Podman on CentOS Stream 9: Moving Beyond Docker for Enhanced Security with Rootless Containers

CentOS tutorial - IT technology blog

Why Docker is No Longer the Top Choice on CentOS Stream 9?

If you’re using CentOS Stream 9 and still installing Docker out of habit, you might be making things harder for yourself. Red Hat removed Docker from the official repositories long ago, focusing instead on Podman—a superior alternative that is fully compatible with the RHEL ecosystem.

The daemon-based architecture is Docker’s Achilles’ heel. Every command you type must “ask permission” from a process running with root privileges (the Docker daemon). If this daemon hangs, all your containers go down instantly. More dangerously, because that daemon runs as root, an attacker who breaks out of a compromised container lands on the host server with root privileges, and a user who can talk to the daemon socket is effectively root as well.

I once had a major scare when the Docker daemon on a CentOS 8 server cluster froze. As a result, all client websites crashed, and it took nearly two hours to recover. After that incident, I switched entirely to Podman. It solves these issues completely thanks to its daemonless architecture and the ability to run rootless containers. You can run containers as a regular user without ever needing sudo.

Installing Podman on CentOS Stream 9

Installing Podman on CentOS is incredibly easy because it is a native, first-party tool. You don’t need to add external repositories or deal with complex configurations.

# Update the system
sudo dnf update -y

# Install Podman
sudo dnf install podman podman-docker -y

The podman-docker package creates a symlink. When you type the docker command, the system actually executes podman. This clever trick ensures your old scripts continue to run smoothly without needing any code changes. The wrapper prints a short “Emulate Docker CLI using podman” notice on standard error; create the empty file /etc/containers/nodocker to silence it.

Verify the installation with the following command:

podman --version

Configuring Rootless Containers: A Real Security Shield

This is Podman’s most valuable feature. To allow a regular user to run containers, we need to configure subuid and subgid: each user is granted a range of subordinate IDs (usually 65,536) that are mapped to the IDs inside the container. Root (UID 0) inside the container maps to your own UID on the host, and the remaining container UIDs map into that subordinate range, so a process that is “root” inside the container holds no privileges on the host.

Step 1: Check the user’s ID range

Usually, CentOS Stream 9 configures this automatically when a user is created. Check it with this command:

grep "^$USER:" /etc/subuid /etc/subgid

If the output is empty, add the range manually (replace myuser with your actual username, and pick a range that does not overlap any entry already present in /etc/subuid or /etc/subgid):

sudo usermod --add-subuids 100000-165535 myuser
sudo usermod --add-subgids 100000-165535 myuser

Step 2: Keep containers running in the background (Linger)

With rootless Podman, containers run inside your user session, so systemd may stop them when you log out of your SSH session. To keep applications running 24/7 like a service, enable the linger feature, which keeps your user’s systemd instance alive after logout:

sudo loginctl enable-linger $USER

Deploying Your First Container: A Real-World Test

Let’s try running an Nginx container without using sudo. You will notice that Podman consumes very few resources (often just a few MB of RAM when idle, compared to the hundreds of MB used by the Docker daemon).

# Pull image from registry
podman pull nginx:alpine

# Run container on port 8080
podman run -d --name my-web -p 8080:80 nginx:alpine

Note: Rootless mode does not allow binding to ports below 1024 (like 80 or 443) for system security reasons; the threshold is the kernel’s net.ipv4.ip_unprivileged_port_start sysctl, which an administrator can lower if a rootless container genuinely must listen on 80 or 443. That is why I used port 8080 in the example above.

Managing Containers Professionally with Systemd

Podman integrates exceptionally well with Systemd. Instead of relying on the sometimes unreliable --restart always flag, Podman generates unit files for Systemd to manage directly. (Podman 4.4 and later mark podman generate systemd as deprecated in favour of Quadlet unit files, but the command still works on CentOS Stream 9.)

How to turn the my-web container into a service that starts automatically with the OS:

# Create configuration directory
mkdir -p ~/.config/systemd/user/
cd ~/.config/systemd/user/

# Generate service file
podman generate systemd --name my-web --files --new

# Enable the service
systemctl --user daemon-reload
systemctl --user enable --now container-my-web.service

Now, you can check the status professionally: systemctl --user status container-my-web.

Two “Classic” Mistakes for Podman Newbies

In practice, users often run into these two issues:

  1. Permission Denied: When mounting volumes in a rootless container, the internal user is often blocked from writing files. Add the :Z flag to your mount command to let Podman handle SELinux automatically: -v /data:/app:Z (use :z instead when several containers must share the same directory). If the process inside the container runs as a non-root UID, you may additionally need the host files owned by a matching mapped UID, for example by running the container with --userns=keep-id.
  2. Image Source Prompt: Unlike Docker, which defaults to Docker Hub, Podman will ask you to choose between quay.io or docker.io. You can set a default source with the unqualified-search-registries setting in the /etc/containers/registries.conf file to avoid manual selection.

Monitoring System Performance

To see how much CPU and RAM your containers are consuming, use the command:

podman stats

If you prefer a visual web interface, install the Cockpit module. With just one command, you’ll have a sleek container management dashboard:

sudo dnf install cockpit-podman -y

Enable the cockpit.socket unit, allow port 9090 through the firewall, then access https://your-ip:9090 and all your container metrics will be clearly displayed. Switching to Podman on CentOS Stream 9 is not just about following a trend; it is a vital step toward securing your infrastructure and simplifying container management in the long run.
