@Larvitz So the post starts with how podman is great because it supports rootless containers and then goes at length to describe a full example setup of not using rootless containers.

I do struggle with a great setup of podman rootless in production setups. More documentation on that would be much appreciated - like having the full forgejo example just rootless.

@pixelschubsi Even rootful, Podman has the advantage of cleanly forked, seperate processes and the absence of a central daemon. That's already a better security posture than Docker has and it simply feels "cleaner".

I did opt for rootful containers in my setup because of the networking. If I'd run containers in user-contexts, then my Traefik setup with automatic ingress routing based on labels wouldn't work so frictionless, because the networks are user-specific and countainers wouldn't be able to find each other.

I run some containers rootless ($HOME/.config/containers/systemd/*.container), but that's usually not web-applications.