---
name: Deploy container patterns
description: Hard-won deploy patterns — rootless port 80, credential sync, health checks, image export
type: feedback
---

Container deploy patterns learned from fleet-wide deploy sessions.

**Rootless port 80:** Containers binding port 80 MUST use `--user 0:0`. The `NET_BIND_SERVICE` capability doesn't work in rootless Podman.

**Why:** Discovered across multiple containers (FileBrowser, Nextcloud, Vaultwarden, Jellyfin) that `--cap-add NET_BIND_SERVICE` is silently ignored in rootless mode. Only `--user 0:0` works.

**Credential sync:** MariaDB/Postgres read their password env vars on FIRST init only. If a deploy generates new random passwords in `secrets/` but the DB data dir already exists, the DB keeps the OLD password. Fix: either wipe the data dir and reinit, or run `ALTER USER` to sync the DB to the new secret.

**Image export:** Always export custom images as INDIVIDUAL tarballs (`podman save -o name.tar IMAGE`). Combined tarballs corrupt image IDs.

**Health checks:** Every container should have `--health-cmd`. Currently 25+ containers have them.

**How to apply:** Check these patterns in any deploy script changes or new container additions.
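A helper for the credential-sync pitfall, added here as an example and not code from the deploy note or any project. Instead of testing for the bare data dir it looks for the engine's own first-init marker (MariaDB's `mysql/` system database directory, Postgres's `PG_VERSION` file written by `initdb`), and when that marker exists it emits the `ALTER USER` statement that brings the running database in line with the new secret. The engine names, the one-password-per-file layout under `secrets/`, the `app` user, and the container name and superuser login used by `apply_db_sync` are all assumptions.

```shell
#!/bin/sh
# Added example (not from the deploy note or any project): decide whether a
# database container will honour the password in secrets/ on this deploy and,
# if not, produce the ALTER USER statement that syncs the existing user.

# db_initialised DATA_DIR ENGINE -> 0 if the engine already ran first init there
db_initialised() {
    case "$2" in
    mariadb)  [ -d "$1/mysql" ] ;;        # system database created on first init
    postgres) [ -f "$1/PG_VERSION" ] ;;   # written by initdb
    *) return 1 ;;
    esac
}

# sql_quote STRING -> STRING as a single-quoted SQL literal ('' escapes ')
sql_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# db_credential_plan ENGINE DATA_DIR SECRET_FILE USER
# Prints "init" when the env vars will be read (fresh data dir), otherwise the
# ALTER USER statement for the engine.  The secret file holds only the password.
db_credential_plan() {
    engine=$1 datadir=$2 secret=$3 user=$4
    case "$engine" in
    mariadb|postgres) ;;
    *) echo "unknown engine: $engine" >&2; return 2 ;;
    esac
    if ! db_initialised "$datadir" "$engine"; then
        echo "init"
        return 0
    fi
    [ -r "$secret" ] || { echo "missing secret file: $secret" >&2; return 2; }
    pw=$(cat "$secret")                      # command substitution drops the trailing newline
    case "$engine" in
    mariadb)  printf "ALTER USER '%s'@'%%' IDENTIFIED BY %s;\n" "$user" "$(sql_quote "$pw")" ;;
    postgres) printf 'ALTER USER "%s" WITH PASSWORD %s;\n' "$user" "$(sql_quote "$pw")" ;;
    esac
}

# apply_db_sync ENGINE CONTAINER SQL -> run the statement inside the running container.
# Container name and superuser login are assumptions; the MariaDB password goes
# through the client's MYSQL_PWD env var rather than argv so it is not visible in ps.
apply_db_sync() {
    case "$1" in
    mariadb)  printf '%s\n' "$3" | podman exec -i -e MYSQL_PWD="$MARIADB_ROOT_PASSWORD" "$2" mariadb -uroot ;;
    postgres) printf '%s\n' "$3" | podman exec -i "$2" psql -U postgres -v ON_ERROR_STOP=1 ;;
    esac
}

# Typical deploy-script use (hypothetical paths and names):
#   plan=$(db_credential_plan mariadb ./data/mariadb ./secrets/db_password app)
#   [ "$plan" = init ] || apply_db_sync mariadb nextcloud-db "$plan"
```

The plan step is deliberately separated from the apply step so the deploy script can log the decision ("init" vs. an ALTER USER) before touching the database, and so the sync can be reviewed on a dry run.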
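A lint for the remaining patterns (port 80 only with `--user 0:0`, `--health-cmd` on every `podman run`, one image per `podman save` tarball), written as an added example for the "How to apply" step; it is not from the note or any project. The port-80 match is a substring heuristic on the host side of `-p`/`--publish`, and the lint assumes a deploy script keeps each `podman run` or `podman save` invocation on one line, which is how the one-liners above are written.

```shell
#!/bin/sh
# Added example, not from the deploy note or any project: a line-oriented lint
# for deploy scripts that flags the podman patterns from the note.

# lint_deploy_line LINE -> prints one finding per line (nothing when clean)
lint_deploy_line() {
    line=$1
    case "$line" in
    *"podman run"*)
        # Host port 80 published?  Matches "-p 80:", "--publish=80:" and "IP:80:".
        case "$line" in
        *"-p 80:"*|*"-p=80:"*|*"--publish 80:"*|*"--publish=80:"*|*":80:"*)
            case "$line" in
            *"--user 0:0"*|*"--user=0:0"*|*"-u 0:0"*) ;;
            *) echo "port 80 published without --user 0:0 (required in rootless podman)" ;;
            esac
            case "$line" in
            *NET_BIND_SERVICE*) echo "--cap-add NET_BIND_SERVICE is ignored in rootless podman; use --user 0:0" ;;
            esac
            ;;
        esac
        case "$line" in
        *"--health-cmd"*) ;;
        *) echo "container started without --health-cmd" ;;
        esac
        ;;
    *"podman save"*)
        # Count image operands after "save", skipping options and their values.
        images=0 skip=0 after_save=0
        for w in $line; do
            if [ "$after_save" -eq 0 ]; then
                if [ "$w" = save ]; then after_save=1; fi
                continue
            fi
            if [ "$skip" -eq 1 ]; then skip=0; continue; fi
            case "$w" in
            -o|--output|--format) skip=1 ;;   # option with a separate value
            -*) ;;                            # flag or --opt=value
            *) images=$((images + 1)) ;;
            esac
        done
        if [ "$images" -gt 1 ]; then
            echo "podman save with $images images in one tarball; export each image to its own .tar"
        fi
        ;;
    esac
    return 0
}

# count_findings LINE -> number of findings for the line
count_findings() {
    lint_deploy_line "$1" | awk 'END { print NR }'
}

# lint_deploy_script FILE -> reports every flagged line; returns 1 if any was flagged
lint_deploy_script() {
    total=0
    while IFS= read -r l; do
        n=$(count_findings "$l")
        if [ "$n" -gt 0 ]; then
            printf '%s\n' "$l"
            lint_deploy_line "$l" | sed 's/^/  - /'
            total=$((total + n))
        fi
    done < "$1"
    [ "$total" -eq 0 ]
}
```

Run `lint_deploy_script deploy.sh` from a pre-commit hook or CI job so a new container that publishes port 80 without `--user 0:0`, ships without a health check, or is exported in a combined tarball is caught before it reaches a host.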