r/podman

▲ 2 r/podman

Resource control via Podman vs systemd

Do the below quadlet definitions do the same thing with regards to CPU/memory resource control?

Podman Quadlet:

$ cat app.container
[Container]
Image=example-image
Environment=EXAMPLE=value
Volume=app.volume:/path/to/data:Z
Memory=512m
PodmanArgs=--cpus=1

vs resource control via systemd:

$ cat app.container
[Container]
Image=example-image
Environment=EXAMPLE=value
Volume=app.volume:/path/to/data:Z

[Service]
CPUQuota=100%
MemoryMax=512M

Which of the two would you prefer?

u/mishrashutosh — 9 hours ago
▲ 2 r/podman

Weird problem with gnu parallel semaphore inside podman container.

I am having issues using semaphores with gnu parallel in my podman container. Example:

This works: echo test | sem --id test --fg -q -j 5 --pipe -- cat

This doesn't: podman run --rm -it 'docker.io/patlefort/pat-aur:latest' bash -c 'echo test | sem --id test --fg -q -j 5 --pipe -- cat'

It results in: exec failed:No such file or directory at - line 1.

My system and the container are both Arch-based, and sem --version reports version 20260422.

Any clues as to what could be happening?

u/patlefort — 2 days ago
▲ 19 r/podman

What is the canonical way to run a reverse proxy with multiple services in Podman?

I'm looking into fine tuning/hardening my Podman setup and one thing I'm exploring is what the best way is to connect containers together in a best practices layout. In theory, the ideal setup would be a reverse proxy connected to each service's frontend, and each service in turn having its own internal network for associated containers like databases.

The thing I'm trying to figure out is that connection between the reverse proxy and the frontends. I've seen recommendations to have a reverse proxy network, but in my mind this means that all of the services can talk to each other, which isn't ideal from a service isolation standpoint. And running 2 networks for each service seems like a lot of admin overhead. Currently I'm running one network per service and attaching the reverse proxy to each, which has its own issues but at least should be secure as long as the reverse proxy itself is. The other option I can think of is binding all of the services to the host loopback device and connecting through that from the reverse proxy, but punching out of the container to the host and then back in also doesn't seem right, particularly in environments where more than one service might be running in the host network namespace. Socket activation in theory would work, but in practice it needs systemd-socket-proxyd in most instances, which would then require the host loopback interface again.

In my mind the ideal would be to have one network per service, and forward the ports into the reverse proxy container network so that the reverse proxy can't access the rest of the backend network (e.g. bind them to the gateway address in that network) but that doesn't seem to be a thing. An alternative I've seen is some discussion about adding pasta support for listening on unix sockets for port forwards, which doesn't exist yet and would still require manual configuration.

Is this the current state of affairs? Multiple networks for every application or some form of compromised isolation where we just need to choose the least worst option? Or am I missing something obvious?

u/Dangerous-Report8517 — 8 days ago
▲ 0 r/podman

Store Podman data on secondary SSD by default?

I'd like Podman to save all its data on a secondary SSD and not the boot drive. Over on the Docker side, I was able to specify default locations for stuff like appdata or compose files.

Is there a way to do this for Podman as well? Is there a configuration file that specifies the defaults?

u/TOMillr — 6 days ago
▲ 4 r/podman +1 crossposts

unless-stopped policy on CoreOS

Hello,

I have been trying for weeks now to find a way to get the unless-stopped policy to work on Fedora CoreOS. The podman-restart.service only manages the always policy.

Quadlets are not an option as all my containers are created from compose files.

I am failing at making a script that would save a list of running containers at shutdown/restart and start them at the next boot.

I am now looking for help on this topic, and I am wondering what solutions you would have for getting a working unless-stopped policy on CoreOS.

Are there scripts that are proven to work, or tools to install that could do the trick?

Thanks in advance for your resources, have a nice day!

u/TrashRule — 9 days ago
▲ 6 r/podman

Podman LXC Distro choice

Hi everyone,

I'm currently setting up Podman on Proxmox and I need to choose which OS to put my Podman LXC on.

So I initially chose Alpine (for its lightweight nature), but I realized that Quadlet isn't available on Alpine.

I've recently restarted doing my homelab after just using community-script for all my services, but I would like to understand what I'm doing.

So my questions are:

  1. Does Quadlet offer significant advantages over Podman Compose?

  2. Is the performance/resource difference between Alpine and Debian noticeable in a Proxmox environment for typical usage? Is the process of upgrading from something like Debian 12 to Debian 13 a headache when you're using Podman?

u/Newoobs — 12 days ago
▲ 6 r/podman

Help with Quadlets and Pod

I'm new to Podman and am a bit lost on how to get this setup working. I would appreciate pointers on where to get started in fixing it and where I'm not following best practices.

The containers only fail when I put them in the pod.

suwayomi.container

[Unit]
Description=Suwayomi
Requires=postgres.service flaresolverr.service
After=network-online.target postgres.service flaresolverr.service

[Container]
ContainerName=suwayomi
Pod=open.pod
Image=ghcr.io/suwayomi/suwayomi-server:stable
AutoUpdate=registry

UserNS=keep-id

Environment=TZ=Asia/Hong_Kong
Environment=AUTH_MODE=simple_login
Environment=MAX_LOG_FILES=31
Environment=WEB_UI_ENABLED=true
Environment=WEB_UI_FLAVOR=WebUI
Environment=WEB_UI_CHANNEL=stable
Environment=WEB_UI_UPDATE_INTERVAL=23
Environment=MAX_SOURCES_IN_PARALLEL=8
Environment=UPDATE_EXCLUDE_STARTED=true
Environment=UPDATE_INTERVAL=11
Environment=UPDATE_MANGA_INFO=true
Environment=BACKUP_INTERVAL=1
Environment=BACKUP_TTL=14
Environment=FLARESOLVERR_ENABLED=true
Environment=FLARESOLVERR_URL=http://flaresolverr:8191
Environment=DATABASE_TYPE=POSTGRESQL
Environment=DATABASE_URL=postgresql://postgres:5432/suwayomi

Secret=suwayomi_user,type=env,target=AUTH_USERNAME
Secret=suwayomi_password,type=env,target=AUTH_PASSWORD
Secret=postgres_user,type=env,target=DATABASE_USERNAME
Secret=postgres_password,type=env,target=DATABASE_PASSWORD

Volume=/home/selfhosted/suwayomi:/home/suwayomi/.local/share/Tachidesk:Z

[Service]
ExecStartPre=sleep 30
Restart=always

[Install]
WantedBy=default.target

flaresolverr.container

[Unit]
Description=Flaresolverr
After=network-online.target

[Container]
ContainerName=flaresolverr
Pod=open.pod
Image=ghcr.io/thephaseless/byparr:latest
AutoUpdate=registry

UserNS=nomap

Environment=TZ=Asia/Hong_Kong

[Service]
Restart=always

[Install]
WantedBy=default.target

postgres.container

[Unit]
Description=Postgres

[Container]
ContainerName=postgres
Pod=open.pod
Image=docker.io/library/postgres:latest
AutoUpdate=registry

UserNS=keep-id:uid=1000,gid=1000
User=1000
Group=1000

Environment=TZ=Asia/Hong_Kong
Environment=PGTZ=Asia/Hong_Kong
Environment=PGDATA=/data/postgres
Environment=POSTGRES_DB=suwayomi

Secret=postgres_user,type=env,target=POSTGRES_USER
Secret=postgres_password,type=env,target=POSTGRES_PASSWORD

Volume=/home/selfhosted/postgres:/data/postgres:Z

[Service]
Restart=always

[Install]
WantedBy=default.target

open .network (space in the name because Reddit keeps turning it into a link)

[Unit]
Description=VPN-less Network

[Network]
NetworkName=open

open.pod

[Pod]
PodName=open
Network=open.network

PublishPort=4567:4567

u/Deatn12 — 12 days ago