Podman Global Configuration for Rootless Services

The main design choice was simple: one Unix user per app or service, with rootless Podman as the default runtime model.

That only works well if the global container defaults are boring and predictable.

What mattered most

The important pieces were:

  • a rootless-friendly runtime setup
  • one consistent network backend
  • storage that behaves without elevated privileges
  • user services that can keep running without an interactive login

Those are not glamorous settings, but they decide whether the platform feels stable or improvised.
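The four pieces above, as an added example that is not from the post: a hypothetical POSIX shell helper that provisions one service user with a pinned network backend, overlay storage under the user's home, a subordinate uid/gid range, and lingering so its user units survive logout. The user name, paths, range sizes and config values (netavark, systemd cgroups) are assumptions, and `usermod --add-subuids` needs a shadow-utils release that supports it.

```shell
# Hypothetical provisioning helper (assumed paths/values, not from the post):
# one Unix user per service, rootless Podman with pinned global defaults.
set -eu
SUBID_SIZE=65536            # size of each user's subordinate uid/gid range
NETWORK_BACKEND=netavark    # one network backend for every service user
# Per-user containers.conf: systemd cgroups and a single network backend.
write_containers_conf() {   # $1 = config dir
    mkdir -p "$1"
    cat > "$1/containers.conf" <<EOF
[engine]
cgroup_manager = "systemd"

[network]
network_backend = "$NETWORK_BACKEND"
EOF
}
# Per-user storage.conf: overlay layers under the home dir, state under /run/user.
write_storage_conf() {      # $1 = config dir, $2 = home dir, $3 = uid
    mkdir -p "$1"
    cat > "$1/storage.conf" <<EOF
[storage]
driver = "overlay"
graphroot = "$2/.local/share/containers/storage"
runroot = "/run/user/$3/containers"
EOF
}
# Drift check: succeed only if both files pin the expected backend and driver.
check_user_config() {       # $1 = config dir
    if grep -q "network_backend = \"$NETWORK_BACKEND\"" "$1/containers.conf" 2>/dev/null &&
       grep -q 'driver = "overlay"' "$1/storage.conf" 2>/dev/null; then
        return 0
    fi
    return 1
}
# Root-only step: create the user, give it a subuid/subgid range, write its
# config, and enable lingering so its user units run without a login session.
provision_service_user() {  # $1 = user name, $2 = first subordinate id
    useradd --create-home "$1"
    last=$(( $2 + $SUBID_SIZE - 1 ))
    usermod --add-subuids "$2-$last" --add-subgids "$2-$last" "$1"
    home=$(getent passwd "$1" | cut -d: -f6)
    write_containers_conf "$home/.config/containers"
    write_storage_conf "$home/.config/containers" "$home" "$(id -u "$1")"
    chown -R "$1" "$home/.config"
    loginctl enable-linger "$1"
}
# Only touches the system when explicitly asked, e.g. PROVISION_USER=svc-web.
if [ -n "${PROVISION_USER:-}" ]; then
    provision_service_user "$PROVISION_USER" "${SUBID_START:-100000}"
fi
```

The write and check functions can be exercised as any user against a scratch directory; only `provision_service_user` needs root.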

Why I liked the model

This configuration style gave me:

  • stronger separation between workloads
  • less dependence on a central root-owned daemon
  • easier mapping between Unix ownership and container ownership
  • a cleaner fit for sidecars, Vault agents, and per-service trust material

What I would keep

I would still keep the same broad rule:

  • root installs and defines the platform
  • individual service users own their own containers and state

That is what made the VPS feel like small infrastructure rather than one shared process pile.