2020-07-22 afbjorklund

Machine Replacement

If you are looking for a replacement for podman-machine or docker-machine,
you can use Vagrant to provision a virtual machine with Fedora or Ubuntu.

Since both podman and docker are now available as standard distro packages, installation is just a yum or an apt away (the deb package is called “”).

Manage as non-root user

If you install the normal package, you will have to use sudo to run it. This becomes a problem, when trying to access the service from remote…

But it is possible to add a system group, to be used instead of root, so that additional users can have socket access - without having to use sudo.

Create the docker group.

$ sudo groupadd docker

Add your user to the docker group.

$ sudo usermod -aG docker $USER

This also means that we can use a unix socket, instead of a tcp port:



We use ssh to access this socket remotely, rather than a separate port.

The group means that we don’t have to log in as root, but as normal user.


Note that being part of this group allows running privileged containers:

Warning: The docker group grants privileges equivalent to the root user.

It is also possible to run rootless containers, but that is not the topic here.

We assume that the user is already part of the sudoers without a password.

Vagrant with VirtualBox

Save to a Vagrantfile, and use vagrant up to boot the virtual machine.

Podman (Fedora)

Vagrant.configure("2") do |config| = "fedora/32-cloud-base"

  config.vm.provider "virtualbox" do |vb|
    vb.memory = "1024"

  config.vm.provision "shell", inline: <<-SHELL
    yum install -y podman

    groupadd -f -r podman

    #systemctl edit podman.socket
    mkdir -p /etc/systemd/system/podman.socket.d
    cat >/etc/systemd/system/podman.socket.d/override.conf <<EOF
    systemctl daemon-reload
    echo "d /run/podman 0770 root podman" > /etc/tmpfiles.d/podman.conf
    systemd-tmpfiles --create

    systemctl enable podman.socket
    systemctl start podman.socket

    usermod -aG podman $SUDO_USER

Docker (Ubuntu)

Vagrant.configure("2") do |config| = "ubuntu/focal64"

  config.vm.provider "virtualbox" do |vb|
    vb.memory = "1024"
    # focal64 bug:
    vb.customize [ "modifyvm", :id, "--uartmode1", "file", File::NULL ]

  config.vm.provision "shell", inline: <<-SHELL
    apt-get update && apt-get install -y

    systemctl disable snapd.socket snapd.service
    systemctl stop snapd.socket snapd.service

    systemctl enable docker.socket docker.service
    systemctl start docker.socket docker.service

    usermod -aG docker $SUDO_USER


The virtual machine has been booted, and systemd has enabled the socket.

You can now use the vagrant ssh command, to access the virtual machine.

vagrant ssh -c "sudo podman version"
vagrant ssh -c "sudo podman info"

Have to use sudo here, or it would still try to run the rootless podman.

vagrant ssh -c "docker version"
vagrant ssh -c "docker info"


By default vagrant uses the “virtualbox” provider, available on all platforms.

It is also possible to use the “libvirt”/kvm provider when running on Linux.

But you probably have to use the “generic” images, from the Vagrant Cloud:

Only the provider changes in the Vagrantfile, provisioning stays the same:

Vagrant.configure("2") do |config| = "generic/fedora32"

  config.vm.provider "libvirt" do |lv|
    lv.memory = "1024"


Configure client

Previously we would use podman varlink or the docker port 2376 to access, but now both of them are using unix sockets over ssh connections instead…

Use vagrant up to start and vagrant ssh-config to see the configuration. Then use variables from this ssh_config, to configure the ssh connection:

Host default
  User vagrant
  Port 2222
  UserKnownHostsFile /dev/null
  StrictHostKeyChecking no
  PasswordAuthentication no
  IdentityFile $PWD/.vagrant/machines/default/virtualbox/private_key
  IdentitiesOnly yes
  LogLevel FATAL

Podman Remote

export CONTAINER_HOST=ssh://vagrant@
export CONTAINER_SSHKEY=$PWD/.vagrant/machines/default/virtualbox/private_key

You currently have to supply the path of the unix socket, or it gets confused:

ssh: rejected: connect failed (open failed)

Note that podman uses CONTAINER_HOST and Containerfile, and not “podman”.

Docker CLI

export DOCKER_HOST=ssh://vagrant@ # /var/run/docker.sock
ssh-add -k .vagrant/machines/default/virtualbox/private_key

When using docker it is not supported to supply the path of the unix socket:

ssh host connection is not valid: extra path after the host

The docker client doesn’t support ssh identity, so the ssh-agent is used here.


To run a rootless podman socket as the user instead, you can use this setup:

Vagrant.configure("2") do |config| = "fedora/32-cloud-base"

  config.vm.provider "virtualbox" do |vb|
    vb.memory = "1024"

  config.vm.provision "shell", privileged: false, inline: <<-SHELL
    sudo yum install -y podman

    systemctl enable --user podman.socket
    systemctl start --user podman.socket
$ export CONTAINER_HOST=ssh://vagrant@
$ export CONTAINER_SSHKEY=$PWD/.vagrant/machines/default/virtualbox/private_key
$ podman-remote --url $CONTAINER_HOST version
Version:      2.0.4
API Version:  1
Go Version:   go1.14.2
Built:        Thu Jan  1 01:00:00 1970
OS/Arch:      linux/amd64

Version:      2.0.4
API Version:  0
Go Version:   go1.14.6
Built:        Thu Jan  1 01:00:00 1970
OS/Arch:      linux/amd64

Previous information: