
# Now docker-compose works with Podman backend
docker-compose up -d
docker-compose ps
docker-compose down# docker-compose.yml (works with both)
version: "3.9"
services:
app:
image: node:20-alpine
ports: ["3000:3000"]
environment:
- DATABASE_URL=postgresql://user:pass@db:5432/mydb
depends_on: [db, redis]
db:
image: postgres:16-alpine
environment:
POSTGRES_USER: user
POSTGRES_PASSWORD: pass
volumes: [pgdata:/var/lib/postgresql/data]
redis:
image: redis:7-alpine
volumes:
pgdata:Pod Management
Pods are Podman's unique feature β they group containers sharing network, IPC, and optionally PID namespaces, mirroring Kubernetes pods.
# Create a pod with port mapping
podman pod create --name webapp -p 8080:80 -p 5432:5432
# Add containers to the pod
podman run -d --pod webapp --name webapp-nginx nginx:alpine
podman run -d --pod webapp --name webapp-db \
-e POSTGRES_PASSWORD=secret postgres:16-alpine
# Containers in a pod share localhost
# nginx reaches postgres at localhost:5432
podman run -d --pod webapp --name webapp-app \
-e DATABASE_URL=postgresql://user:pass@localhost:5432/mydb myapp:latest
# Manage pods
podman pod ls
podman pod inspect webapp
podman ps --pod --filter pod=webapp
podman pod stop webapp && podman pod rm webappKubernetes YAML Generation
Podman can generate Kubernetes YAML from running containers or pods, and deploy Kubernetes YAML locally β bridging local development and production.
# Generate Kubernetes YAML from a pod
podman generate kube webapp > webapp.yaml
podman generate kube webapp -s > webapp-with-service.yaml
# Deploy Kubernetes YAML locally
podman play kube webapp.yaml
podman play kube --down webapp.yaml # tear down
podman play kube --replace webapp.yaml # update
# Deploy with configmap
podman play kube webapp.yaml --configmap=config.yaml
# Workflow: develop locally -> export -> test -> deploy
# 1. podman pod create / podman run --pod ...
# 2. podman generate kube webapp > webapp.yaml
# 3. podman play kube webapp.yaml (local test)
# 4. kubectl apply -f webapp.yaml (deploy to K8s cluster)Building Images: Buildah Integration
Podman uses Buildah under the hood for image building. Buildah supports Dockerfiles (Containerfiles) and a scriptable shell interface for fine-grained layer control.
# Containerfile (identical to Dockerfile syntax)
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
FROM node:20-alpine
WORKDIR /app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
RUN addgroup -S app && adduser -S app -G app
USER app
EXPOSE 3000
CMD ["node", "dist/index.js"]# Build commands
podman build -t myapp:latest .
podman build -t myapp:prod -f Containerfile.prod .
podman build --build-arg NODE_ENV=production -t myapp:prod .
podman build --no-cache -t myapp:latest .# Go application β multi-stage with scratch
FROM golang:1.23-alpine AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -o /app/server ./cmd/server
FROM scratch
COPY --from=build /app/server /server
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
EXPOSE 8080
ENTRYPOINT ["/server"]Podman Desktop and Podman Machine
Podman Desktop is an open-source cross-platform GUI for managing containers, pods, images, and Kubernetes clusters. On macOS and Windows, Podman Machine manages a lightweight Linux VM transparently so the experience feels native.
# Install Podman Desktop
brew install --cask podman-desktop # macOS
winget install RedHat.Podman-Desktop # Windows
flatpak install flathub io.podman_desktop.PodmanDesktop # Linux
# Features: container/pod management, image building,
# Kubernetes cluster connection, extension ecosystem
# (Kind, Minikube, OpenShift), Docker Desktop migration# Podman Machine β VM management for macOS/Windows
podman machine init --cpus 4 --memory 4096 --disk-size 60
podman machine start
podman machine ls
podman machine ssh # SSH into the VM
podman machine set --rootful # enable rootful mode
podman machine stop
podman machine rm # remove and recreate if issues
podman machine init && podman machine startNetworking: Netavark and DNS
Podman 4+ uses Netavark as its default networking stack with Aardvark-dns for built-in DNS resolution, replacing CNI plugins with better performance and simpler configuration.
# Create custom network
podman network create mynet
podman network create --subnet 10.89.0.0/24 --gateway 10.89.0.1 mynet
# Run containers on custom network
podman run -d --name db --network mynet postgres:16-alpine
podman run -d --name app --network mynet myapp:latest
# Aardvark-dns provides automatic DNS resolution by container name
# Inside "app" container:
podman exec app ping db
# PING db (10.89.0.2): 56 data bytes
# 64 bytes from 10.89.0.2: seq=0 ttl=64 time=0.089 ms
# Port mapping for external access
podman run -d --name web --network mynet -p 8080:80 nginx:alpine
# Network management
podman network ls
podman network inspect mynet
podman network connect mynet existing-container
podman network disconnect mynet existing-container
podman network rm mynetVolume Management and Bind Mounts
Podman supports named volumes, bind mounts, and tmpfs mounts for persistent and temporary data storage.
# Create and use named volume
podman volume create mydata
podman run -d --name db \
-v mydata:/var/lib/postgresql/data \
postgres:16-alpine
# Bind mount (host directory) with SELinux labels
podman run -d --name web \
-v ./html:/usr/share/nginx/html:Z \
nginx:alpine
# :Z = SELinux private label (single container access)
# :z = SELinux shared label (multiple containers)
# :ro = read-only mount
# tmpfs mount (in-memory, no persistence)
podman run -d --tmpfs /tmp:size=100m myapp:latest
# Volume management
podman volume ls
podman volume inspect mydata
podman volume rm mydata
podman volume prune # remove all unused volumesRegistry Management
Podman supports multiple registries via registries.conf. Unlike Docker defaulting to Docker Hub only, Podman searches and pulls from multiple registries in priority order.
# /etc/containers/registries.conf
# Podman searches these registries in order for unqualified images
[registries.search]
registries = ["docker.io", "quay.io", "ghcr.io"]
# Login to multiple registries
podman login docker.io
podman login quay.io
podman login ghcr.io
# Credentials stored in: \${XDG_RUNTIME_DIR}/containers/auth.json
# Pull from specific registry
podman pull docker.io/library/nginx:alpine
podman pull quay.io/podman/stable
podman pull ghcr.io/owner/image:tag
# Use skopeo for advanced registry operations
skopeo inspect docker://docker.io/library/nginx:alpine
skopeo copy docker://src-registry/img docker://dst-registry/imgSystemd Integration: Quadlet
Quadlet is Podman's native systemd integration β place a .container file in the systemd directory and systemd manages the container lifecycle including start, stop, restart, and auto-update.
# ~/.config/containers/systemd/webapp.container
[Unit]
Description=Web Application
After=network-online.target
[Container]
Image=docker.io/library/nginx:alpine
PublishPort=8080:80
Volume=./html:/usr/share/nginx/html:Z
AutoUpdate=registry
HealthCmd=curl -f http://localhost/ || exit 1
HealthInterval=30s
[Service]
Restart=always
[Install]
WantedBy=default.target# Enable and manage
systemctl --user daemon-reload
systemctl --user enable --now webapp.service
journalctl --user -u webapp.service -f
# Auto-update (checks registry for new digests)
systemctl --user enable --now podman-auto-update.timer
podman auto-update --dry-run
podman auto-updatePodman Secrets Management
Podman secrets securely pass sensitive data to containers without embedding them in images or environment variables.
# Create a secret from stdin
echo "my-database-password" | podman secret create db-password -
# Create from file
podman secret create tls-cert ./server.crt
podman secret create tls-key ./server.key
# List secrets
podman secret ls
# Use as file (mounted at /run/secrets/)
podman run -d --name db \
--secret db-password \
-e POSTGRES_PASSWORD_FILE=/run/secrets/db-password \
postgres:16-alpine
# Use as environment variable
podman run -d --name app \
--secret db-password,type=env,target=DB_PASS \
myapp:latest
# Inspect and remove
podman secret inspect db-password
podman secret rm db-passwordMulti-Architecture Builds
Podman supports multi-architecture images using podman manifest and QEMU emulation for cross-platform builds.
# Create a manifest list for multi-arch image
podman manifest create myapp:latest
# Build for each architecture
podman build --platform linux/amd64 -t myapp:amd64 .
podman build --platform linux/arm64 -t myapp:arm64 .
# Add platform images to manifest
podman manifest add myapp:latest myapp:amd64
podman manifest add myapp:latest myapp:arm64
# Inspect and push
podman manifest inspect myapp:latest
podman manifest push myapp:latest docker://registry.io/myapp:latest
# Or build all platforms in one command
podman build --platform linux/amd64,linux/arm64 \
--manifest myapp:latest .CI/CD with Podman
Podman's daemonless and rootless architecture makes it ideal for shared CI runners where Docker's privileged daemon is a security concern.
GitHub Actions
# .github/workflows/build.yml
name: Build with Podman
on: { push: { branches: [main] } }
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: podman build -t myapp:latest .
- run: podman run --rm myapp:latest npm test
- run: |
echo \${{ secrets.GITHUB_TOKEN }} | \
podman login ghcr.io -u \${{ github.actor }} --password-stdin
podman tag myapp:latest ghcr.io/\${{ github.repository }}:latest
podman push ghcr.io/\${{ github.repository }}:latestGitLab CI
# .gitlab-ci.yml
build:
image: quay.io/podman/stable
script:
- podman build -t \$CI_REGISTRY_IMAGE:\$CI_COMMIT_SHA .
- podman login -u \$CI_REGISTRY_USER -p \$CI_REGISTRY_PASSWORD \$CI_REGISTRY
- podman push \$CI_REGISTRY_IMAGE:\$CI_COMMIT_SHAMigration from Docker to Podman
Migrating from Docker to Podman is straightforward. The CLI is compatible, and only a few areas require adjustments.
- Install Podman and alias docker=podman
- Replace Docker socket: /run/user/\$(id -u)/podman/podman.sock
- Use podman-compose or docker-compose with Podman socket
- Replace Docker Desktop with Podman Desktop
- Convert systemd units to Quadlet .container files
- Update CI/CD pipelines to use podman commands
- Test docker-compose.yml β most work unchanged
# Step 1: Install Podman and compatibility layer
sudo dnf install podman podman-docker # provides /usr/bin/docker
# Step 2: Create Docker alias
echo "alias docker=podman" >> ~/.bashrc
source ~/.bashrc
# Step 3: Enable Podman socket for Docker Compose
systemctl --user enable --now podman.socket
export DOCKER_HOST=unix:///run/user/\$(id -u)/podman/podman.sock
# Step 4: Test with existing Docker workflows
docker run hello-world # uses Podman
docker-compose up -d # uses Podman backend
docker build -t myapp . # uses BuildahPerformance: Podman vs Docker
Podman and Docker deliver comparable performance. The daemonless architecture adds minimal startup overhead, while rootless mode incurs ~2-5% penalty from user namespace and pasta/slirp4netns networking.
- Container startup: Podman slightly faster (no daemon IPC)
- Image pull: Nearly identical
- Runtime: Identical (same OCI runtime crun/runc)
- Memory: Podman uses less (no daemon)
- Rootless overhead: ~2-5%
- Build: Comparable (Buildah vs BuildKit)
Security Best Practices
Podman provides strong security defaults, but additional hardening ensures defense in depth.
- Always run rootless β Podman's default and strongest security feature
- SELinux labels on volumes with :Z (private) or :z (shared)
- Use seccomp profiles to restrict syscalls
- Drop all caps, add back only needed: --cap-drop=all --cap-add=NET_BIND_SERVICE
- Read-only root filesystem: --read-only
- Sign images with cosign and verify on pull
- Scan images with Trivy before deployment
- Set --security-opt=no-new-privileges
# Security-hardened container
podman run -d --name secure-app \
--cap-drop=all --cap-add=NET_BIND_SERVICE \
--read-only --tmpfs /tmp:size=50m \
--security-opt=no-new-privileges \
--security-opt label=type:container_t \
--user 1000:1000 --memory=256m --cpus=0.5 \
-v ./data:/app/data:Z,ro myapp:latest
# Verify image and scan
cosign verify --key cosign.pub myregistry.io/myapp:latest
podman run --rm aquasec/trivy image myapp:latestProduction Deployment Patterns
Podman excels in production with systemd. Quadlet, auto-updates, and health checks create a robust deployment model without an orchestrator.
# /etc/containers/systemd/myapp.container
[Unit]
Description=Production App
After=network-online.target myapp-db.service
Requires=myapp-db.service
[Container]
Image=ghcr.io/myorg/myapp:latest
PublishPort=443:8443
Network=myapp.network
Secret=db-password,type=env,target=DATABASE_PASSWORD
Secret=tls-cert,target=/etc/ssl/server.crt
Volume=app-data:/app/data:Z
Environment=NODE_ENV=production
AutoUpdate=registry
HealthCmd=curl -fk https://localhost:8443/health || exit 1
HealthInterval=15s
HealthRetries=5
[Service]
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target# /etc/containers/systemd/myapp-db.container
[Unit]
Description=Production Database
After=network-online.target
[Container]
Image=docker.io/library/postgres:16-alpine
Network=myapp.network
Secret=db-password,type=env,target=POSTGRES_PASSWORD
Volume=pgdata:/var/lib/postgresql/data:Z
Environment=POSTGRES_DB=myapp
HealthCmd=pg_isready -U postgres
HealthInterval=10s
[Service]
Restart=always
[Install]
WantedBy=multi-user.target# /etc/containers/systemd/myapp.network
[Network]
Subnet=10.89.1.0/24
Gateway=10.89.1.1
# Deploy the full production stack
sudo systemctl daemon-reload
sudo systemctl enable --now myapp-db.service
sudo systemctl enable --now myapp.service
sudo systemctl enable --now podman-auto-update.timer
# Monitor
systemctl status myapp.service
journalctl -u myapp.service -fTroubleshooting Common Issues
- Permission denied: Check subuid/subgid β run podman system migrate.
- Rootless network unreachable: Install pasta or slirp4netns.
- Port <1024: Use sysctl net.ipv4.ip_unprivileged_port_start=80 or rootful.
- Pull fails: Check registries.conf. Run podman info.
- Container not starting: Check podman logs and podman events.
- SELinux denial on volume: Add :Z or :z suffix.
- Machine not starting (macOS): podman machine rm && podman machine init.
- Compose incompatibility: Use podman-compose 1.1+ or docker-compose with socket.
# Debugging commands
podman info # system info
podman system check # storage consistency
podman events # real-time events
podman logs -f <container> # container logs
podman healthcheck run <ctr> # manual health check
podman system df # disk usage
podman system prune -a # clean everything
podman system reset # nuclear reset
podman info --format "{{.Host.NetworkBackend}}"Frequently Asked Questions
Can I use Podman as a drop-in replacement for Docker?
Yes, for the vast majority of use cases. Podman's CLI is Docker-compatible, and alias docker=podman works for most workflows. Docker Compose files work with podman-compose or docker-compose via Podman's socket. The main differences are the lack of Docker Swarm support and some Docker Desktop-specific features.
Is Podman really more secure than Docker?
Yes, by architecture. Podman eliminates the root daemon (Docker's biggest attack surface), runs rootless by default using user namespaces, and integrates natively with SELinux. Even if a container escape occurs, the attacker lands as an unprivileged user.
How do rootless containers work?
Rootless containers use Linux user namespaces to map the container's root (UID 0) to an unprivileged user on the host. The subuid/subgid files define available UID/GID ranges. Inside the container processes appear to run as root, but on the host they have no special privileges.
What is the difference between Podman pods and Kubernetes pods?
Podman pods are directly inspired by Kubernetes pods. Both group containers sharing network and IPC namespaces. Podman pods include an infra container (like Kubernetes' pause container) that holds the namespace. You can generate Kubernetes YAML from Podman pods using podman generate kube.
Should I use podman-compose or docker-compose?
Both work. podman-compose is a lightweight Python tool that translates Compose files into Podman commands. docker-compose v2 works with Podman via the compatibility socket. For simple stacks, podman-compose is sufficient. For complex Compose files, docker-compose may have better compatibility.
What is Quadlet and how does it replace docker-compose for production?
Quadlet is Podman's native systemd integration. Instead of docker-compose up -d, you place .container files in systemd directories. Systemd manages container lifecycle, restart policies, ordering, and dependencies, integrating containers into the same model as other Linux services.
Can Podman run Docker images?
Yes. Podman runs any OCI-compliant or Docker-format container image from Docker Hub, GHCR, Quay.io, or any OCI registry without modification.
How does Podman Machine work on macOS?
Since containers require a Linux kernel, Podman Machine creates a lightweight Fedora CoreOS VM on macOS using Apple Virtualization or QEMU. The CLI transparently communicates with the VM, files are shared via virtiofs, and ports are forwarded automatically.