Podman Machine runs rootless containers on macOS, but the interesting part isn't rootlessness itself. It's how Podman puts a small, disposable Linux VM underneath your containers and then hides that VM behind a CLI that behaves as if the containers were running locally.

Let’s see it in action. First, we need to install Podman. On macOS, the easiest way is via Homebrew:

brew install podman

Once installed, create a Podman machine. This command downloads a Fedora CoreOS image and configures a lightweight Linux VM for it (QEMU on older releases; current Podman on macOS defaults to Apple's Virtualization framework via vfkit), together with the port-forwarding network the VM will use. It does not start the VM yet, and it does not set up user namespaces on macOS: rootless operation is arranged inside the Linux guest, where podman runs as an unprivileged user.

podman machine init --cpus 2 --memory 2048 --disk-size 20
  • --cpus 2: Allocates 2 CPU cores to the VM.
  • --memory 2048: Allocates 2048 MB (2 GB) of RAM.
  • --disk-size 20: Allocates a 20 GB virtual disk image.

Now, start the machine:

podman machine start

The start output ends by telling you the machine is running in rootless mode. If someone has run podman machine set --rootful on it, it says rootful instead, and every container will then run as real root inside the VM; keep an eye on that line.

Let’s pull an image and run a container:

podman run -d -p 8080:80 docker.io/library/nginx:latest

This pulls the latest Nginx image from Docker Hub (Podman pulls from any OCI registry; the fully qualified name avoids depending on unqualified-search registries) and starts it detached (-d), publishing container port 80 as port 8080 on your macOS host. The VM does not expose the port itself: Podman's network helper (gvproxy) forwards it from macOS into the VM.

You can verify the running container:

podman ps

And access Nginx by opening http://localhost:8080 in your browser.
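The steps above, collected into a script that is idempotent and checks its own result. This is an added example, not code from the page or from the Podman project: the machine name, sizes and port are arbitrary defaults, and the "rootless" check uses podman top to confirm that no container process runs as UID 0 in the VM.

```sh
#!/bin/sh
# podman-mac-up.sh: bring up a rootless Podman machine on macOS, run nginx on
# port 8080, and verify the container really runs unprivileged inside the VM.
# Added example, not part of the page; machine name, sizes and port are
# arbitrary choices that can be overridden from the environment.
set -eu

MACHINE="${MACHINE:-podman-machine-default}"   # Podman's default machine name
CPUS="${CPUS:-2}"
MEMORY_MB="${MEMORY_MB:-2048}"
DISK_GB="${DISK_GB:-20}"
HOST_PORT="${HOST_PORT:-8080}"

# Map the output of `podman machine inspect --format '{{.State}}'` to an action:
# "" (no such machine) -> init, "running" -> none, anything else -> start.
plan_action() {
    case "$1" in
        "")      echo init ;;
        running) echo none ;;
        *)       echo start ;;
    esac
}

# Return 0 if `podman top <ctr> huser user` output lists any process whose
# host-side (VM) user is root, i.e. the container is not running rootless.
# podman prints the name when it can resolve it, so accept "root" and "0".
top_has_root_huser() {
    printf '%s\n' "$1" | awk 'NR > 1 && ($1 == "0" || $1 == "root") { found = 1 }
                              END { exit found ? 0 : 1 }'
}

ensure_machine() {
    state="$(podman machine inspect --format '{{.State}}' "$MACHINE" 2>/dev/null || true)"
    case "$(plan_action "$state")" in
        init)
            podman machine init --cpus "$CPUS" --memory "$MEMORY_MB" --disk-size "$DISK_GB" "$MACHINE"
            podman machine start "$MACHINE" ;;
        start)
            podman machine start "$MACHINE" ;;
    esac
    # Refuse to continue if the machine was switched to rootful mode.
    if [ "$(podman machine inspect --format '{{.Rootful}}' "$MACHINE")" != "false" ]; then
        echo "machine $MACHINE is rootful; fix with: podman machine set --rootful=false $MACHINE" >&2
        return 1
    fi
}

run_nginx() {
    podman rm -f web >/dev/null 2>&1 || true
    podman run -d --name web -p "${HOST_PORT}:80" docker.io/library/nginx:latest >/dev/null
    # Wait for nginx to answer instead of racing it with the browser.
    i=0
    while [ "$i" -lt 30 ]; do
        if curl -fsS "http://localhost:${HOST_PORT}/" >/dev/null 2>&1; then return 0; fi
        i=$((i + 1)); sleep 1
    done
    echo "nginx did not answer on port $HOST_PORT" >&2
    return 1
}

verify_rootless() {
    if [ "$(podman info --format '{{.Host.Security.Rootless}}')" != "true" ]; then
        echo "the podman service in the VM is not rootless" >&2
        return 1
    fi
    top="$(podman top web huser user)"
    if top_has_root_huser "$top"; then
        echo "a container process runs as root inside the VM:" >&2
        printf '%s\n' "$top" >&2
        return 1
    fi
    echo "ok: every container process maps to an unprivileged VM user"
    printf '%s\n' "$top"
}

# Only do real work on macOS with podman installed; elsewhere the functions
# above are still defined so they can be exercised with sample input.
if [ "$(uname -s)" = "Darwin" ] && command -v podman >/dev/null 2>&1; then
    ensure_machine
    run_nginx
    verify_rootless
else
    echo "skipping: this script drives podman machine on macOS (brew install podman)" >&2
fi
```

The podman top check is the part worth keeping around: the USER column is what the container believes, the HUSER column is what the VM kernel actually enforces, and on a rootless machine the second column must never be root.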

There is no magic behind this, only ordinary virtualization arranged carefully. Podman Machine boots a minimal, immutable distribution (Fedora CoreOS) under a hypervisor: QEMU originally, and on current releases Apple's Virtualization framework, which is the same framework Docker Desktop builds on, so the difference lies less in the hypervisor than in the size and role of the guest. Host directories are shared into the VM over virtiofs (9p on older QEMU-based setups). The rootless part happens inside the guest: the podman service runs as the unprivileged user core, a container's root (UID 0) is mapped through a user namespace onto core's UID, and the container's remaining UIDs land in core's subordinate range from /etc/subuid. A process that escapes the container is therefore core inside the VM, not root, and the VM boundary is what separates it from macOS. Note that the mapping targets a user inside the VM, not your macOS account.

The podman binary on macOS is only a client. It talks to the Podman API service inside the VM over a Unix socket that podman machine forwards to the host through SSH (podman system connection list shows the connection), and that service owns the containers, images and volumes, all of which live on the VM's disk. Directories shared into the VM (the --volume option to podman machine init; /Users, /private and /var/folders are shared by default) are mounted over virtiofs, so bind mounts from those paths work, but they are slower than storage on the VM side, so keep databases and build caches in named volumes rather than on shared host paths.

It is also worth being precise about podman machine ssh. It is nothing more than an SSH session into the VM as the user core (the default user on Fedora CoreOS), using the key pair podman machine init generated. There is no separate rootless daemon to connect to: podman inside the VM is the same rootless podman you would run on any Fedora host, relying on /etc/subuid and /etc/subgid plus newuidmap and newgidmap to build the user namespace, and on crun (Fedora's default OCI runtime) to launch the container. The point stands, though: the container execution and the privilege separation happen entirely inside the guest, and podman machine ssh is how you get in to inspect them.
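To see the remapping described in the last two paragraphs rather than take it on trust, the following added example (not code from the page or from Podman) reads a container's /proc/self/uid_map through podman machine ssh and podman run, then translates container UIDs to VM UIDs with a small awk function. It assumes the default machine name and the Fedora CoreOS user core with the stock subordinate-ID layout; the embedded uid_map is a constructed sample of that layout for running offline.

```sh
#!/bin/sh
# Show what "root inside the container" maps to inside the Podman machine VM.
# Added example, not part of the page; it assumes the default machine name
# and the Fedora CoreOS user core with the stock subordinate-ID layout.
set -eu

MACHINE="${MACHINE:-podman-machine-default}"

# Translate a UID as seen inside a container to the UID it has in the VM,
# using the container's /proc/self/uid_map (columns: inside outside count).
# Prints the VM UID, or prints nothing and returns 1 if the UID is unmapped.
map_uid() {
    printf '%s\n' "$2" | awk -v id="$1" '
        NF == 3 && id >= $1 && id < $1 + $3 { print $2 + (id - $1); found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of the uid_map a container sees when podman runs as
# core (UID 1000) holding subuid range 100000-165535, the Fedora CoreOS default.
SAMPLE_UID_MAP='         0       1000          1
         1     100000      65536'

show_mapping() {
    echo "== VM user podman runs as, and its subordinate ranges"
    podman machine ssh "$MACHINE" id -u
    podman machine ssh "$MACHINE" grep core /etc/subuid /etc/subgid

    echo "== uid_map inside a container (inside outside count)"
    uid_map="$(podman run --rm docker.io/library/alpine:latest cat /proc/self/uid_map)"
    printf '%s\n' "$uid_map"

    echo "== what container UID 0 and UID 1000 are in the VM"
    vm_uid_for_root="$(map_uid 0 "$uid_map")"
    echo "container root  -> VM UID $vm_uid_for_root"
    echo "container 1000  -> VM UID $(map_uid 1000 "$uid_map")"

    # The whole point of rootless: container root must not be VM root.
    if [ "$vm_uid_for_root" = "0" ]; then
        echo "container root is VM root: the machine is rootful" >&2
        return 1
    fi
    echo "ok: an escape from this container lands as VM UID $vm_uid_for_root, not root"
}

if [ "$(uname -s)" = "Darwin" ] && command -v podman >/dev/null 2>&1; then
    show_mapping
else
    echo "skipping: needs podman machine on macOS; sample uid_map:" >&2
    printf '%s\n' "$SAMPLE_UID_MAP" >&2
fi
```

On a rootless machine the first uid_map line is 0 1000 1, so container root is core; switch the machine to rootful and the same line becomes 0 0 4294967295, which is the one-line difference between "escape lands as an unprivileged VM user" and "escape lands as VM root".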

Once containers are running, the next hurdle is usually storage: what lives on the VM's disk, what is shared from macOS, and how the --volume option to podman machine init interacts with your host filesystem.
