<div align="center">
# podup
**docker-compose on rootless Podman — one static Rust binary. No daemon. No Python.**




[](https://github.com/Glyndor/podup/actions/workflows/ci.yml)
[](https://crates.io/crates/podup)
[](Cargo.toml)
[](LICENSE)
[**Website**](https://glyndor.net/projects/podup) · [**Install**](#-install) · [**Quick start**](#-quick-start) · [**Benchmarks**](docs/benchmarks.md) · [**Docs**](docs/)
<img src="docs/assets/podup-demo.gif" alt="podup running a compose stack on rootless Podman" width="760">
</div>
---
## 📥 Install
### Debian / Ubuntu (apt) — recommended
Register the signed Glyndor repository and install — copy-paste:
```bash
curl -fsSLO https://apt.glyndor.net/glyndor-archive-keyring.deb
sudo dpkg -i glyndor-archive-keyring.deb
sudo apt update && sudo apt install podup
```
The keyring package registers `https://apt.glyndor.net` and ships the signing
key, so podup updates (and key renewals) arrive through `apt upgrade` — the apt
build omits self-update since apt owns upgrades. Signed, SHA-256 verified,
fail-closed. Requires **Podman ≥ 5.0** (rootless).
<details>
<summary><b>Other methods — Linux/macOS script · Windows · build from source · self-update · Podman version · platforms</b></summary>
### apt, one-liner (script)
Same as above via the install script (registers the repo, then installs):
```bash
### Linux / macOS (install script)
```bash
### Windows (PowerShell)
```powershell
Both installers verify the Ed25519 signature over `SHA256SUMS` and fail closed
otherwise.
### Build from source
```bash
cargo build --release
```
### Self-update
```bash
podup update # download and install the latest signed release
podup update --check # report whether a newer release exists, install nothing
```
`podup update` replaces the running binary in place only after verifying the
release's Ed25519 signature and SHA-256 checksum — it fails closed otherwise. See
[docs/self-update.md](docs/self-update.md) for the trust model.
### Podman version
podup tracks the **latest stable Podman** and supports its **last two majors —
Podman 5.x and 6.x**. It talks to Podman's native libpod API (still versioned
5.x — 5.2.0 on Podman 6), so it needs **Podman ≥ 5.0**. Validated on **Podman
5.x (5.8.1) and 6.0.0** (the latter in CI against Fedora rawhide). Many distributions still ship 4.x — check
`podman --version` and upgrade if needed. Fedora, Debian trixie/sid and recent
Ubuntu releases carry 5.x; on an older release, install or upgrade Podman
following the official guide: <https://podman.io/docs/installation>.
### Platforms
Linux, macOS and Windows (x86_64 and arm64). On macOS and Windows podup talks to
the `podman machine` VM through its host-side `unix://` socket or `npipe://`
named pipe; the socket must be local (remote `tcp://`/`ssh://` are rejected).
</details>
## 🚀 Quick start
```bash
podup up -d # start the stack in the current directory
podup ps # see what's running
podup down -v # tear down and remove volumes
```
[Every command →](docs/commands.md)
## ⚡ Why
Rootless-native libpod API, real compose-spec (`extends`, profiles,
`develop.watch`, inline secrets), and systemd Quadlet export —
[vs alternatives](docs/benchmarks.md#vs-alternatives) · [Rust library](https://docs.rs/podup).
```mermaid
sequenceDiagram
autonumber
participant Y as docker-compose.yml
participant P as podup
participant L as Podman · libpod REST
Y->>P: parse · substitute · resolve depends_on
P->>L: create networks · volumes · secrets
P->>L: start containers in order
L-->>P: health / status
P-->>Y: stack up
```
## 📊 Benchmarks
<div align="center">
### ~7 MiB flat memory • near-zero CPU • up to 15× faster than podman-compose
<img src="docs/assets/bench.svg" alt="Bar chart: podup uses ~7 MiB vs 69 MiB for podman-compose, and is 7–15x faster per op" width="760">
</div>
Same Podman, same digest-pinned images, median of 10 runs. [Full tables & methodology →](docs/benchmarks.md)
## 📖 Docs
[Commands](docs/commands.md) · [Migrating from Compose](docs/docker-migration.md) · [Benchmarks](docs/benchmarks.md) · [Self-update](docs/self-update.md) · [Security model](docs/security-model.md)
## License
[Apache-2.0](LICENSE) — report vulnerabilities privately via the **Security** tab, never in a public issue.