
Podman Quadlets with Podman Desktop

82 comments

April 14, 2025

andreldm

I have a RPi 2 that’s more than enough for my home server needs and I’ve tried to migrate from docker to podman; it simply failed miserably with weird errors. On my laptop everything worked fine, so maybe that’s an issue with Arch ARM or the 32-bit version of it, but really, I wish they could abstract away quadlet, service files generation and so on.

Alupis

If you install the `podman-docker` package, you get compatibility with docker commands. If you have errors during runtime, it's probably something in your container/config that's assuming a docker socket/runtime. Some of which can be remedied by pointing `DOCKER_HOST` to your podman socket, etc.

andreldm

The problem wasn’t running the containers with plain podman, they worked. Auto restart is something podman delegates to quadlet/systemd. I tried to migrate my docker-compose files to quadlet’s config, the containers were up, supposedly listening to the bound ports, but connecting simply didn’t work. I tried rootless, slirp4netns and pasta, nothing worked, then I gave up; some other day I might try again.

worewood

Running a very similar setup here, also have issues with networking. Pasta worked, but has bugs and replied to UDP packets on the wrong ports. The pasta version from debian packages is too old. Also, I tried making the networking work but now I just slap --network=host on everything and call it a day; works perfectly.

orthoxerox

What is the killer feature that will make me want to switch from Docker Compose to Podman Quadlets?

eriksjolund

Podman quadlet supports "Socket activation of containers" https://github.com/containers/podman/blob/main/docs/tutorial... This allows you to run a network server with `Network=none` (--network=none). If the server would be compromised, the intruder would not have the privileges to use the compromised server as a spam bot. There are other advantages, such as support for preserved source IP address and better performance when running a container with rootless Podman + Pasta in a custom network.

infogulch

That's neat. Does it require 1 connection = 1 process to work? I don't see how you can have a long running server with this feature.

xyzzy_plugh

No, the init process hands over the listener FD allowing the server to accept() connections.

You can also do 1 connection = 1 process, though, but it's absolutely not required nor particularly common these days.

anonfordays

What's old is new again. That's effectively how inetd worked circa 1986. The inetd daemon had some serious security vulnerabilities, so the world moved away from using "socket activated daemons" to having always-listening services (performance reasons as well).

rendaw

I never understood the use case for socket activation. Is someone really running a web server with mixed workloads: long periods with no network traffic where you'd rather prioritize something else, and a web server that's so resource intensive when not handling events that it makes sense to stop it? Maybe desktop computers?

The security aspect is something new to me and I'm not sure if that applies to inetd/systemd socket services or if it's specifically a container thing.

Does anyone have more info on use cases for this?

thwarted

inetd supported "socket activation" using the "wait" directive: inetd would listen on the socket and then, when there was activity, hand off the listening socket as fd 0. The server would need to call accept, and could continue to call accept for new connections, or exit when all clients were handled, and inetd would respawn it when there was a new pending connection on the listening socket.
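The hand-over described in the three comments above (systemd passing a listener fd that the server then accept()s on, and the inetd "wait" variant where fd 0 is the listening socket and the server exits when idle), as an added example that is not part of the Podman tutorial, Podman Desktop or any commenter's code. The server never calls bind(), which is exactly why the container can run with `Network=none`: the port belongs to systemd on the host. The `LISTEN_PID`/`LISTEN_FDS` environment convention and the first fd being 3 are systemd's documented sd_listen_fds protocol; the Quadlet file names `echo.socket`/`echo.container` in the comment header, the image and the `ping`/`pong` wire protocol are assumptions made for the illustration.

```python
"""Socket-activated server that never binds a port itself.

Added example; not code from the Podman tutorial, Podman Desktop or inetd.
The server only accept()s on a listening socket it inherited, which is why a
container running it can use Network=none: systemd owns the port on the host
and hands the socket in. Two hand-over conventions are supported:

  * systemd / Podman: LISTEN_PID and LISTEN_FDS in the environment, the first
    inherited fd being 3 (sd_listen_fds protocol). Podman's socket-activation
    support passes these through to the container's main process.
  * inetd "wait" mode: the listening socket arrives as fd 0.

Assumed Quadlet pairing (unit names and paths are illustrative):
  echo.socket     [Socket] ListenStream=127.0.0.1:8080  [Install] WantedBy=sockets.target
  echo.container  [Container] Image=...  Network=none  Exec=python3 /app/server.py
"""
import os
import select
import socket
import threading

SD_LISTEN_FDS_START = 3


def inherited_listeners(environ, pid, start_fd=SD_LISTEN_FDS_START):
    """Sockets handed over by systemd, or [] if none were passed to this pid."""
    try:
        if int(environ.get("LISTEN_PID", "0")) != pid:
            return []          # fds were meant for a different process
        count = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    # socket.socket(fileno=...) asks the kernel for family/type (Python 3.7+)
    return [socket.socket(fileno=fd) for fd in range(start_fd, start_fd + count)]


def inetd_wait_listener(fd=0):
    """inetd 'wait' convention: fd 0 is a *listening* socket. None otherwise."""
    try:
        sock = socket.socket(fileno=fd)   # raises OSError if fd is not a socket
    except OSError:
        return None
    if not sock.getsockopt(socket.SOL_SOCKET, socket.SO_ACCEPTCONN):
        sock.detach()                      # a connected socket (nowait mode); leave fd alone
        return None
    return sock


def serve(listener, max_conns=None, idle_timeout=None):
    """Accept loop speaking a one-line ping/pong protocol on an inherited listener.

    Returns the number of connections served. Stops after max_conns, or when
    idle_timeout seconds pass with nothing pending: the inetd-"wait" style of
    exiting once all clients are handled, leaving the supervisor to respawn the
    process on the next connection.
    """
    served = 0
    listener.setblocking(True)
    while max_conns is None or served < max_conns:
        if idle_timeout is not None:
            ready, _, _ = select.select([listener], [], [], idle_timeout)
            if not ready:
                break                      # idle: exit and let systemd/inetd re-activate us
        conn, _peer = listener.accept()
        with conn:
            request = conn.recv(1024)
            conn.sendall(b"pong\n" if request.strip() == b"ping" else b"error\n")
        served += 1
    return served


def pick_listener(environ=None, pid=None):
    """Use the inherited socket only; a port we bound ourselves would be unreachable under Network=none."""
    environ = os.environ if environ is None else environ
    pid = os.getpid() if pid is None else pid
    socks = inherited_listeners(environ, pid)
    return socks[0] if socks else inetd_wait_listener()


def demo_roundtrip():
    """Stand-alone demo: this process plays systemd and hands itself a listener.

    Returns (connections served, reply to 'ping', reply to 'junk',
             connections served by an idle run, pipe-fd rejected, wait-fd accepted).
    """
    host = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # "systemd" side
    host.bind(("127.0.0.1", 0))
    host.listen(4)
    port = host.getsockname()[1]
    env = {"LISTEN_PID": str(os.getpid()), "LISTEN_FDS": "1"}  # constructed environment
    inherited = inherited_listeners(env, os.getpid(), start_fd=os.dup(host.fileno()))[0]
    result = []
    worker = threading.Thread(target=lambda: result.append(serve(inherited, max_conns=2)))
    worker.start()
    replies = []
    for msg in (b"ping\n", b"junk\n"):
        with socket.create_connection(("127.0.0.1", port)) as client:
            client.sendall(msg)
            replies.append(client.recv(16))
    worker.join(5)
    idle = serve(inherited, idle_timeout=0.2)                  # nothing pending: returns 0
    pipe_r, pipe_w = os.pipe()
    not_socket = inetd_wait_listener(pipe_r) is None           # a pipe is not a listener
    wait_sock = inetd_wait_listener(os.dup(host.fileno()))
    wait_ok = wait_sock is not None
    for fd in (pipe_r, pipe_w):
        os.close(fd)
    if wait_sock:
        wait_sock.close()
    inherited.close()
    host.close()
    return result[0], replies[0], replies[1], idle, not_socket, wait_ok


if __name__ == "__main__":
    lis = pick_listener()
    if lis is None:
        raise SystemExit("no inherited listening socket; refusing to bind one")
    serve(lis, idle_timeout=30.0)
```

Run directly from a terminal the script exits, because nothing handed it a socket. Under the paired `.socket` unit, the first connection to the port starts the container and the accept loop runs inside a namespace with no network interfaces beyond loopback, so a compromised server has nowhere to connect out to; the systemd-side socket also preserves the client's real source address, which a user-space NAT path would rewrite.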

dharmab

I prefer quadlet for 2 reasons:

1. Podman is simpler than Docker. There is no long-running daemon. Rootless is default.

2. Quadlets can be managed as systemd services, giving me the same tools to manage and view logs for system daemons and containers.

Quadlets have been especially nice for bundling up an AI app I wrote as a cloud-init file, making it easy to deploy the hardware, software and models as one artifact.

steeleduncan

Podman seems to have lower memory overhead than Docker. I assume that is a consequence of your point 1

pydry

quadlets == systemd which requires root to run. This is NOT the same thing as "systemd can't run non root containers". OBVIOUSLY it can, just as docker can run non root containers.

Making systemd a necessary dependency to run > 1 container kinda negates many of the nice advantages that podman has of not requiring root.

podman compose doesn't require root and would serve as a substitute but it's a very neglected piece of software.

zacwest

You can do non-root systemd units, including Quadlets. See <https://docs.podman.io/en/latest/markdown/podman-systemd.uni...> under "Podman rootless unit search path."

voxadam

systemd user units can be run by non-root users.

https://wiki.archlinux.org/title/Systemd/User

exceptione

  systemctl --user ...

scheme271

The biggest one is probably that podman runs as a user and doesn't need suid normally. So you can run services and have more assurances that container breaches won't give someone root on your system.

philips

I really like the user namespace handling `--user-ns=keep-id`. It makes it easy for me to create a new Linux user and then have that user run some container and have bind mounts, etc just work correctly. It is the least fuss way I have found of running little services that need access to the host filesystem.

https://docs.podman.io/en/latest/markdown/podman-run.1.html#...
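The point made in the two comments above (a rootless container's root is not the host's root, and keep-id lines the host user's uid up with the container's) comes down to the kernel's user-namespace id map. The following is an added example, not Podman's code, that parses `/proc/<pid>/uid_map` and translates uids across the boundary. The three sample maps are constructed: they assume a host user with uid 1000 and the subuid range 100000-165535, as read from the host side (values read from inside the container are relative to the parent namespace instead). The option is spelled `--userns=keep-id` in the podman-run page linked above.

```python
"""Translate container uids to host uids from /proc/<pid>/uid_map.

Added example, not Podman's code. A rootless Podman container lives in a user
namespace; the kernel exposes its mapping as "inside outside count" triples.
Read from the host, the second column is a host uid, which answers: if a
process escapes the container, which host uid is it really running as?
"""

# Constructed samples, host-relative. Assumed: host user uid 1000, subuid 100000:65536.
ROOTFUL = "0 0 4294967295\n"                               # no user namespace at all
DEFAULT_ROOTLESS = "0 1000 1\n1 100000 65536\n"            # podman run (rootless)
KEEP_ID = "0 100000 1000\n1000 1000 1\n1001 101000 64536\n"  # podman run --userns=keep-id


def parse_id_map(text):
    """Parse uid_map/gid_map text into a list of (inside, outside, count) ranges."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError("malformed id_map line: %r" % line)
        inside, outside, count = (int(f) for f in fields)
        if count <= 0 or inside < 0 or outside < 0:
            raise ValueError("invalid id_map range: %r" % line)
        ranges.append((inside, outside, count))
    return ranges


def to_host_uid(ranges, container_uid):
    """Host uid for a container uid; None if unmapped (appears as nobody/65534 inside)."""
    for inside, outside, count in ranges:
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return None


def to_container_uid(ranges, host_uid):
    """Inverse: what a host uid (e.g. a bind-mounted file's owner) looks like inside."""
    for inside, outside, count in ranges:
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return None


def host_uid_ranges(ranges):
    """Every host uid interval a process in this namespace can ever hold, inclusive."""
    return sorted((outside, outside + count - 1) for _, outside, count in ranges)


def escape_is_host_root(ranges):
    """True only when uid 0 inside is also uid 0 on the host (rootful containers)."""
    return to_host_uid(ranges, 0) == 0


if __name__ == "__main__":
    for name, text in (("rootful", ROOTFUL), ("rootless", DEFAULT_ROOTLESS), ("keep-id", KEEP_ID)):
        r = parse_id_map(text)
        print(name, "container root -> host uid", to_host_uid(r, 0),
              "| host uid 1000 -> container uid", to_container_uid(r, 1000),
              "| escape gives host root:", escape_is_host_root(r))
```

With the default rootless map, container root is host uid 1000 and a bind-mounted file owned by 1000 shows up as root-owned inside; with keep-id the file keeps its uid 1000 on both sides, which is why volumes "just work", and in neither case does uid 0 inside reach uid 0 outside.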

tiew9Vii

For local development I found no advantages, if anything I found it a little less convenient.

For servers where you don’t need the complexities of Kubernetes etc, using Quadlets is nice as you can manage containers as regular systemd services and no Docker daemon running as root.

jabl

For a docker-compose replacement you should probably look at the 'podman kube' support. That supports a subset of the kubernetes API that roughly matches the docker-compose features.

Then for deployment to a Kubernetes cluster you can reuse your podman kube yaml.

For deployment to a single machine where the full Kubernetes is overkill, you can use the podman quadlet support. Quadlets support a "[Kube]" section where you can point to the yaml file, so you don't have to write all your port and volume etc mappings again in a slightly different syntax.

discardable_dan

And why are they called quadlets?

cassepipe

Some help in case you got lost in the terminology as I did:

Containers: Encapsulate application and its environment

Pods: Group one or more containers in Kubernetes

Kubernetes: Orchestrates containers across clusters.

Quadlets: Declarative container management with Podman and systemd

Podlet: Tool to generate Quadlet file from existing podman configuration

pjd7

I started looking into podman quadlets on the weekend. All because docker & nft (nftables firewall) don't play nice together.

I have my finely crafted nftables ruleset that I want to keep. Docker is going to abuse the crap out of my ruleset/make me jump through extra hoops to have it work.

Having the containers operate under systemd looks fine (ignoring the fact that it is systemd, I guess I have finally accepted systemd is here to stay).

I was interested in using traefik & docker labelling to have ingress sorted out and I believe this will all play nicely enough to replace docker-compose on a single server.

infogulch

Quadlets came up recently:

Quadlet: Running Podman containers under systemd (mo8it.com) | 298 points | 68 comments | https://news.ycombinator.com/item?id=43456934

Where do quadlets fit in the container management landscape?

Running individual services that would have been RPMs? Docker compose? K8s?

steeleduncan

> Running individual services that would have been RPMs?

Essentially this. Rather than adding anything on top of systemd (which is almost certainly running anyway) quadlets are a way of turning containers into systemd units, and directing systemd to run them

I think it is the lightest weight, but still convenient, way of running a container as a daemon, with all the pros and cons that implies

WesolyKubeczek

I run container sets (like you'd probably run with docker-compose) as systemd services using this.

infogulch

How do you manage and deploy it? Git a systemd directory?

c45y

It's just a ~/.config/containers/systemd/ folder for rootless containers, I stuff the whole thing in a git repo

sc68cal

Ansible has support for quadlet creation in the containers.podman collection

WesolyKubeczek

It's my homeassistant setup. I run mosquitto, zigbee2mqtt, and homeassistant in it (everything they connect to is on the network, so no need to do USB access mumbo jumbo). I don't "manage" it; I have a yaml file (generated from running containers with "podman kube generate") in a directory along with volumes those containers need, and a file in /etc/containers/systemd pointing to that yaml file. That's it.

And once all peripherals are seen and run correctly, I don't "manage" it as long as it works.

pydry

quadlets is an answer to the question "but what if we also threw a docker compose substitute into the systemd kitchen sink?"

haolez

This made me remember Fleet[0], which I used in the past on CoreOS. It was a very good abstraction for my simple cluster. It felt as robust as a managed cloud service. It's a shame it didn't catch on (and also what happened to CoreOS).

[0] https://github.com/coreos/fleet

mdaniel

> (and also what happened to CoreOS)

Arguably worse, IMHO, is that the name lives on but does something wholly different, polluting search results

Anyway, I wanted to plug Flatcar which forked CoreOS back when the nonsense started and have been pretty pleasant to work with. They are still misguided about user-data management, and have since been acquired by Microsoft(!), but the code lives on https://github.com/flatcar/Flatcar#readme and https://www.flatcar.org/docs/latest#upgrading-from-coreos-co...

ldmosquera

Small note - https://github.com/flatcar/Flatcar has no code in any branches:

> Flatcar project repository for issue tracking, project documentation, etc.

Per the building page https://www.flatcar.org/docs/latest/reference/developer-guid...

the actual code seems to be at https://github.com/flatcar/scripts.git

mdaniel

Yes, apologies, that was poor wording on my part. The "lives on" was meant in the "continuation" sense but I can see how "lives on https:" implied it was in that specific repo. Sorry about that

nashashmi

I have been trying to use podman with docker containers to avoid the docker license fee, yet to no avail. Wish there was a tutorial. The docker desktop is a nice interface to interact with containers and podman did not have that last time I checked.

edit: Looks like it changed quite a lot. this looks so much nicer

edit2: I still need a tutorial. had so many errors come up. :(

mdaniel

I don't want to dissuade you from Podman Desktop, because Podman is awesome in its own way, but I do hear you about the "uncanny valley" part.

I wanted to offer that you don't have to jump all the way to podman (and Podman Desktop) just to escape the Docker Desktop licensing problem. There are a lot of alternatives with a whole spectrum of "I am CLI savvy or not" interaction experiences.

- Rancher Desktop is A++ and carries a friendly license https://rancherdesktop.io/ -> https://github.com/rancher-sandbox/rancher-desktop/blob/v1.1...

- colima (and the lima it wraps) -> https://github.com/abiosoft/colima#readme

- there's one from AWS called Finch <https://github.com/runfinch/finch> that some of my colleagues like better than colima; YMMV <https://aws.amazon.com/blogs/opensource/introducing-finch-an...>

chuckadams

If you’re on a Mac, I highly recommend OrbStack. Perfect Docker compatibility so far, actually better Rosetta support than Docker itself.

kristianp

What OS are you running it on?

Havoc

Is this essentially a compose file in systemd format? Or is there some other complexity that I’m missing

bjoli

Can I use podman desktop to manage my quadlets on a server over ssh? That would be awesome.

axel7083

I would say yes, but never tried:

1. enable remote connection in podman desktop (https://podman-desktop.io/docs/podman/podman-remote)

2. try the quadlet extensions (https://podman-desktop.io/blog/podman-quadlet)

I am curious to have feedback if you give it a try (https://github.com/podman-desktop/extension-podman-quadlet/i...)

sudomateo

Thanks for sharing this. For some reason I hadn't heard of Podman Quadlets until this post. I can think of a few places where Quadlets would work better than Kubernetes or Compose. I'll give them a tinker.

bjackman

Yeah I recently put together a home NAS and was dismayed that I had to use Docker Compose. (There's podman-compose but it's... incomplete).

Immediately after I finished the project I discovered the Quadlet thing!

Seems like the userbase is there, the technology is there, and now the two just need to be put together with some awareness.