I’m looking for feedback on my unofficial snap package:
Podman is a daemonless, rootless container engine and a drop-in replacement for Docker. It requires no background daemon and no root privileges. In an era where AI workloads are increasingly deployed as OCI containers, rootless operation matters: unprivileged users can build, run, and orchestrate containers without elevated access, reducing the attack surface for inference services, model APIs, and GPU-backed pipelines.
Podman 5.x includes Quadlet, a native mechanism for running containers as systemd services using declarative .container files. No compose files, no orchestrator daemon, just systemd doing what it already does. For production deployments this means containers that start on boot, restart on failure, and integrate with the host’s service management with no additional tooling.
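An added example of what such a .container file looks like for a rootless service, together with the steps that hand it to systemd; this is illustration only, not code from the snap project or from Podman upstream. The service name, image reference and port are placeholders, and the hardening keys (DropCapability, NoNewPrivileges, ReadOnly, Tmpfs) are the ones I would switch on by default for an unprivileged workload.

```shell
#!/bin/sh
# Added example (not part of m0x41-podman or Podman): render and install a
# rootless Quadlet unit with least-privilege settings.
# Assumed placeholders: NAME, IMAGE and the port mapping are chosen here for
# illustration; the host port stays above 1024 because rootless Podman
# cannot bind privileged ports without extra sysctl changes.

# render_quadlet NAME IMAGE HOSTPORT CONTAINERPORT -> prints the .container unit
render_quadlet() {
    _name=$1; _image=$2; _hport=$3; _cport=$4
    cat <<EOF
[Unit]
Description=$_name (rootless, managed by Quadlet)
After=network-online.target

[Container]
Image=$_image
ContainerName=$_name
# Bind to loopback only; put a reverse proxy in front if it must be public.
PublishPort=127.0.0.1:$_hport:$_cport
# Least privilege: no Linux capabilities, no privilege escalation, read-only root.
DropCapability=ALL
NoNewPrivileges=true
ReadOnly=true
# Writable scratch space only where the workload needs it.
Tmpfs=/tmp
# Pin a tag or digest in production; AutoUpdate keeps the unit current from the registry.
AutoUpdate=registry

[Service]
Restart=on-failure
TimeoutStartSec=300

[Install]
WantedBy=default.target
EOF
}

# install_quadlet NAME IMAGE HOSTPORT CONTAINERPORT -> writes the unit into the
# per-user Quadlet directory, regenerates units and starts the service.
install_quadlet() {
    _dir="$HOME/.config/containers/systemd"
    mkdir -p "$_dir"
    render_quadlet "$@" > "$_dir/$1.container"
    systemctl --user daemon-reload
    systemctl --user start "$1.service"
}

# has_key 'Key=Value' (unit text on stdin) -> exit 0 if that exact line is present.
# Handy as a pre-flight check that the hardening lines survived templating.
has_key() {
    grep -qxF "$1"
}
```

Usage: `install_quadlet api ghcr.io/example/api:1.0 8080 8080` writes `~/.config/containers/systemd/api.container` and starts `api.service` under `systemctl --user`; run `loginctl enable-linger $USER` once so the user manager (and therefore the container) survives logout and comes back after reboot.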
The Snap
m0x41-podman packages Podman v5.8.1 as a classic confinement snap on core22. It bundles all runtime dependencies (crun, conmon, netavark, aardvark-dns, fuse-overlayfs, slirp4netns, catatonit) so that installation requires no additional packages beyond uidmap for rootless mode. The install hook places podman on PATH, registers systemd generators for Quadlet, and installs man pages. Both rootless and rootful operation are supported.
Tested across Ubuntu 22.04, Ubuntu 24.04, Debian 12, CentOS 9 Stream, and Fedora 42.
Packaging Challenges
Packaging Podman as a snap required solving several non-trivial problems. Each is documented with a root cause analysis:
- Library path poisoning: isolating LD_LIBRARY_PATH so snap-bundled libraries don’t leak into host systemd services
- Healthcheck transient units: propagating LD_LIBRARY_PATH into systemd transient units spawned by healthcheck timers
- Binary path in generated units: overriding the snap-internal path in podman generate systemd output via PODMAN_BINARY
- Classic confinement necessity: strict confinement hides the host’s setuid newuidmap/newgidmap, breaking rootless operation entirely
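The first two items are two sides of one problem: a classic snap exports LD_LIBRARY_PATH pointing into its own tree, and any process that inherits that environment (a host unit, or a transient healthcheck unit) will load the snap’s copies of libc-adjacent libraries instead of the host’s. Here is an added check (not part of the snap’s test suite) that a host administrator can run to confirm nothing outside the snap has picked up such a path. It assumes the snap tree lives under /snap/m0x41-podman (the snap name from this post, with revision directories below it) and reads the NUL-separated /proc/PID/environ format.

```shell
#!/bin/sh
# Added example (not part of m0x41-podman): detect LD_LIBRARY_PATH entries
# that point into the snap's tree in the environment of host processes.
# Assumption: the snap mounts under /snap/m0x41-podman/<revision>; override
# SNAP_PREFIX for a different snap name or mount point.

SNAP_PREFIX="${SNAP_PREFIX:-/snap/m0x41-podman}"

# ld_path_poisoned VALUE -> exit 0 if any colon-separated entry of VALUE is
# SNAP_PREFIX itself or a path beneath it. Runs in a subshell so changing IFS
# for field splitting does not leak to the caller.
ld_path_poisoned() (
    IFS=:
    for _entry in $1; do
        case "$_entry" in
            "$SNAP_PREFIX"/*|"$SNAP_PREFIX") exit 0 ;;
        esac
    done
    exit 1
)

# environ_poisoned FILE -> exit 0 if FILE, in /proc/<pid>/environ format
# (NUL-separated KEY=VALUE records), carries a poisoned LD_LIBRARY_PATH.
environ_poisoned() {
    _val=$(tr '\000' '\n' < "$1" | sed -n 's/^LD_LIBRARY_PATH=//p' | head -n 1)
    [ -n "$_val" ] && ld_path_poisoned "$_val"
}

# scan_host_processes -> prints "PID COMMAND" for every process whose
# environment is poisoned. Needs root to read other users' environ files;
# unreadable entries are skipped silently.
scan_host_processes() {
    for _env in /proc/[0-9]*/environ; do
        _pid=${_env#/proc/}; _pid=${_pid%/environ}
        if environ_poisoned "$_env" 2>/dev/null; then
            printf '%s %s\n' "$_pid" "$(tr '\000' ' ' < "/proc/$_pid/cmdline" 2>/dev/null)"
        fi
    done
}
```

Run `sudo sh -c '. ./ldcheck.sh; scan_host_processes'` after installing the snap and again after a reboot; an empty result is the expected state. The only processes that should ever show up are the snap’s own wrapper and the podman it launches, so any host unit in the list (sshd, a database, another container engine) is the poisoning the post describes. For healthcheck timers specifically, compare the output of `systemctl show -p Environment <transient-unit>` against the same predicate.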
Testing and Confidence
My objective measure of “working” is the upstream BATS test suite: 785 tests covering the full Podman CLI surface. The snap achieves approximately 96% pass rate in root mode and 84% in rootless (excluding pasta-specific tests that do not apply). Testing was performed in both LXD containers and VMs to ensure host-side effects like network integrity, library path isolation, systemd health, and reboot survival are validated, not just container-internal behaviour.
The core packaging (snapcraft.yaml, patches, wrappers, hooks, and configs) is around 700 lines. The remaining 7,100+ lines across 44 files are test automation and documentation to prove that it works. Since the first working snap on 22 March 2026, the project has accumulated 76 commits and an estimated 10,000+ individual test executions across five distributions in both LXD containers and VMs. The upstream source is unmodified beyond two small patches totalling 72 lines.
Installation
The snap is not available on the Snap Store. A classic confinement request was submitted but not granted. It must be sideloaded from GitHub Releases:
curl -fsSL -o m0x41-podman.snap \
"https://github.com/miah0x41/m0x41-podman/releases/latest/download/m0x41-podman_5.8.1+snap1_amd64.snap"
sudo snap install m0x41-podman.snap --dangerous --classic
The snap should be treated with caution as it is an unofficial package installed with --dangerous. That said, I have two production use cases running in rootless mode with Quadlet orchestrating OCI containers, and both have been stable.
Source and Adoption
The entire project (snapcraft.yaml, build scripts, test automation, patches, and documentation) is open source under Apache 2.0. Anyone in the community is welcome to fork the repository and maintain a Podman snap under their own name or as part of an official effort. If a formally maintained Podman snap becomes available on the Store, I will deprecate this repository in its favour.