Container workloads have long been everyday reality in mid-sized businesses — from reverse proxies to wiki instances to monitoring platforms. For years, the standard answer to “which orchestrator” was simply: Docker Compose. Since Red Hat introduced Quadlets with Podman 4.4 and they are available across practically every current Linux distribution in 2026, a second look is warranted. This article frames both tools from an SMB perspective, compares ecosystem, security and operational model, and shows when a switch makes sense — and when it doesn’t.
Docker Compose: The established standard
Docker Compose has been the de facto tool for declaratively describing multi-container stacks for years. A single docker-compose.yml defines services, volumes, networks and dependencies in one YAML file. docker compose up -d starts the entire stack — clear, fast, documented.
Strengths:
- Massive ecosystem: practically every self-hosting tutorial online uses Compose
- Easy to learn, well documented, countless ready-made stacks on GitHub
- Cross-platform (Linux, Windows, macOS) for developer workflows
- Mature tooling integration (Portainer, Watchtower, Dozzle)
Weaknesses:
- Requires a running Docker daemon that runs as root (single point of failure)
- Rootless mode exists but is fiddly and not the default path
- Separate restart and healthcheck logic alongside systemd
- Logs land in Docker’s own JSON file format, not in journald
- Licensing (Docker Desktop) remains a sore point for enterprises
Podman Quadlets: systemd instead of daemon
Podman takes a fundamentally different approach: there is no central daemon. Containers run directly as child processes of the calling user — rootless by default. Quadlets, stable since Podman 4.4 and rock solid across the 5.x line (in 2026 firmly available in RHEL 9/10, Rocky 9/10, AlmaLinux, Debian 13 Trixie and Ubuntu 24.04 LTS), are the tool of choice for declaratively managing containers via systemd.
A Quadlet is a plain .container file in systemd unit format, translated into a full systemd service unit at startup. The container inherits every systemd feature: restart policies, dependencies, resource limits via cgroups v2, journal logging, socket activation, timer-based starts.
Strengths:
- Rootless by default — no daemon running with root privileges
- Native systemd integration: logs automatically flow into journald
- Restart behaviour, dependencies and resource limits via proven systemd mechanisms
- No central single point of failure
- OCI-compatible: pulls from Docker Hub, Quay, GHCR work unchanged
- Officially supported in RHEL-based distributions — important for compliance
Weaknesses:
- Learning curve, especially for teams who know Compose by heart
- Fewer ready-made tutorials online (but growing visibly)
- Volumes, pods and networks each require their own unit file
- Debugging via
journalctlandsystemctlinstead ofdocker compose logs
Head-to-head comparison
| Feature | Docker Compose | Podman Quadlets |
|---|---|---|
| Daemon | Yes, dockerd as root | No, daemonless |
| Rootless operation | Possible, but a special case | Default |
| Configuration format | YAML (docker-compose.yml) | systemd unit (.container, .volume, .network) |
| Restart logic | restart: unless-stopped in YAML | systemd Restart= directive |
| Logging | JSON file driver, separate tools | journald native, journalctl -u service |
| Healthchecks | Defined in YAML | systemd healthcheck plus unit status |
| Resource limits | YAML fields mapped to cgroups | systemd directives (CPUQuota, MemoryMax) |
| Auto-start | Docker daemon starts all containers | systemd enabled units on boot |
| Ecosystem | Very large, many tutorials | Growing, RHEL world leading |
| Compliance / audit | Daemon complicates auditing | Clean process trees, journald logs |
| Image pulls | Docker Hub, custom registry | Docker Hub, Quay, GHCR — multi-registry |
Structure of a Quadlet file
A .container file typically lives under /etc/containers/systemd/ (system-wide) or ~/.config/containers/systemd/ (rootless per user). The format stays close to classic systemd units:
[Unit]
Description=Nextcloud AIO
After=network-online.target
Wants=network-online.target
[Container]
Image=docker.io/nextcloud/all-in-one:latest
ContainerName=nextcloud-aio
PublishPort=8080:8080
Volume=nextcloud-aio.volume:/mnt/docker-aio-config
Environment=APACHE_PORT=11000
Environment=APACHE_IP_BINDING=0.0.0.0
HealthCmd=/healthcheck.sh
HealthInterval=30s
Memory=4G
CPUQuota=200%
[Service]
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target default.target
After creating the file, systemctl daemon-reload and systemctl start nextcloud-aio.service is enough. Quadlet generates the service unit in the background. Logs are immediately accessible via journalctl -u nextcloud-aio.service -f — no extra log driver, no external tools required.
Real-world example: migrating a 5-service stack
Take a typical SMB stack: Traefik as reverse proxy, Nextcloud for file sharing, Vaultwarden for passwords, Uptime-Kuma for monitoring and a shared PostgreSQL database. The original docker-compose.yml spans around 120 lines of YAML including networks and volumes.
Migrating to Quadlets follows a clear pattern:
- One
.containerfile per service under/etc/containers/systemd/ - One
.volumefile per persistent volume (configs, databases) - A shared
.networkfile for internal communication - Dependencies via
Wants=andAfter=in the units (e.g. Nextcloud after PostgreSQL) - Reverse proxy labels for Traefik directly as
Label=directives in the container block
What was 120 YAML lines becomes roughly 200 lines spread across multiple files — slightly more typing, but clearer per component and properly anchored in systemd. A reboot brings the entire stack up in the correct order without any Docker daemon in between. Backups via Proxmox Backup Server capture the volumes as usual, because the paths remain unchanged.
When does a migration pay off?
Migrate to Quadlets when:
- The host already runs RHEL, Rocky, AlmaLinux or another systemd distribution
- Compliance rules require rootless operation and clean audit trails
- journald is already established as the central log hub
- The Docker daemon as single point of failure causes friction
- Containers need to coexist alongside classic systemd services
Stay with Docker Compose when:
- The team is experienced with Compose and stacks run reliably
- Self-hosting tutorials are meant to be adopted 1:1
- Developers on Windows or macOS use the same stack locally
- Tools like Portainer are mandated for management
- A migration cannot be justified against the current effort-to-benefit ratio
Hybrid strategy for SMBs
In practice we see a staged approach at many customers: productive, long-running services — reverse proxy, mail gateway, backup agent — move to Quadlets because they benefit from journald logging and systemd integration. Development and test stacks stay on Compose because speed and tutorial compatibility matter more there. On a Linux server both worlds run side by side without friction.
For SMBs running their own virtualization on Proxmox VE we recommend deploying new container workloads as Quadlets right away — the initial learning curve pays off quickly through lower maintenance effort. Existing Compose stacks stay put until a version jump or restructuring calls for work anyway.
Conclusion
Docker Compose remains the fastest path to a running container stack in 2026, especially when tutorials and ready-made templates are involved. Podman Quadlets are the strategically more interesting choice the moment production operation, compliance and long-term maintenance take centre stage — rootless by default, native systemd integration and clean journald logging more than offset the initial extra effort. The key takeaway: this isn’t an either-or decision. Both tools coexist happily on the same host.
DATAZONE supports you in assessing your container strategy, migrating existing Compose stacks to Quadlets and operating them safely on Proxmox VE. Contact us — we advise on Linux servers, virtualization and container workloads from a single source.
More on these topics:
More articles
Linux Server Hardening: 15-Minute Checklist
Ten concrete hardening steps for a freshly installed Debian, Ubuntu or Rocky Linux server — SSH, updates, firewall, auditing, sudo, limits, services, NTP, logging, kernel sysctl. With commands, doable in a quarter of an hour.
Nextcloud Hub: Office Alternative On-Prem
Nextcloud Hub as a Microsoft 365 alternative for SMBs: Files, Talk, Office (Collabora), Mail, Calendar, Deck, Forms, Tables. Self-hosting on your own hardware with a TrueNAS backend, AD/LDAP, external storage. Realistic assessment of strengths and limits.
Windows Server 2016 End-of-Life: Migration Options for SMBs
Windows Server 2016 support ends January 2027. Migrate to Server 2025, Linux with Samba AD or Azure ESU -- options and costs compared for SMBs.