Red Hat Training
A Red Hat training course is available for RHEL 8
Chapter 15. Managing containers using the Ansible playbook
With Podman 4.2, you can use the Podman RHEL System Role to manage Podman configuration, containers, and systemd services which run Podman containers.
RHEL System Roles provide a configuration interface to remotely manage multiple RHEL systems. You can use the interface to manage system configurations across multiple versions of RHEL, as well as adopting new major releases. For more information, see the Automating system administration by using RHEL System Roles.
15.1. Creating a rootless container with bind mount
You can use the Podman System Role to create rootless containers with bind mount by running an Ansible playbook and with that, manage your application configuration.
Prerequisites
- Access and permissions to a control node, which is a system from which Red Hat Ansible Engine configures other systems.
On the control node:
-
The
rhel-system-roles
package is installed. - An Ansible inventory file listing the hosts to be managed and any other parameters you want to apply.
-
The
The ansible-playbook
command is provided by the ansible-core
package which should be automatically installed as a dependency of the rhel-system-roles
package.
Procedure
Create a new playbook.yml file with the following content:
- hosts: all vars: podman_create_host_directories: true podman_firewall: - port: 8080-8081/tcp state: enabled - port: 12340/tcp state: enabled podman_selinux_ports: - ports: 8080-8081 setype: http_port_t podman_kube_specs: - state: started run_as_user: dbuser run_as_group: dbgroup kube_file_content: apiVersion: v1 kind: Pod metadata: name: db spec: containers: - name: db image: quay.io/db/db:stable ports: - containerPort: 1234 hostPort: 12340 volumeMounts: - mountPath: /var/lib/db:Z name: db volumes: - name: db hostPath: path: /var/lib/db - state: started run_as_user: webapp run_as_group: webapp kube_file_src: /path/to/webapp.yml roles: - linux-system-roles.podman
This procedure creates a pod with two containers. The
podman_kube_specs
role variable describes a pod.-
The
run_as_user
andrun_as_group
fields specify that containers are rootless. The
kube_file_content
field containing a Kubernetes YAML file defines the first container nameddb
. You can generate the Kubernetes YAML file using thepodman generate systemd
command.-
The
db
container is based on thequay.io/db/db:stable
container image. -
The
db
bind mount maps the/var/lib/db
directory on the host to the/var/lib/db
directory in the container. TheZ
flag labels the content with a private unshared label, therefore, only thedb
container can access the content.
-
The
-
The
kube_file_src
field defines the second container. The content of the/path/to/webapp.yml
file on the controller node will be copied to thekube_file
field on the managed node. -
Set the
podman_create_host_directories: true
to create the directory on the host. This instructs the role to check the kube specification forhostPath
volumes and create those directories on the host. If you need more control over the ownership and permissions, usepodman_host_directories
.
-
The
Optional: Verify playbook syntax.
# ansible-playbook --syntax-check playbook.yml -i inventory_file
Run the playbook on your inventory file:
# ansible-playbook -i inventory_file playbook.yml
Additional resources
-
The
/usr/share/ansible/roles/rhel-system-roles.podman/README.md
file - The Podman System Role documentation
15.2. Creating a rootful container with Podman volume
You can use the Podman System Role to create a rootful container with a Podman volume by running an Ansible playbook and with that, manage your application configuration.
Prerequisites
- Access and permissions to a control node, which is a system from which Red Hat Ansible Engine configures other systems.
On the control node:
-
The
rhel-system-roles
package is installed. - An Ansible inventory file listing the hosts to be managed and any other parameters you want to apply.
-
The
-
The
ubi8-html-volume
volume has been created.
The ansible-playbook
command is provided by the ansible-core
package which should be automatically installed as a dependency of the rhel-system-roles
package.
Procedure
Create a new playbook.yml file with the following content:
- hosts: all vars: podman_firewall: - port: 8080/tcp state: enabled podman_kube_specs: - state: started kube_file_content: apiVersion: v1 kind: Pod metadata: name: ubi8-httpd spec: containers: - name: ubi8-httpd image: registry.access.redhat.com/ubi8/httpd-24 ports: - containerPort: 8080 hostPort: 8080 volumeMounts: - mountPath: /var/www/html:Z name: ubi8-html volumes: - name: ubi8-html persistentVolumeClaim: claimName: ubi8-html-volume roles: - linux-system-roles.podman
The procedure creates a pod with one container. The
podman_kube_specs
role variable describes a pod.- By default, the Podman role creates rootful containers.
The
kube_file_content
field containing a Kubernetes YAML file defines the container namedubi8-httpd
.The
ubi8-httpd
container is based on theregistry.access.redhat.com/ubi8/httpd-24
container image.-
The
ubi8-html-volume
maps the/var/www/html
directory on the host to the container. TheZ
flag labels the content with a private unshared label, therefore, only theubi8-httpd
container can access the content. -
The pod mounts the existing persistent volume named
ubi8-html-volume
with the mount path/var/www/html
.
-
The
Optional: Verify playbook syntax.
# ansible-playbook --syntax-check playbook.yml -i inventory_file
Run the playbook on your inventory file:
# ansible-playbook -i inventory_file playbook.yml
Additional resources
-
The
/usr/share/ansible/roles/rhel-system-roles.podman/README.md
file - The Podman System Role documentation
15.3. Creating a Quadlet application with secrets
You can use the Podman System Role to create a Quadlet application with secrets by running an Ansible playbook.
The podman_quadlet_specs variable
is available beginning with Podman v4.6.
Quadlets work only with rootful containers.
Prerequisites
- Access and permissions to a control node, which is a system from which Red Hat Ansible Engine configures other systems.
On the control node:
-
The
rhel-system-roles
package is installed. - An Ansible inventory file listing the hosts to be managed and any other parameters you want to apply.
- Secrets - you must define the following, preferably using Ansible Vault encrypted variables:
-
root password for MySQL (
"root_password_from_vault"
) -
TLS certificate and key (
"cert_from_vault" and "key_from_vault"
)
-
The
-
The
ansible-playbook
command is provided by theansible-core
package which should be automatically installed as a dependency of therhel-system-roles
package. -
The files used by this example are provided by the
rhel-system-roles
package in/usr/share/ansible/roles/rhel-system-roles.podman/tests/files
and/usr/share/ansible/roles/rhel-system-roles.podman/tests/templates
directories.
Procedure
Create a new playbook.yml file with the following content:
podman_create_host_directories: true podman_activate_systemd_unit: false podman_quadlet_specs: - name: quadlet-demo type: network file_content: | [Network] Subnet=192.168.30.0/24 Gateway=192.168.30.1 Label=app=wordpress - file_src: quadlet-demo-mysql.volume - template_src: quadlet-demo-mysql.container.j2 - file_src: envoy-proxy-configmap.yml - file_src: quadlet-demo.yml - file_src: quadlet-demo.kube activate_systemd_unit: true podman_firewall: - port: 8000/tcp state: enabled - port: 9000/tcp state: enabled podman_secrets: - name: mysql-root-password-container state: present skip_existing: true data: "{{ root_password_from_vault }}" - name: mysql-root-password-kube state: present skip_existing: true data: | apiVersion: v1 data: password: "{{ root_password_from_vault | b64encode }}" kind: Secret metadata: name: mysql-root-password-kube - name: envoy-certificates state: present skip_existing: true data: | apiVersion: v1 data: certificate.key: {{ key_from_vault | b64encode }} certificate.pem: {{ cert_from_vault | b64encode }} kind: Secret metadata: name: envoy-certificates
The procedure creates a WordPress content management system paired with a MySQL database. The
podman_quadlet_specs role
variable defines a set of configurations for the Quadlet, which refers to a group of containers or services that work together in a certain way. It includes the following specifications:-
The Wordpress network is defined by the
quadlet-demo
network unit. -
The volume configuration for MySQL container is defined by the
file_src: quadlet-demo-mysql.volume
field. -
The
template_src: quadlet-demo-mysql.container.j2
field is used to generate a configuration for the MySQL container. -
Two YAML files follow:
file_src: envoy-proxy-configmap.yml
andfile_src: quadlet-demo.yml
. Note that .yml is not a valid Quadlet unit type, therefore these files will just be copied and not processed as a Quadlet specification. -
The Wordpress and envoy proxy containers and configuration are defined by the
file_src: quadlet-demo.kube
field. The kube unit refers to the previous YAML files in the[Kube]
section asYaml=quadlet-demo.yml
andConfigMap=envoy-proxy-configmap.yml
.
-
The Wordpress network is defined by the
Optional: Verify playbook syntax.
# ansible-playbook --syntax-check playbook.yml -i inventory_file
Run the playbook on your inventory file:
# ansible-playbook -i inventory_file playbook.yml
Additional resources
-
The
/usr/share/ansible/roles/rhel-system-roles.podman/README.md
file - The Podman System Role documentation