Podman Ansible Role

An Ansible role to install, configure, and manage Podman on Debian-based systems.

Features

  • Installation and uninstallation of Podman
  • Configuration of container registries
  • Rootless container support setup (multi-user subuid/subgid + linger)
  • User-specific podman socket enablement
  • Automated testing with hello-world container

Installation

First, add the following lines to your requirements.yml file:

roles:
  - name: podman
    src: https://gitlab.com/niclas-zone/tools/ansible/roles/podman.git
    version: 1.6.0
    scm: git

After that, install the role by executing the following command:

ansible-galaxy install -r requirements.yml --force

Role Variables

| Variable | Default Value | Type | Description |
|---|---|---|---|
| podman_state | present | string | State of podman installation (present or absent) |
| podman_run_test | true | boolean | Run hello-world test after installation |
| install_podman_compose | true | boolean | Install podman-compose package |
| podman_use_debian_testing | false | boolean | Install Podman packages from Debian testing repositories |
| podman_debian_testing_release | testing | string | Apt release name used when installing from Debian testing |
| podman_debian_testing_sources | See defaults | list | Apt source list entries for Debian testing |
| podman_debian_testing_pin_priority | 100 | integer | Pin priority for Debian testing packages |
| podman_socket_users | [] | list | Users that should have the Podman API socket enabled (they're also added to the rootless setup) |
| podman_socket_group | "" | string | Group for enabling podman socket (optional, leave empty to skip) |
| podman_rootless_users | [] | list | Additional users to prep for rootless Podman (subuid/subgid) without enabling the socket |
| podman_rootless_manage_all_users | false | boolean | When true, auto-configure every existing login user (UID >= podman_rootless_manage_all_min_uid) for rootless Podman |
| podman_rootless_manage_all_min_uid | 1000 | integer | Minimum UID considered when auto-configuring all users |
| podman_rootless_manage_all_exclude | [] | list | Users to skip when auto-configuring all login users |
| podman_rootless_manage_all_user_patterns | [] | list | Optional regex patterns; only users whose names match one of these patterns are auto-configured |
| podman_skip_linger_in_containers | false | boolean | Skip enabling linger when running in containerized/systemd-less environments (used for Molecule/CI) |
| podman_enable_rootless | true | boolean | Enable rootless container support configuration |
| podman_subuid_start | 100000 | integer | Starting UID for subuid range for rootless users |
| podman_subuid_count | 65536 | integer | Number of UIDs in subuid range for rootless users |
| podman_subgid_start | 100000 | integer | Starting GID for subgid range for rootless users |
| podman_subgid_count | 65536 | integer | Number of GIDs in subgid range for rootless users |
| manage_pam_env_conf | true | boolean | Sets XDG_RUNTIME_DIR and DBUS_SESSION_BUS_ADDRESS globally at login time |
| manage_profile_env | true | boolean | Drops /etc/profile.d/podman_rootless_env.sh to export XDG_RUNTIME_DIR/DBUS_SESSION_BUS_ADDRESS for shells |
| podman_registries | See below | list | Container registry configurations |
| ansible_managed_warning | "This file is managed by Ansible. Manual changes will be overwritten." | string | Warning on each file that has been created by this Ansible role |
| ansible_role_repository | https://gitlab.com/niclas-zone/tools/ansible/roles/podman | string | Link where to change the values |

For multi-user hosts, set podman_rootless_manage_all_users: true to automatically grant every login user a subuid/subgid range and lingering user session support. Combine with podman_rootless_manage_all_user_patterns (for example ['^sv-']) to limit automation to specific naming patterns. Otherwise, make sure each user that should run rootless Podman is listed in podman_rootless_users or podman_socket_users.
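
A post-run check for the multi-user setup described above, as an added example that is not part of the role's code: it parses text in the /etc/subuid and /etc/subgid format (name:start:count) and reports users whose subordinate ID ranges overlap, since overlapping ranges let containers of different users map to the same host IDs. The sample entries and user names are constructed, and nothing is assumed about how the role itself allocates ranges.

```python
"""Audit /etc/subuid-style content for overlapping subordinate ID ranges."""
from typing import NamedTuple

class SubIdRange(NamedTuple):
    owner: str
    start: int
    count: int

    @property
    def end(self) -> int:  # last ID in the range, inclusive
        return self.start + self.count - 1

def parse_subid(text: str) -> list[SubIdRange]:
    """Parse 'owner:start:count' lines; blank and '#' lines are skipped."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or not (parts[1].isdecimal() and parts[2].isdecimal()):
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        ranges.append(SubIdRange(parts[0], int(parts[1]), int(parts[2])))
    return ranges

def find_overlaps(ranges: list[SubIdRange]) -> list[tuple[str, str]]:
    """Return (owner_a, owner_b) pairs whose ranges share at least one ID."""
    ordered = sorted((r for r in ranges if r.count > 0), key=lambda r: r.start)
    overlaps = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.start > a.end:
                break  # sorted by start: no later range can overlap a
            if a.owner != b.owner:
                overlaps.append((a.owner, b.owner))
    return overlaps

# Constructed sample: sv-build and sv-deploy both hold the range starting at
# 100000 with 65536 IDs; ci holds the next free block.
SAMPLE = """\
sv-build:100000:65536
sv-deploy:100000:65536
ci:165536:65536
"""

if __name__ == "__main__":
    for a, b in find_overlaps(parse_subid(SAMPLE)):
        print(f"overlap: {a} and {b} share subordinate IDs")
```

To audit a host, pass the contents of /etc/subuid and /etc/subgid to parse_subid in place of the sample text.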

Debian Testing Packages

Enable Debian testing repositories and install Podman packages from the testing release:

---
- hosts: servers
  become: true
  roles:
    - role: podman
      vars:
        podman_use_debian_testing: true

Override the sources list, release name, or pin priority with podman_debian_testing_sources, podman_debian_testing_release, and podman_debian_testing_pin_priority when needed.

Registry Configuration

The podman_registries variable is a list of dictionaries with the following structure:

| Registry Field | Type | Description |
|---|---|---|
| prefix | string | Registry prefix for matching |
| registry | string | Registry URL/hostname |
| insecure | boolean | Allow insecure connections to registry |
| blocked | boolean | Block access to this registry |

Default registries:

podman_registries:
  - prefix: "docker.io"
    registry: "docker.io"
    insecure: false
    blocked: false
  - prefix: "quay.io"
    registry: "quay.io"
    insecure: false
    blocked: false
  - prefix: "registry.gitlab.com"
    registry: "registry.gitlab.com"
    insecure: false
    blocked: false

Example Playbooks

Basic Installation

---
- hosts: servers
  become: true
  roles:
    - role: podman

Install with User Socket Enabled

---
- hosts: servers
  become: true
  roles:
    - role: podman
      vars:
        podman_rootless_users:
          - containers
          - ci
        podman_socket_users:
          - containers

Rootless Without Socket

---
- hosts: servers
  become: true
  roles:
    - role: podman
      vars:
        podman_rootless_users:
          - automation

Uninstall Podman

---
- hosts: servers
  become: true
  roles:
    - role: podman
      vars:
        podman_state: absent