How to run your first rootless container with Podman
Here is a hands-on guide to getting Podman up and running. We will focus on the "Happy Path" of installation and demonstrate the security benefits of running rootless containers immediately.
Prerequisites
- A terminal window.
- Linux Users: You are ready to go natively.
- Mac/Windows Users: Podman runs a small Linux VM in the background (similar to Docker Desktop) to host the containers.
Step 1: Installation
Select your operating system below.
Fedora / CentOS / RHEL (The native home of Podman)
Podman comes pre-installed on many newer versions, but if you need it:
sudo dnf install -y podman
Ubuntu / Debian
sudo apt-get update
sudo apt-get install -y podman
macOS (via Homebrew)
brew install podman
# Initialize the virtual machine (Mac only)
podman machine init
podman machine start
Windows
The easiest method is the Windows installer from the Podman website, or Winget. Either way the Linux machine runs on WSL 2 by default, so enable WSL 2 first if you have not already:
winget install RedHat.Podman
# Initialize the machine
podman machine init
podman machine start
Step 2: The Sanity Check
Before running containers, let’s ensure Podman is installed and creating the correct environment.
Run this command:
podman info
What to look for:
Scroll to the host: section and find the security: block. It contains a rootless: line.
- rootless: true: congratulations, Podman is running containers as your own user, not as the system administrator.
- rootless: false: you almost certainly ran the command with sudo. Stop! Do not use sudo with Podman unless you explicitly want root-owned, system-wide containers; the rest of this guide assumes rootless mode.
Step 3: Running Your First Service
We will run an Nginx web server.
Because we are running as a standard user (rootless), we have one constraint: we cannot bind to privileged ports. By default Linux reserves ports below 1024 for root (the threshold is the net.ipv4.ip_unprivileged_port_start sysctl, which an administrator can lower, but we will not rely on that here), so 80 and 443 are off limits. Instead, we publish the service on a high port such as 8080.
Execute the following:
podman run -dt -p 8080:80 --name my-secure-web docker.io/library/nginx
Breakdown of the flags:
- -dt: run detached (in the background) and allocate a pseudo-TTY.
- -p 8080:80: publish port 8080 on your machine and forward it to port 80 inside the container. This listens on all interfaces; to expose it only to your own machine, use -p 127.0.0.1:8080:80 instead.
- --name my-secure-web: give the container a human-readable name.
- docker.io/library/nginx: a fully qualified image name. Unlike Docker, Podman does not silently default to Docker Hub; a bare nginx only works if registries.conf lists search registries (Fedora and RHEL ship docker.io in that list and prompt you to choose). Spelling out the registry removes the ambiguity and the chance of pulling a look-alike image from a different registry.
Check if it works by opening your browser to http://localhost:8080 or running:
curl http://localhost:8080
Step 4: The "Magic Trick" (Verifying Rootless Isolation)
This is the most important part of the tutorial. We are going to prove that while the container thinks it is root, your host machine knows better.
1. Ask the container who it is:
podman exec my-secure-web whoami
Output: root
Inside the container, Nginx believes it has free rein: the master process runs as root and drops its worker processes to an unprivileged nginx user, exactly as it would on a bare-metal install.
2. Ask the host machine who owns the process:
We will use podman top to inspect the running process from the host's perspective.
podman top my-secure-web user huser
- user: the user inside the container.
- huser: the user on the host machine.
Output (one row per Nginx process; the exact names and numbers depend on your account):
USER    HUSER
root    your_username (or your UID, e.g. 1000)
nginx   a subordinate UID from your /etc/subuid range, e.g. 100100
The DevOps takeaway: even if an attacker compromises Nginx and breaks out of the container, they do not land on your server as root. Container root is simply your own UID, and the worker processes map to subordinate UIDs that own nothing on the host. The caveat cuts both ways: an escape from container root is an escape to your account, with everything your account can read and write, so run production services under a dedicated low-privilege user rather than your interactive login.
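The checks in Steps 2 and 4, and the UID arithmetic behind the huser column, as an added shell script that is not part of the original post or of Podman itself. It assumes the container name my-secure-web from Step 3, a host UID of 1000, and a subordinate range of 100000 to 165535 in /etc/subuid (the common defaults); the sample podman info and podman top outputs are constructed, not captured, so the script also runs on a machine without Podman.

```shell
#!/bin/sh
# check_rootless.sh - verify the rootless "magic trick" from the guide.
# Added example for this tutorial; not Podman's code and not from the original post.
# Assumptions: container "my-secure-web", host UID 1000, /etc/subuid range
# 100000 with 65536 entries.  Adjust the constants for your own account.
set -eu

# 1. Does `podman info` output report rootless mode?  Reads the text on stdin
#    and returns 0 when a "rootless: true" line is present.
info_is_rootless() {
    grep -Eq '^[[:space:]]*rootless:[[:space:]]*true[[:space:]]*$'
}

# 2. Does any row of `podman top <ctr> user huser` output show a host user of
#    root?  Reads the text on stdin; returns 0 when no host-side process is root.
top_has_no_host_root() {
    awk 'NR > 1 && $2 == "root" { bad = 1 } END { exit bad ? 1 : 0 }'
}

# 3. Translate a container UID to the host UID under Podman's default rootless
#    map: container 0 -> your UID, container 1.. -> subuid start, start+1, ...
#    (the same two lines `podman unshare cat /proc/self/uid_map` prints).
#    usage: host_uid_for <container_uid> <your_uid> <subuid_start> <subuid_count>
host_uid_for() {
    cuid=$1; me=$2; start=$3; count=$4
    if [ "$cuid" -eq 0 ]; then
        echo "$me"
    elif [ "$cuid" -le "$count" ]; then
        echo $((start + cuid - 1))
    else
        echo "unmapped"   # outside your allocation: not usable inside the container
    fi
}

# Constructed sample output modelled on what podman prints (not captured).
SAMPLE_INFO='host:
  security:
    rootless: true
    seccompEnabled: true'

SAMPLE_TOP='USER        HUSER
root        1000
nginx       100100
nginx       100100'

if command -v podman >/dev/null 2>&1 && podman container exists my-secure-web 2>/dev/null; then
    # Live mode: query the real CLI.
    podman info | info_is_rootless && echo "rootless: yes"
    podman top my-secure-web user huser | top_has_no_host_root && echo "no host root: ok"
else
    # Offline mode: run the same checks over the constructed samples.
    printf '%s\n' "$SAMPLE_INFO" | info_is_rootless && echo "rootless: yes (sample)"
    printf '%s\n' "$SAMPLE_TOP" | top_has_no_host_root && echo "no host root: ok (sample)"
fi
# The nginx worker (UID 101 in the official image) lands on host UID 100100.
echo "container uid 101 (nginx) -> host uid $(host_uid_for 101 1000 100000 65536)"
```

The two parsers take their input on stdin so the same functions serve both the live and the offline path; host_uid_for is the arithmetic you need when a file written by a container shows up on the host owned by a six-digit UID and you want to know which container user created it.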
Step 5: Clean Up
Podman commands mirror Docker's, so cleanup is intuitive.
# Stop the container
podman stop my-secure-web
# Remove the container
podman rm my-secure-web
Troubleshooting Tip: "Short Names"
If you ran podman run alpine and it failed with a short-name resolution error, it is because Podman will not guess which registry a bare name refers to.
Fix: add docker.io to the unqualified-search-registries list in /etc/containers/registries.conf (or in your per-user ~/.config/containers/registries.conf, which takes precedence for rootless users), or simply always use the full name, docker.io/library/alpine. The second option is the safer habit: every extra registry on that search list is one more place a look-alike name could be served from.
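Both fixes in script form, as an added example that is not part of the original post or of Podman. qualify_image reproduces only the Docker Hub convention (no slash means an official image under library/, a first component with a dot, a colon or the word localhost is a registry host); it knows nothing about the search list in your registries.conf and is not Podman's own resolver. write_user_registries_conf writes the per-user file to whatever path you pass it, so it can be tried on a temporary path first.

```shell
#!/bin/sh
# qualify_image.sh - turn Docker-style short names into the fully qualified
# references Podman wants, and write a user-level registries.conf.
# Added example for this tutorial; not Podman's resolver and not from the post.
set -eu

# usage: qualify_image <name[:tag][@digest]>  -> prints the qualified reference
qualify_image() {
    ref=$1
    case $ref in
        */*)
            first=${ref%%/*}   # text before the first slash
            # A first component containing a dot or a colon, or equal to
            # "localhost", is a registry host (quay.io, registry:5000, ...).
            case $first in
                *.*|*:*|localhost) echo "$ref"; return ;;
            esac
            echo "docker.io/$ref"            # myorg/tool -> docker.io/myorg/tool
            ;;
        *)
            # No slash at all: an official image, even when a tag has a colon.
            echo "docker.io/library/$ref"    # nginx:1.25 -> docker.io/library/nginx:1.25
            ;;
    esac
}

# Write a per-user registries.conf (Podman reads ~/.config/containers/registries.conf
# ahead of /etc/containers/registries.conf for rootless users) that lets bare
# names resolve to Docker Hub and nowhere else.
# usage: write_user_registries_conf <path>
write_user_registries_conf() {
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<'EOF'
# Search only Docker Hub for unqualified names.  Every extra registry added
# here is another place a look-alike image name could be served from.
unqualified-search-registries = ["docker.io"]
EOF
}

# Demo: show how each form of name is qualified.
for name in alpine nginx:1.25 myorg/tool quay.io/podman/stable localhost/dev registry:5000/app; do
    printf '%-24s -> %s\n' "$name" "$(qualify_image "$name")"
done
# To apply the fix for real, uncomment the next line:
# write_user_registries_conf "$HOME/.config/containers/registries.conf"
```

Run it once to see the mapping table; if you do write the per-user file, a plain podman run alpine will then pull from Docker Hub without prompting, while names from other registries must still be spelled out in full.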
Next Steps for a DevOps Engineer
Now that you have a running container, we can leverage Podman's Kubernetes integration.
But, that's for the next post.