Podman on an Offshore VPS
Podman is the daemonless, rootless-friendly container engine from Red Hat. It implements the same CLI as Docker but without a long-running root daemon, which is a meaningful security improvement for shared and exposed servers. Running Podman on an offshore VPS gives you Docker-compatible workflows with a smaller attack surface. AnubizHost VPS plans provide root access and full kernel control for the user namespace features Podman relies on.
Podman vs Docker - Why It Matters on a VPS
Docker runs a privileged daemon (`dockerd`) that owns all container operations. Anyone with access to the Docker socket effectively has root on the host - by design, the daemon needs root to manipulate cgroups, namespaces, and the filesystem. This is a real security concern on shared servers, CI runners, and any system where unprivileged users need to launch containers.
Podman takes a fundamentally different architecture. Each container is a direct child process of the user that ran `podman run`, with no central daemon. Rootless mode (run as a regular user with user namespaces) means a compromised container does not have root on the host - the UID inside the container maps to an unprivileged UID outside. For multi-tenant or security-sensitive VPSes, this is a substantial improvement.
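The UID mapping described above can be checked rather than assumed. The following is an added example, not part of the original page or of Podman itself: it reads a `uid_map` (the kernel's `<inside-start> <outside-start> <length>` format, as printed by `podman unshare cat /proc/self/uid_map`) and reports which host UID a container UID resolves to. The two sample maps, the host UID 1000 and the subuid range 100000:65536 are constructed values.

```shell
#!/bin/sh
# Added example: translate container UIDs to host UIDs from a uid_map.
# uid_map line format: <inside-start> <outside-start> <length>

# Constructed sample: typical rootless mapping for a host user with UID 1000
# and an /etc/subuid range of 100000:65536 (assumed values).
ROOTLESS_MAP='         0       1000          1
         1     100000      65536'

# Constructed sample: a rootful container with no user-namespace remapping.
ROOTFUL_MAP='         0          0 4294967295'

# host_uid MAP CONTAINER_UID -> prints the host UID, or "unmapped"
host_uid() {
    printf '%s\n' "$1" | awk -v c="$2" '
        NF == 3 && c >= $1 && c < $1 + $3 { print $2 + (c - $1); hit = 1; exit }
        END { if (!hit) print "unmapped" }'
}

# maps_host_root MAP -> exit status 0 if any range starts at host UID 0
maps_host_root() {
    printf '%s\n' "$1" |
        awk 'NF == 3 && $2 == 0 && $3 > 0 { bad = 1 } END { exit !bad }'
}

# audit MAP -> prints a one-line verdict for container UID 0
audit() {
    if maps_host_root "$1"; then
        echo "FAIL: container root is host root (uid $(host_uid "$1" 0))"
    else
        echo "OK: container root is host uid $(host_uid "$1" 0)"
    fi
}

audit "$ROOTLESS_MAP"
audit "$ROOTFUL_MAP"
```

In the rootless map, container root resolves to the launching user's own UID and every other container UID lands in that user's subordinate range, so nothing inside the container corresponds to host UID 0.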
The CLI is nearly identical - `podman run`, `podman pull`, `podman build`, `podman ps` all work the same way. Existing Dockerfiles build identically. Compose files work via `podman compose` or via `podman-compose`. For most workflows, Podman is a drop-in replacement. The places where compatibility breaks are usually around tools that talk directly to the Docker socket (Portainer, some CI integrations) - those need explicit Podman support or a Docker-socket compatibility shim.
Rootless Mode and Systemd Integration
The killer feature for VPS use is rootless Podman with systemd user services. You create a regular user, log in as that user, run `podman generate systemd --new --files --name mycontainer`, and Podman writes systemd unit files that start and stop your container as part of the user's systemd session. Combined with `loginctl enable-linger username` so the user's systemd lingers across login sessions, you get auto-restart on boot for containers running entirely without root privileges.
This pattern is especially good for personal services on a VPS - a media server, a personal sync server, a self-hosted bookmark manager. Each user account on the VPS owns its own container stack, isolated from other users, with no shared daemon to attack. If one user's container is compromised, the blast radius is the user's namespace only.
Rootless Podman does have some limitations. Containers cannot bind to ports below 1024 without extra configuration: either forward the port at the kernel level, or set `net.ipv4.ip_unprivileged_port_start=80`, which is a host-wide setting and lets every unprivileged process bind ports 80 and above. NFS and FUSE mounts inside the container need extra setup. For most workloads, these are not blockers, just things to know up front.
Install Podman on Ubuntu 22.04
Podman is packaged in Ubuntu 22.04's repos. Install: `apt install -y podman podman-compose uidmap slirp4netns fuse-overlayfs`. Verify: `podman --version` should report 3.4 or higher on 22.04 (4.x is in 24.04). For the latest Podman, use the Kubic project repo (run as root): `echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_22.04/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list && curl -fsSL https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_22.04/Release.key | gpg --dearmor > /etc/apt/trusted.gpg.d/kubic.gpg && apt update && apt install -y podman`. Note that this path is the repo's `unstable` channel, and that a key placed in `/etc/apt/trusted.gpg.d/` is trusted for every APT source on the host, not only this one.
Configure rootless storage. As a regular (non-root) user: `mkdir -p ~/.config/containers && cat > ~/.config/containers/storage.conf <