This role manages podman configuration, containers, and systemd services which
run podman containers.
The role requires the following collections:
containers.podmanfedora.linux_system_rolesUse this to install the collections:
ansible-galaxy collection install -vv -r meta/collection-requirements.yml
This is a list. Each element of the list is a dict describing a podman
container and corresponding systemd unit to manage. The format of the dict is
mostly like the podman_container
module
except for the following:
generate_systemd- If you specify a value oftrue, then the role will create a systemd unit to run the container using the role default variables. Or, you can specify adictin thepodman_containermodule format.generate_systemd.container_prefixis hard-coded tolsr_containergenerate_systemd.separatoris hard-coded to-generate_systemd.pathis hard-coded to/etc/systemd/systemfor root containers, and$HOME/.config/systemd/userfor non-root containersrun_as_user- Use this to specify a per-container user. If you do not specify this, then the global defaultpodman_run_as_uservalue will be used. Otherwise,rootwill be used. NOTE: The user must already exist - the role will not create.run_as_group- Use this to specify a per-container group. If you do not specify this, then the global defaultpodman_run_as_groupvalue will be used. Otherwise,rootwill be used. NOTE: The group must already exist - the role will not create.systemd_unit_scope- The scope to use for the systemd unit. If you do not specify this, then the global defaultpodman_systemd_unit_scopewill be used. Otherwise, the scope will besystemfor root containers, anduserfor user containers.
This is a boolean, default value is false. If true, the role will ensure
host directories specified in host mounts in volume and mount specifications
for the containers in podman_containers. NOTE: Directories must be specified
as absolute paths (for root containers), or paths relative to the home directory
(for non-root containers), in order for the role to manage them. Anything else
will be assumed to be some other sort of volume and will be ignored.
The role will apply its default ownership/permissions to the directories. If you
need to set ownership/permissions, see podman_host_directories.
This is a dict. When using podman_create_host_directories, this tells the
role what permissions/ownership to apply to automatically created host
directories. Each key is the absolute path of host directory to manage. The
value is in the format of the parameters to the file
module.
If you do not specify a value, the role will use its built-in default values. If
you want to specify a value to be used for all host directories, use the special
key DEFAULT.
podman_host_directories:
"/var/lib/data":
owner: dbuser
group: dbgroup
mode: "0600"
DEFAULT:
owner: root
group: root
mode: "0644"The role will use dbuser:dbgroup 0600 for /var/lib/data, and root:root
0644 for all other host directories created by the role.
This is a list of dict in the same format as used by the
fedora.linux_system_role.firewall role. Use this to specify ports that you
want the role to manage in the firewall.
podman_firewall:
- port: 8080/tcpThis is a list of dict in the same format as used by the
fedora.linux_system_role.selinux role. Use this if you want the role to
manage the SELinux policy for ports used by the role.
podman_selinux_ports:
- ports: 8080
protocol: tcp
setype: http_port_tThis is the name of the user to use for all rootless containers. You can also
specify per-container username with run_as_user in podman_containers. NOTE:
The user must already exist - the role will not create.
This is the name of the group to use for all rootless containers. You can also
specify per-container group name with run_as_group in podman_containers.
NOTE: The group must already exist - the role will not create.
This is systemd scope to use by default for all systemd units. You can also
specify per-container scope with systemd_unit_scope in podman_containers. By
default, rootless containers will use user and root containers will use
system.
None
None.
- hosts: all
vars:
podman_create_host_directories: true
podman_firewall:
- port: 8080-8081/tcp
state: enabled
podman_selinux_ports:
- ports: 8080-8081
setype: http_port_t
podman_containers:
- name: my_user_service
image: quay.io/a_service/an_image:v4.1
rm: true
tty: true
volume:
- /var/lib/my_service:/var/www:Z
publish:
- "8080:80"
generate_systemd: true
command: /bin/busybox-extras httpd -f -p 80
workdir: /var/www
run_as_user: dbuser
run_as_group: dbgroup
labels:
io.containers.autoupdate: registry
- name: my_system_service
image: quay.io/another_service/an_image:v4.2
rm: true
tty: true
volume:
- /var/lib/my_service:/var/www:Z
publish:
- "8081:80"
generate_systemd:
restart_policy: always
command: /bin/busybox-extras httpd -f -p 80
workdir: /var/www
labels:
io.containers.autoupdate: registryMIT.
Based on podman-container-systemd by Ilkka Tengvall ilkka.tengvall@iki.fi.
Authors: Adam Miller, Thom Carlin, Valentin Rothberg, Rich Megginson