podman

A tool for managing OCI containers and pods.

Installation

https://podman.io/getting-started/installation

The Debian package is old; it is better to build from source.

Build from sources

Prerequisites

# Download latest stable version to current directory
# (the version string is taken from line 3 of the JSON listing, i.e. the newest entry)
curl \
    --create-dirs \
    --location \
    --output "go.tar.gz" \
    --silent \
    --url "https://go.dev/dl/go$(\
        curl \
            --silent \
            --url "https://go.dev/dl/?mode=json" \
        | sed \
            --expression="3s/^\s*\"version\": \"go\(.*\)\",$/\1/p" \
            --silent \
        ).linux-amd64.tar.gz"
# Extract compressed archive to install directory
tar \
    --directory="$HOME/.local/app/" \
    --extract \
    --file="go.tar.gz"
# Delete compressed archive
rm "go.tar.gz"
# Add soft links to `go` and `gofmt` in `$HOME/.local/bin/`
ln -s "$HOME/.local/app/go/bin/go" "$HOME/.local/bin/go"
ln -s "$HOME/.local/app/go/bin/gofmt" "$HOME/.local/bin/gofmt"

Build dependencies

sudo apt-get install \
    libapparmor-dev \
    libbtrfs-dev \
    libdevmapper-dev \
    libgpgme-dev \
    libseccomp-dev \
    libsystemd-dev

Runtime dependencies

sudo apt-get install \
    conmon \
    containernetworking-plugins \
    crun \
    fuse-overlayfs \
    slirp4netns \
    uidmap

The static builds of conmon available in the GitHub repository don't statically link to systemd (see this comment). Running a container will then fail with the error message "Error: write child: broken pipe", because the default logging driver is journald. The possible solutions are:

Build podman

git clone https://github.com/containers/podman.git
cd podman
# Checkout latest stable version
git checkout "$(\
    curl \
        --silent \
        --url "https://api.github.com/repos/containers/podman/releases/latest" \
    | sed \
        --expression="s/^\s*\"tag_name\": \"\(.*\)\",$/\1/p" \
        --silent \
    )"
make BUILDTAGS="apparmor seccomp systemd"
make install PREFIX="$HOME/.local"

Configure

cat > "$HOME/.config/containers/containers.conf" << EOF
# The container engine configuration file specifies default configuration
# options and command-line flags for container engines.

[engine]
helper_binaries_dir = [
    "$HOME/.local/libexec/podman"
]
EOF
# This policy accepts any image from any source without signature verification.
cat > "$HOME/.config/containers/policy.json" << EOF
{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ]
}
EOF
cat > "$HOME/.config/containers/registries.conf" << EOF
# System-wide configuration file for container image registries.

# An array of `host[:port]` registries to try when pulling an unqualified image,
# in order.
unqualified-search-registries = ["docker.io"]

# - If only one unqualified-search registry is set, use it as there is no
#   ambiguity.
# - If there is more than one registry and the user program is running in a
#   terminal (i.e., stdout & stdin are a TTY), prompt the user to select one of
#   the specified search registries.
# - If the program is not running in a terminal, the ambiguity cannot be
#   resolved which will lead to an error.
short-name-mode = "enforcing"
EOF
cat > "$HOME/.config/containers/storage.conf" << EOF
[storage]
driver = "overlay"
[storage.options.overlay]
mount_program = "/usr/bin/fuse-overlayfs"
EOF
# Create symlink $HOME/.config/systemd/user/default.target.wants/podman.service → $HOME/.local/lib/systemd/user/podman.service.
# Create symlink $HOME/.config/systemd/user/podman.service → $HOME/.local/lib/systemd/user/podman.service.
systemctl --user enable "$HOME/.local/lib/systemd/user/podman.service"

# Create symlink $HOME/.config/systemd/user/sockets.target.wants/podman.socket → $HOME/.local/lib/systemd/user/podman.socket.
# Create symlink $HOME/.config/systemd/user/podman.socket → $HOME/.local/lib/systemd/user/podman.socket.
systemctl --user enable "$HOME/.local/lib/systemd/user/podman.socket"

# Start podman.socket
systemctl --user start podman.socket

# Verify that podman.socket is started
systemctl --user status podman.socket
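The policy.json written in the Configure section above uses insecureAcceptAnything as the default, so every image from every transport is accepted unverified. The following is an added example, not part of the original notes or of the podman project: it writes a stricter policy (reject by default, docker.io opened explicitly, one registry requiring a GPG signature) and defines a check that flags a permissive default. The registry name registry.example.com and the key path /path/to/key.gpg are placeholders; the signedBy entry follows the containers-policy.json(5) format.

```shell
# Added example (not from the original notes): a stricter policy.json than the
# one written above, plus a check that flags a permissive default policy.
# Assumptions: "registry.example.com" and "/path/to/key.gpg" are placeholders.

# Write a policy that rejects images by default and only opens up named
# registries. Argument 1: target directory (default: $HOME/.config/containers).
write_strict_policy() {
    dir="${1:-$HOME/.config/containers}"
    mkdir -p "$dir"
    cat > "$dir/policy.json" << 'EOF'
{
    "default": [
        {
            "type": "reject"
        }
    ],
    "transports": {
        "docker": {
            "docker.io": [
                {
                    "type": "insecureAcceptAnything"
                }
            ],
            "registry.example.com": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "/path/to/key.gpg"
                }
            ]
        }
    }
}
EOF
}

# Return 0 when the "default" entry of a policy.json is insecureAcceptAnything,
# i.e. any image from any source is accepted without verification.
# Whitespace is stripped first so the check works on indented files; this is a
# text match on the page's layout, not a JSON parse.
policy_default_is_permissive() {
    tr -d ' \t\n' < "$1" \
    | grep -q '"default":\[{"type":"insecureAcceptAnything"}\]'
}

# Report on the policy currently in place, if any.
if [ -f "$HOME/.config/containers/policy.json" ]; then
    if policy_default_is_permissive "$HOME/.config/containers/policy.json"; then
        echo "policy.json: default accepts any unverified image"
    else
        echo "policy.json: default is not insecureAcceptAnything"
    fi
fi
```

The default entry applies to every transport, not only registries: with "reject" as the default, local imports such as docker-archive or oci-archive are also refused unless a matching transport scope is added, so test podman load and podman build after tightening the policy.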