Docker Alternative with Podman

In this tutorial, we install an Ubuntu Linux Server with the latest version 21.04. Instead of Docker, we’re using Podman to containerize our applications, and Cockpit to manage our entire Linux server with a nice graphical web interface. So you can still manage containers on your Linux server easily and securely! And of course, we’re protecting our web interface with trusted SSL certs.


Why should we want to replace Docker?

If you follow my YouTube Channel and my tutorials, you know that I absolutely love Docker. And I don’t think there is necessarily something bad about it, but still, it’s always good to have alternative options. Podman is a very nice alternative to Docker because it uses the same command syntax.

How to install Podman

You can install Podman on Linux, macOS, or Windows. In our example, because we’re using Ubuntu 21.04, we can just install it from the Ubuntu repository.

sudo apt install podman

For older Ubuntu versions or other Linux Distributions, just follow the official installation instructions.

Linux Server Management with Cockpit

Although Linux servers are often managed via the terminal, sometimes it’s nice to have a web interface. Because you can better see metrics, quickly check events, and so on.

The Cockpit-Project is such a graphical interface. It was originally developed for Red Hat Enterprise Linux and is the default management tool there. Therefore, it works best on RHEL-based distributions, but other distros are also supported. Since Ubuntu 21.04, it also works very well on Ubuntu.

Install Cockpit on Ubuntu 21.04

Note, if you’re using an older version of Ubuntu, I wouldn’t necessarily recommend upgrading yet. Especially if you are using the LTS version, keep running it. The only package that’s not available in older LTS versions of Ubuntu is the cockpit-podman package. So, my experience is, that it works best with Ubuntu 21.04 and probably newer versions as well.

With the following command, we install Cockpit and the Podman extension.

sudo apt install cockpit cockpit-podman

When the installation was successful, just access it on port 9090. The interface is very easy and intuitive. You can manage your entire Linux server, update packages, set up basic configuration, and manage containers with Podman. Awesome, right?

Manage Podman containers with Podman-Compose

Now, we can start managing Podman containers with Cockpit. It’s nice to get some metrics, and to restart and stop containers. But to be honest, the Cockpit-Podman extension is missing some crucial features when it comes to creating containers. You can’t even edit container configuration files once they are deployed, something that’s possible with Docker and Portainer, for example.

Therefore, I’ve searched for another method to comfortably manage containers in the CLI. And my preferred solution is Podman-Compose, which is an implementation of the Docker-Compose tools with Podman in the backend. It’s a Python script we can simply install via the following commands.

sudo apt install python3-pip
pip3 install podman-compose

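pip3 installs the podman-compose script into ~/.local/bin, so that directory has to be in your PATH. You can also put the following command into your .bashrc or .zshrc file to make it persistent!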

export PATH=$PATH:$HOME/.local/bin

Managing Pods and Containers with Podman-Compose is pretty easy, just like Docker-Compose. One difference I’ve noticed is that you need to create any volume folders first before starting the containers!

Protect Cockpit with a Reverse Proxy

To easily protect Cockpit with trusted SSL certs, we will use the Nginx Proxy Manager. It’s very easy to configure because it also has a web interface. And we can use Podman and Podman-Compose to deploy it simply on our server!

I’ve done several videos and tutorials on Nginx Proxy Manager. If you want to learn more about it and how to deploy it also with Docker, check out my other tutorial.

Change unprivileged ports

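Before we can start running Podman containers rootless, we need to lower the start of the unprivileged port range, because by default Podman doesn’t allow us to expose any ports lower than 1024 without root privileges. Keep in mind that this kernel setting is system-wide: once it is set to 80, any local user can bind to ports 80 and above.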

Simply open the /etc/sysctl.conf file and add this line at the end.

net.ipv4.ip_unprivileged_port_start=80

Deploy Nginx Proxy Manager

Let’s create a new project folder.

mkdir -p /opt/npm

Once we have created all folders, create a new compose file called docker-compose.yaml in the directory.

version: '3'

volumes:
  nginxproxymanager-data:
  nginxproxymanager-ssl:
  nginxproxymanager-db:

services:
  nginxproxymanager:
    image: 'jc21/nginx-proxy-manager:latest'
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
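    environment:
      # Must be the name of the database service defined below.
      DB_MYSQL_HOST: "nginxproxymanager-db"
      DB_MYSQL_PORT: 3306
      DB_MYSQL_USER: "npm"
      # Replace the sample password; it has to match MYSQL_PASSWORD below.
      DB_MYSQL_PASSWORD: "npm"
      DB_MYSQL_NAME: "npm"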
    volumes:
      - nginxproxymanager-data:/data
      - nginxproxymanager-ssl:/etc/letsencrypt
  nginxproxymanager-db:
    image: 'jc21/mariadb-aria:latest'
    environment:
      MYSQL_ROOT_PASSWORD: 'npm'
      MYSQL_DATABASE: 'npm'
      MYSQL_USER: 'npm'
      MYSQL_PASSWORD: 'npm'
    volumes:
      - nginxproxymanager-db:/var/lib/mysql

We can start our services from inside the /opt/npm directory with the following command.

podman-compose up -d

Then you should be able to access the web interface of Nginx Proxy Manager on Port 81.

Authenticate with the default username admin@example.com and the default password changeme. Change both right after the first login.

Configure a new Proxy Host

For the Cockpit web interface, we can simply create a new proxy host. It will obtain trusted SSL certificates and expose Cockpit securely.

Add a new Proxy Host and make sure you select HTTPS as the scheme, because Cockpit uses HTTPS by default. As the Forward Hostname / IP, just use the internal or public IP address of your server. If you use the internal IP address, you can limit the listening address of Cockpit later. That way, Cockpit can’t be reached from external networks without going through the reverse proxy!

In this example, I’ve used the public DNS name npm3.the-digital-life.com and forwarded it to the internal IP address of my server, using the Cockpit Port 9090.

Let’s test if we’re able to connect with the domain name. And you can see our connection to Cockpit is now secured via a trusted SSL cert.

Stop listening on Port 9090

Let’s also limit access to our Cockpit Web Interface. Because you could still just use the public IP address on the port 9090 to access Cockpit. If you have used the server’s internal IP address in Nginx Proxy Manager, you can now limit access to this IP address. So that only Nginx Proxy Manager and other internal servers are able to connect to our administrative interface.

Create a new file /etc/systemd/system/cockpit.socket.d/listen.conf and add the following lines.

[Socket]
ListenStream=
ListenStream=<internal-ip-address>:9090
FreeBind=yes

To make these settings active, execute the following commands in the terminal.

sudo systemctl daemon-reload
sudo systemctl restart cockpit.socket
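
To confirm the drop-in took effect, you can check which addresses still listen on port 9090. The script below is an added example, not part of the original tutorial; the function name check_listeners, the sample ss lines, and the address 10.0.0.5 (standing in for <internal-ip-address>) are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the cockpit.socket drop-in took effect by checking
# which local addresses listen on a port. Feed it `ss -Hltn` output on stdin.

# check_listeners PORT ALLOWED_ADDR
#   prints each address bound to PORT that is not ALLOWED_ADDR
#   returns 0 = only ALLOWED_ADDR, 1 = other listener found, 2 = nothing on PORT
check_listeners() {
    awk -v port="$1" -v allowed="$2" '
        {
            n = match($4, /:[0-9]+$/)        # port follows the last colon (IPv6-safe)
            if (!n || substr($4, n + 1) != port) next
            addr = substr($4, 1, n - 1)
            gsub(/^\[|\]$/, "", addr)        # [::] -> ::
            sub(/%.*$/, "", addr)            # drop interface scope such as %eth0
            seen = 1
            if (addr != allowed) { print addr; bad = 1 }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    '
}

# Constructed sample: stock Cockpit socket (wildcard listener on 9090).
SAMPLE_DEFAULT='LISTEN 0 4096 *:9090 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*'

# Constructed sample: after the drop-in; 10.0.0.5 stands in for <internal-ip-address>.
SAMPLE_LIMITED='LISTEN 0 4096 10.0.0.5:9090 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

report() {  # report LABEL SS_OUTPUT
    if found=$(printf '%s\n' "$2" | check_listeners 9090 10.0.0.5); then
        echo "$1: Cockpit reachable only via 10.0.0.5"
    else
        echo "$1: problem (exit $?) ${found:+exposed on: $found}"
    fi
}
report "default" "$SAMPLE_DEFAULT"
report "limited" "$SAMPLE_LIMITED"

# Live use on the server: ss -Hltn | check_listeners 9090 <internal-ip-address>
```

An exit status of 2 means nothing is listening on the port at all, which with FreeBind=yes can simply mean the socket unit has not been restarted yet.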

And now you can only access your Cockpit web interface through a secured reverse proxy! I think it’s a nice alternative to Docker. And with the Cockpit UI, you also have a cool, amazing system to manage your Linux server.