I went all in on podman compose last year but went all back because of constant permission errors. I thought it was going to be better than docker because I run the containers as a user… but man the amount of time I wasted on files that either I or the container itself or some other container couldn’t read… With docker I felt that stuff just works.

And then there are the extra steps: Enable user lingering, make a systemd service that starts the compose containers (and there is nothing really “native”, it’s a script.) With Docker compose containers just restart if you say so in the file.

There are many great things about podman; will try again in a year or so perhaps?

> I went all in on podman compose last year but went all back because of constant permission errors.

The issue is that "ease of use" and "it just works" come at the expense of security and the principle of least privilege. Docker makes things easy by running a daemon as root. Rootless Podman forces you to think about permissions and does not stab you in the back by overwriting your firewall rules.

Yes, the firewall rule altering was what drove us to podman! Was kind of weird to find a container's Postgres wide open on 5432 after a `sudo ufw default deny`. Madness really.

But as said below, the permissions issues got to us.

What kind of stuff is in your compose?

Mostly self made containers, also one with Claude-code, but I couldn't for the life of me get it to be able to store and retrieve credentials in an externally mounted folder (~/.claude). I tried everything from fixing the user creation process in the container, `--userns=keep-id`, `--userns=keep-id:uid=1000,gid=1000`, several tags, :Z, :U, `chown`-ing after creation etc. And I keep running into that stuff.

I wish that "run podman containers as a user, rootless" would just simply mean: All the things are also the property of the user, but you get weird uid/gid combos and stuff on your filesystem as owners you never heard of (like www-data, but not that one in particular) due to the mismatches.

If containers can ever simply be run as user like they are a user process, that would be so nice.
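The "owners you never heard of" effect comes from the user-namespace mapping rootless Podman builds from /etc/subuid. The script below is an added illustration (not code from anyone in this thread); it assumes a host user with uid 1000 and a constructed subuid range starting at 100000 of size 65536, and computes which host uid a given container uid lands on with the default map versus `--userns=keep-id`.

```shell
#!/bin/sh
# Added example: where a container uid ends up on the host under rootless Podman.
# Assumed values (placeholders): host user uid 1000, /etc/subuid "user:100000:65536".

# Default rootless map, i.e. the /proc/self/uid_map rows "0 <huid> 1" and
# "1 <sub_start> 65536": container root becomes you, everyone else becomes a subuid.
map_default() {
  cuid=$1; huid=$2; sub_start=$3
  if [ "$cuid" -eq 0 ]; then
    echo "$huid"
  else
    echo $((sub_start + cuid - 1))
  fi
}

# --userns=keep-id (or keep-id:uid=<huid>): rows "0 <sub_start> <huid>",
# "<huid> <huid> 1", "<huid+1> <sub_start+huid> ...". Only your own uid stays yours.
map_keep_id() {
  cuid=$1; huid=$2; sub_start=$3
  if [ "$cuid" -eq "$huid" ]; then
    echo "$huid"
  elif [ "$cuid" -lt "$huid" ]; then
    echo $((sub_start + cuid))
  else
    echo $((sub_start + cuid - 1))
  fi
}

# Table of typical in-container uids: root, www-data (33), and an app user of 1000/1001.
show_owner_table() {
  huid=$1; sub_start=$2
  printf '%-14s %-14s %-14s\n' 'container uid' 'default map' 'keep-id map'
  for cuid in 0 33 1000 1001; do
    printf '%-14s %-14s %-14s\n' "$cuid" \
      "$(map_default "$cuid" "$huid" "$sub_start")" \
      "$(map_keep_id "$cuid" "$huid" "$sub_start")"
  done
}

show_owner_table 1000 100000
```

A file written by www-data inside the container therefore shows up on the host as uid 100032 (default) or 100033 (keep-id), which is why only a container process running as exactly your uid under keep-id can share a bind-mounted ~/.claude without chown or :U relabelling.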