
I'll answer this for you. You want rootless podman because docker is the de facto standard way of packaging non-legacy software now, including autoupdates. I know, sad... Podman still does not offer a convenient and mature way for systemd to run it with an unprivileged user. It is the only gripe I've had with this approach...


This is no longer true as of Podman 5 and Quadlet?

You can define rootless containers to run under systemd services as unprivileged users. You can use machinectl to log in as said user and interact with systemctl.


Can you please link the docs for this?


This is a good intro [0], courtesy of Redhat.

This is a good example [1], cited elsewhere in this post.

Documentation for quadlet systemd units [2].

[0]: https://www.redhat.com/en/blog/quadlet-podman

[1]: https://mo8it.com/blog/quadlet/

[2]: https://docs.podman.io/en/latest/markdown/podman-systemd.uni...


You see, my issue with this is that it suggests using the quadlets with lingering users... Which is the same annoying case as with the article. It is not as with other systemd services that you just instruct systemd to take a temporary uid/gid and run the service with it.


Quadlet debuted with Podman 4.4 iirc.


Oh yes, correct!


I really like rootless podman, but there is one quirk in that if you want to preserve the original source IP address (e.g. for web server logs), you have to use a workaround which has a performance penalty.

https://github.com/containers/podman/issues/10884

https://github.com/containers/podman/pull/9052

https://github.com/containers/podman/pull/11177


That workaround is not needed if the web server container supports socket activation. Due to the fork-exec architecture of Podman, the socket-activated socket is inherited by the container process. Network traffic sent over this socket-activated socket has native performance. https://github.com/containers/podman/blob/main/docs/tutorial...
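As an added example (not from any commenter in this thread), here is the rootless Quadlet setup that the two comments above describe: a user-level systemd socket that owns the listening port, paired with a `.container` unit that inherits it, so web server logs see the real client address without the slirp/port-forwarding penalty. The unit names, port and image are placeholders; the image must contain a server that accepts a socket-activated listener (LISTEN_FDS), as the Podman socket activation tutorial linked above requires.

```ini
# File 1: ~/.config/systemd/user/web.socket
# A plain user systemd unit (no root). systemd binds the port itself, so the
# accepting peer address is the client's, not a forwarder's.
[Unit]
Description=Listening socket for the rootless web container

[Socket]
# Placeholder port; an unprivileged user can only bind ports >= 1024
# unless net.ipv4.ip_unprivileged_port_start has been lowered.
ListenStream=0.0.0.0:8080

[Install]
WantedBy=sockets.target

# File 2: ~/.config/containers/systemd/web.container
# Quadlet generates web.service from this file; web.socket activates it by
# name because both units share the "web" stem.
[Unit]
Description=Rootless, socket-activated web server container
Requires=web.socket
After=web.socket

[Container]
# Placeholder image: the server inside must pick up the inherited fd via
# LISTEN_FDS/LISTEN_PID like any socket-activated daemon.
Image=localhost/socket-activated-web:latest
# No PublishPort= is needed: the port is handed in by systemd. With the
# socket inherited, the container needs no network stack of its own, which
# removes a whole class of egress and lateral-movement paths.
Network=none

[Service]
Restart=on-failure

[Install]
WantedBy=default.target
```

After placing both files, `systemctl --user daemon-reload && systemctl --user enable --now web.socket` starts the listener, and `loginctl enable-linger "$USER"` keeps the user's systemd instance alive across logouts (the lingering requirement the thread complains about). The first connection to port 8080 triggers `web.service`, which you can inspect with `systemctl --user status web.service` or, from another account, via `machinectl shell user@`.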


Correct me if I'm wrong but doesn't pasta solve this?
