Feature Request: Official Support for Rootless Podman Quadlets

[Tronde]

Transparency information

• I work as Technical Account Manager for Red Hat. While thoughts and opinions in this feature request are my own and I do not speak for Red Hat I might be biased on this topic.
• This feature request was generated with the help of an AI assistant and reviewed by me.
• If you like to support this feature request, feel free to upvote it.

Description

As a systems administrator operating OpenCloud on a singlecontainer hosts, I am seeking a secure, reliable, and natively integrated solution for deploying and managing OpenCloud services. Currently, the OpenCloud project officially supports HELM charts and docker-compose for deployment. However, my primary Linux distribution natively ships Podman with its repositories, while Docker, docker-compose, and even podman-compose are only available through third-party repositories. This distinction is critical for maintaining system stability, security, and ease of management within a production environment. Especially enterprise customers often look for solutions where they can get support for their technology stack from as few vendors as possible.

I propose/request that the OpenCloud project officially support rootless Podman Quadlets. This would leverage Podman's daemonless, rootless architecture and its robust integration with systemd to provide a secure, reliable, and native deployment method for OpenCloud, aligning with the principles of digital sovereignty and efficient self-hosting that OpenCloud champions. There is already community interest and successful individual implementations of OpenCloud using rootless Podman Quadlets, indicating a clear demand for this official support.

Target Audience

This feature primarily addresses Systems Administrators, Systems Engineers, DevOps professionals, and Site Reliability Engineers (SREs) who are looking for a state-of-the-art containerization solution for OpenCloud. Specifically, it caters to:

• Organizations with stringent security and compliance requirements (e.g., finance, healthcare, government sectors) who need to minimize attack surfaces and adhere to regulations like HIPAA or PCI DSS.
• Users of Linux distributions that natively prioritize Podman (such as Red Hat Enterprise Linux and Fedora) as their default container engine.

Key Arguments and Advantages

Officially supporting rootless Podman Quadlets for OpenCloud offers numerous advantages:

1. Enhanced Security through Rootless and Daemonless Architecture:

   • Minimized Attack Surface: Podman's rootless mode allows containers to run as unprivileged users, significantly reducing the attack surface by isolating container processes from the host's root user. A study by Surbhi Kanthed demonstrated a 50% reduction in attack surface with rootless containers.
   • Elimination of Single Point of Failure (Daemonless): Unlike Docker's centralized daemon, Podman operates without a continuously running background service. This daemonless architecture prevents a single point of failure and removes a prime target for malicious attacks. If Podman itself crashes, the containers, running as independent processes, continue to operate.
   • Improved Auditability: Podman links container processes directly to the invoking user's session, enabling Linux Audit systems to accurately trace malicious activity back to a specific user ID, ensuring a clear audit trail.
   • Regulatory Compliance: The rootless design naturally aligns with stringent compliance standards (e.g., HIPAA, PCI DSS) by enforcing least-privilege policies, which is crucial for organizations handling sensitive data.

2. Increased Reliability and Native Systemd Integration with Quadlets:

   • Simplified Container Management: Podman's Quadlets feature streamlines the definition and management of containers by allowing users to describe their container setups (including networks and volumes) in simple .container, .network, and .volume files, which are then automatically converted into systemd unit files. This greatly simplifies managing dependencies, networks, and volumes that were previously more complex with podman generate systemd.
   • Automated Lifecycle Management: Leveraging systemd, Quadlets enable OpenCloud containers to start, stop, and restart like any other native Linux service. This includes defining restart policies (e.g., Restart=always) for automatic recovery, enhancing OpenCloud's uptime and resilience.
   • Automatic Updates: systemd services configured via Quadlets can be automatically updated when a newer version of Podman is released or when the container image is updated on the registry, without manual regeneration of unit files. This ensures OpenCloud stays current with minimal operational overhead. Of course automatic updates could be disabled if the operator whishes to manage them theirself.

3. Operational Efficiency and Host OS Integration:

   • Native Distribution Support: Podman is readily available in the official repositories of many Linux distributions, ensuring easier installation, updates, and maintenance compared to Docker, which sometimes requires third-party repositories.
   • Leveraging Existing Linux Tooling: Since Podman containers run as regular Linux processes, standard host-level tools like top, htop, ps, and journalctl can be used for monitoring and logging.
   • Lightweight Footprint: The daemonless nature of Podman results in lower resource requirements at idle, as Podman is not running unless containers are active. This is particularly beneficial for resource-constrained environments or self-hosted setups.
   • OCI Compliance: Podman adheres to Open Container Initiative (OCI) standards, ensuring compatibility with existing Docker images and registries. This allows seamless migration of existing OpenCloud Docker images to a Podman environment.

4. Open Source Alignment and Cost-Effectiveness:

   • True Open Source: Podman and Podman Desktop are entirely open-source under the Apache License 2.0, providing a free and unrestricted alternative to Docker, whose Desktop version requires a paid subscription for larger commercial use.
   • Avoid Vendor Lock-in: Supporting an open-source solution like Podman helps to offer even more choice, greater flexibility and control within the container ecosystem.

Conclusion

By officially supporting rootless Podman Quadlets, OpenCloud can provide its users with a secure, reliable, and deeply integrated containerization experience, particularly for those operating on Linux distributions that natively support Podman. This move would not only streamline operations and enhance the security posture of OpenCloud deployments but also reinforce OpenCloud's commitment to open-source principles and digital sovereignty. The existing community interest and successful implementations further underscore the value and readiness of this feature for official adoption.

Thank you for taking this feature request into consideration.

Sources to back this feature request

• Docker vs. Podman: Architecture Differences and Their Impact on Modern
  Workflows by Surbhi Kanthed (Independent researcher, USA), 2023
• Exploring Podman: A More Secure Docker Alternative by Marin Bezhanov, 2024
• Podman - Quadlets by Daniel Schier, 2024
• Podman vs. Docker: Containerization Tools Comparison by James Walker, 2025
• Why Developers Are Switching from Docker to Podman by Lucas Greene, 2025
• Podman rootless setup? #615
• Feature request: podman support

[micbar]

@tbsbdr @dragotin

[Tronde]

Hi @tbsbdr and @dragotin,

I hope you don't mind that I created a feature request here. We talked about this topic at FrOSCon 2025 and I think having a feature request that folks - who are interested in this feature - can support doesn't hurt anyone.

In the worst case scenario we learn that nobody cares and it can be closed in two years or so. ;-)

As I wrote to @micbar in another comment I wouldn't be able to create and maintain a project for this as I don't have the capacity. I would be able to test and offer a sysadmins perspective on this if that's helpful for you.

Cheers,
Joerg

[tbsbdr]

@Tronde thanks a lot for raising this issue and for the detailed reasoning!

@micbar, @dragotin and I had a discussion and also see value in supporting Podman Quadlets and would like to have this option on the long run. At the same time I want to be transparent: so far we have no customer explicitly requesting this option. This means that we cannot move it up on the roadmap at this time even though we find the technology attractive and consider it superior to docker in most regards.

If things go as planned and depending on resource availability I would expect that we find time to tackle Quadlets around 2026.

Of course, contributions in this area are very welcome in the meantime to help us all get there faster.

[Tronde]

Thank you for your kind and transparent response. I stay tuned watching the development. :-)

[pierrecnalb]

In case anyone is interested, I wrote some "security hardened" opencloud podman quadlets here https://github.com/pierrecnalb/quadlets
As mentioned in the repository, they are not rootful, but probably more secure than badly-configured rootless (read on) and without the hassle rootless would bring.
Indeed, according to this discussion, Daniel Walsh (one of the developer of Podman) mentioned the following:

"Rootless containers are great for containers run by users on a system, but if you are just running containers on a server, then --userns=auto is a more secure solution".

As he explained, when you run multiple containers as a rootless user, they run in the same user namespace so they can attack each other from a User Namespace point of view.
Instead, using rootful containers with the --userns=auto option, then those containers are running in unique user namespace and are isolated.

In addition to that, using a dedicated user in the container and dropping capabilities/privileges, should provide way more security than most docker compose files found on the internet anyway.