Podman Containers with Systemd (Quadlets)

This is a simple example of how to use Podman to create a container which runs as a user.

Install podman (assumes DNF but you can work it out for any other package manager).

dnf install podman

Add some UIDs and GIDs for the user to utilise in podman. Here we push the UID/GID to something very high to ensure no overlap.

usermod --add-subuids 1000000000-1000999999 znxster
usermod --add-subgids 1000000000-1000999999 znxster

Prepare the user account by enabling linger. This will spawn a user manager at boot which allows services to run when users aren’t logged in.

systemctl enable-linger znxster

Now we can login as the user and create our container.

As we modified subuid/subgid we should migrate podman to ensure that the userspace environment is up-to-date (this will also update existing containers).

podman system migrate

Create this directory to store our container unit files for system to use.

mkdir ~/.config/containers/systemd/

We will run a postgres database as an example.

Create a directory to store the data in, this will be mapped as a volume.

mkdir ~/postgres-data

We can use a podman secret to store the password.

printf "my_safe_password" | podman create secret postgres-pass -

Now create the container unit file, edit the file ~/.config/container/systemd/postgres.container with this content.

[Unit]
Description=My Postgres Container

[Container]
Image=docker.io/library/postgres:latest
Volume=%h/postgres-data:/var/lib/postgresql/data:Z
PublishPort=5432:5432
Environment=POSTGRES_USER=postgres
Secret=postgres-pass,type=env,target=POSTGRES_PASSWORD

[Service]
Restart=always

[Install]
WantedBy=default.target

Check out the documentation for many more options available.

Now reload the systemd daemon to cause it to discover this file.

systemctl --user daemon-reload
systemctl --user status postgres

It can also be useful to manually test with the systemd-generator (known as quadlet) to see if there are issues with your container file.

/usr/lib/systemd/system-generators/podman-system-generator --user --dryrun

This will output any error.

You can start/stop/enable all the standard systemd options.

systemctl --user enable --now postgres

Now you can connect to postgres on port 5432 as normal.

psql -U postgres
Password for user postgres:
postgres=#

Leave a Reply

Your email address will not be published. Required fields are marked *