So, I’ve finally gotten a comfortable setup for my beautiful podman quadlets, its a simple debian system, heavily systemd reliant, and I’m curious about how yall admin such a thing, I’ve got a couple of scripts to create users, skel the home directories, and templates for services.
I’m particularly curious about handling subids, I’m pretty careful about them and not using too too many, mostly for being afraid of running out of them lol. But from what I’ve seen, linux allows you to go real stupid with it, like having a shitton of range and entrances.
I personally give my quad users like 500 subids to work with and they generally work fine, it really depends on if I’m gonna have more than one service running on them or not.


Are you running rootless or rootfull containers?
At least with rootless containers (I have not used roortfull) I think its quite pointless to create separate users for the services, as you could use just the subuids (and/or SELinux) to get container separation, as you already seem to do .
I run my quadlets with uidmap and gidmaps, so I get explicit control of the mappings. It can be a tad tedious at times but I think it’s worth the hassle.
I had no idea you could just use the subids from their respective etc files, I just followed what the podman documentation recommends, I like that the containermapping ids like this is def much simpler than creating users per process, and probably less resource intensive. thanks for sharing ur input :)
I’m also afraid of SELinux, def the way of having a more secure system, but I reaaaaaaally dont wanna get to more docs on linux hahaha.