Chapter 15. Managing containers using the Ansible playbook

Beginning with Podman 4.2, you can use the Podman RHEL System Role to manage Podman configuration, containers, and the systemd services that run Podman containers.

RHEL System Roles provide a configuration interface to remotely manage multiple RHEL systems. The interface enables managing system configurations across multiple versions of RHEL, as well as adopting new major releases. For more information, see Automating system administration by using RHEL System Roles.

15.1. Creating a rootless container with bind mount

You can use the Podman System Role to create rootless containers with bind mount by running an Ansible playbook.

Prerequisites

  • Access and permissions to a control node, which is a system from which Red Hat Ansible Engine configures other systems.
  • On the control node:

    • The rhel-system-roles package is installed.
    • An Ansible inventory file listing the hosts to be managed and any other parameters you want to apply.
Note

The ansible-playbook command is provided by the ansible-core package which should be automatically installed as a dependency of the rhel-system-roles package.

Procedure

  1. Create a new playbook.yml file with the following content:

    - hosts: all
      vars:
        podman_create_host_directories: true
        podman_firewall:
          - port: 8080-8081/tcp
            state: enabled
          - port: 12340/tcp
            state: enabled
        podman_selinux_ports:
          - ports: 8080-8081
            setype: http_port_t
        podman_kube_specs:
          - state: started
            run_as_user: dbuser
            run_as_group: dbgroup
            kube_file_content:
              apiVersion: v1
              kind: Pod
              metadata:
                name: db
              spec:
                containers:
                  - name: db
                    image: quay.io/db/db:stable
                    ports:
                      - containerPort: 1234
                        hostPort: 12340
                    volumeMounts:
                      - mountPath: /var/lib/db:Z
                        name: db
                volumes:
                  - name: db
                    hostPath:
                      path: /var/lib/db
          - state: started
            run_as_user: webapp
            run_as_group: webapp
            kube_file_src: /path/to/webapp.yml
      roles:
        - linux-system-roles.podman

    This procedure creates a pod with two containers. The podman_kube_specs role variable describes a pod.

    • The run_as_user and run_as_group fields specify the user and group the containers run as, which makes them rootless.
    • The kube_file_content field, which contains a Kubernetes YAML file, defines the first container, named db. You can generate the Kubernetes YAML file using the podman generate systemd command.

      • The db container is based on the quay.io/db/db:stable container image.
      • The db bind mount maps the /var/lib/db directory on the host to the /var/lib/db directory in the container. The Z flag labels the content with a private, unshared SELinux label, so only the db container can access it.
    • The kube_file_src field defines the second container. The content of the /path/to/webapp.yml file on the control node is copied to the kube_file field on the managed node.
    • Setting podman_create_host_directories: true creates the /var/lib/db directory on the host.
  2. Optional: Verify the playbook syntax:

    # ansible-playbook --syntax-check playbook.yml -i inventory_file
  3. Run the playbook on your inventory file:

    # ansible-playbook -i inventory_file playbook.yml

15.2. Creating a rootful container with Podman volume

You can use the Podman System Role to create a rootful container with a Podman volume by running an Ansible playbook.

Prerequisites

  • Access and permissions to a control node, which is a system from which Red Hat Ansible Engine configures other systems.
  • On the control node:

    • The rhel-system-roles package is installed.
    • An Ansible inventory file listing the hosts to be managed and any other parameters you want to apply.
  • The ubi8-html-volume volume has been created.
Note

The ansible-playbook command is provided by the ansible-core package which should be automatically installed as a dependency of the rhel-system-roles package.

Procedure

  1. Create a new playbook.yml file with the following content:

    - hosts: all
      vars:
        podman_firewall:
          - port: 8080/tcp
            state: enabled
        podman_kube_specs:
          - state: started
            kube_file_content:
              apiVersion: v1
              kind: Pod
              metadata:
                name: ubi8-httpd
              spec:
                containers:
                  - name: ubi8-httpd
                    image: registry.access.redhat.com/ubi8/httpd-24
                    ports:
                      - containerPort: 8080
                        hostPort: 8080
                    volumeMounts:
                      - mountPath: /var/www/html:Z
                        name: ubi8-html
                volumes:
                  - name: ubi8-html
                    persistentVolumeClaim:
                      claimName: ubi8-html-volume
      roles:
        - linux-system-roles.podman

    The procedure creates a pod with one container. The podman_kube_specs role variable describes a pod.

    • By default, the Podman role creates rootful containers.
    • The kube_file_content field, which contains a Kubernetes YAML file, defines the container named ubi8-httpd.

      • The ubi8-httpd container is based on the registry.access.redhat.com/ubi8/httpd-24 container image.
      • The ubi8-html-volume volume is mapped to the /var/www/html directory in the container. The Z flag labels the content with a private, unshared SELinux label, so only the ubi8-httpd container can access it.
      • The pod mounts the existing persistent volume named ubi8-html-volume with the mount path /var/www/html.
  2. Optional: Verify the playbook syntax:

    # ansible-playbook --syntax-check playbook.yml -i inventory_file
  3. Run the playbook on your inventory file:

    # ansible-playbook -i inventory_file playbook.yml
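The pre-flight checks below are an added example, not part of the RHEL documentation or of the linux-system-roles.podman role: given the role vars of a playbook such as the two in this chapter, they flag a pod that will run rootful because run_as_user is missing (the default noted in 15.2), a hostPort that no enabled podman_firewall entry opens, and a volume mount without the Z relabel flag described in 15.1. The function name, the allow_rootful parameter and the DB_VARS dict (which mirrors the db pod from 15.1) are assumptions for this example.

```python
def expand_ports(port_spec):
    """Expand a podman_firewall port such as "8080-8081/tcp" into a set of ints."""
    ports = str(port_spec).split("/")[0]
    lo, _, hi = ports.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))


def check_podman_vars(role_vars, allow_rootful=False):
    """Return a list of findings; an empty list means the vars are consistent.

    Per kube_file_content spec this checks that:
      * run_as_user is set (the role defaults to rootful) unless allow_rootful
      * every hostPort is opened by an enabled podman_firewall entry
      * every volumeMounts mountPath carries an SELinux relabel flag (:Z or :z)
    Specs that use kube_file_src are skipped: their YAML lives on the control node.
    """
    opened = set()
    for rule in role_vars.get("podman_firewall", []):
        if rule.get("state", "enabled") == "enabled":
            opened |= expand_ports(rule["port"])
    findings = []
    for spec in role_vars.get("podman_kube_specs", []):
        kube = spec.get("kube_file_content")
        if kube is None:
            continue
        name = kube["metadata"]["name"]
        if not allow_rootful and not spec.get("run_as_user"):
            findings.append(f"{name}: no run_as_user, pod will run rootful")
        for container in kube["spec"]["containers"]:
            for port in container.get("ports", []):
                host_port = port.get("hostPort")
                if host_port is not None and host_port not in opened:
                    findings.append(f"{name}: hostPort {host_port} not in podman_firewall")
            for mount in container.get("volumeMounts", []):
                if not mount["mountPath"].endswith((":Z", ":z")):
                    findings.append(f"{name}: {mount['mountPath']} has no SELinux relabel flag")
    return findings


# Constructed role vars (hypothetical sample) mirroring the rootless db pod from 15.1.
DB_VARS = {
    "podman_firewall": [{"port": "8080-8081/tcp", "state": "enabled"},
                        {"port": "12340/tcp", "state": "enabled"}],
    "podman_kube_specs": [{
        "state": "started", "run_as_user": "dbuser", "run_as_group": "dbgroup",
        "kube_file_content": {
            "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "db"},
            "spec": {"containers": [{
                "name": "db", "image": "quay.io/db/db:stable",
                "ports": [{"containerPort": 1234, "hostPort": 12340}],
                "volumeMounts": [{"mountPath": "/var/lib/db:Z", "name": "db"}]}]}}}],
}
```

Run check_podman_vars against the vars block of a playbook before ansible-playbook; an empty list means the firewall, rootless and relabel settings agree with the pod definition.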