blog: Podman and Docker Rootless in DDEV, fixes #453

[stasadev]

The Issue

• Blog: Podman Support for DDEV #453

How This PR Solves The Issue

Adds a blog.

I haven't tested any configuration with Podman Desktop yet, so I don't know if additional configuration is needed there.

Manual Testing Instructions

https://pr-476.ddev-com-fork-previews.pages.dev/blog/podman-and-docker-rootless/

Automated Testing Overview

Related Issue Link(s)

Release/Deployment Notes

[github-actions]

🌐 Fork Preview for PR #476

https://pr-476.ddev-com-fork-previews.pages.dev

This preview updates automatically when you push changes to your fork.

[rfay]

Just starting on this... Since this will come out before v1.25.0, it should mention the v1.25.0 or HEAD requirement to test, right?

[rfay]

Here's my first visit. Congrats on this milestone.

As mentioned, this should probably discourage people from using these options unless they know they need them. Early on it should have a link to normal setup and say "You don't need this unless you think you want it :) "

Now I'll experiment with the various options.

[rfay]

An amazing journey, congratulations!

[rfay]

Maybe add a small statement about why these two features go hand-in-hand, why they developed together.

[rfay]

It is probably worth explaining here that DDEV's traditional support has had its containers run as an unprivileged user, limiting the attack space. DDEV's built-in containers do not use root privileges (although docker itself does need root by default)

[rfay]

Should this say "Linux and WSL2" ?

[rfay]

This is linux-only right? Should mention that.

[rfay]

It's interesting that this is the same classic problem we've had with Docker Desktop for Linux and for a time with virtiofs.

[rfay]

Great section. However, it should encourage standard Docker setup first, with link to the docs, as it's by far the best for local development.

[rfay]

Another comment: One reason people have often requested podman is the belief that it was the only open-source alternative to Docker Desktop. We should clear that up in here, pointing out the there are several other fully open source alternatives on every platform.

[rfay]

This and docs probably need a compatibility table showing all the options and what works etc.

[rfay]

I think we probably need a little more than this. I missed both podman init and podman start. Maybe one of those collapsed sections with basic instructions on macOS and Linux? The majority of our users are macOS, but probably the majority of interested users are on Linux.

[stasadev]

I'll check the formatting options for Markdown here.

[rfay]

I'm not sure if you already have this in there, but the inability to bind to default ports 80/443 is a pretty significant liability for a web developer.

[tyler36]

Just tried installing rootless podman in a isolated WSL Ubuntu environment:

I got a warning "Problem with your Docker provider: installed Podman version 4.9.3 is not supported, please update to version 5.0 or newer."

But it seem Ubuntu old has older versions available(?)

$ sudo nala search podman
...
podman 4.9.3+ds1-1ubuntu0.2 [Ubuntu/noble universe]
└── tool to manage containers and pods

Install Podman Desktop on windows got a "current" version though:

❯ podman -v
podman version 5.7.0

[stasadev]

Summary of Changes from Original Version

• Added release status clarity: now explicitly states support is in DDEV HEAD with GA planned for v1.25.0.
• Added full platform separation: Linux/WSL2, macOS, and Windows now have dedicated sections.
• Added Open Source alternatives to Docker Desktop (Rancher, Lima, Colima, etc).
• Improved rootless security explanation by distinguishing container user vs daemon privileges.
• Moved subuid/subgid setup into the main Podman Rootless configuration flow (more correct).
• Added Docker Rootless loopback/Xdebug fix using RootlessKit environment override.
• Added a full runtime comparison table with features and recommendations.

Content that was shortened or removed

• Removed the full UID/GID failure error log example and explicit recovery command (podman system migrate).
• Removed the explicit privileged ports error message text (rootlessport cannot expose privileged port 80).
• Removed the Arch Linux-specific pacman example for fuse-overlayfs.

Overall Impact

• Documentation is now broader, more accurate, and more structured.
• One-off deep Linux troubleshooting examples were reduced, but no core setup steps were lost.

[stasadev]

I didn't test macOS, hoping for possible improvements or tips from @rfay in this section.

[rfay]

I think this should either be targeted at the v1.25.0 release, or alternately promote it earlier and try to get some people to use HEAD.

It's looking good, I added some more suggestions.

Now I'll try some more manual testing.

[rfay]

Suggested change

	It allows DDEV to work in corporate environments where Docker Desktop is not allowed due to security policies or licensing restrictions.
	It allows DDEV to work in corporate environments where Podman or Rootless Docker are preferred due to security policies or licensing restrictions.

[rfay]

Add a TL;DR with simple statement/link about how to get going.

[rfay]

I think this is great and useful, but should probably move to the bottom. It's too much for most people to absorb, and not directly relevant to getting them going.

[rfay]

Great section. Maybe "Why choose Podman" right after it. Or before it.

[rfay]

Suggested change

Running containers without root privileges is more secure. Traditional Docker and rootful Podman need elevated privileges, which creates security risks in corporate environments where strict security policies apply.

Although DDEV's use of all Docker providers is quite secure, and we run containers as normal users with limited privileges, the rootless approaches to Docker and Podman actually run the *docker daemon* without root privileges, closing additional attack surface. Traditional Docker and rootful Podman daemons need elevated privileges, which creates security risks in corporate environments where strict security policies apply. (Note that DDEV is targeted at local development, where there are few risks of specialized attacks using this vector anyway.)

[rfay]

I guess I'd prefer not to mention DOCKER_HOST, but open to conversation. I think docker contexts are better to use.

[rfay]

I think you had said earlier that podman is innately rootless, so this may need some clarification? Probably we don't even need to cover podman rootful if it has no value.

[rfay]

Suggested change

	Podman Rootless is slower than Docker. See these resources:
	Podman Rootless is significantly slower than Docker. See these resources:

[rfay]

Suggested change

	**Use [standard Docker](https://docs.ddev.com/en/stable/users/install/docker-installation/) if:**
	**Use of the many [standard Docker providers](https://docs.ddev.com/en/stable/users/install/docker-installation/) if:**

[rfay]

Suggested change

	- This is the recommended option for most users
	_This is the recommended option for the vast majority of users._

[rfay]

I got it working fine on macOS and will use it for a while for daily use.

I didn't succeed with Fedora 43. The /mnt/ddev_config was always mounted as root and couldn't be copied at startup time.

I imagine this was something I did wrong.

[rfay]

Is there even a reason to explain podman rootful?

[rfay]

Can we make this a little smarter? Either check whether it exists already in the statement, or make it less obvious? Since it's the first step... everybody will do it, and end up with broken system like I did. I think username:1000:165535 is a great default, but if it has something more specific in there already... remove it? Respect it?