# Podman Ansible Role
Installs and configures Podman on Debian- and RedHat-based systems, including rootless support, socket activation, and auto-update timers.
## Installation

Add to your `requirements.yml`:

```yaml
roles:
  - name: podman
    src: https://gitlab.com/niclas-zone/tools/ansible/roles/podman.git
    version: 1.9.0
    scm: git
```
## Variables

| Variable | Default | Description |
|---|---|---|
| `podman_state` | `present` | `present` or `absent` |
| `podman_run_test` | `true` | Run hello-world after install |
| `podman_install_podman_compose` | `true` | Install podman-compose |
| `podman_socket_users` | `[]` | Users to enable the Podman API socket for |
| `podman_socket_group` | `""` | Optional group for the socket directory |
| `podman_rootless_users` | `[]` | Users to configure for rootless Podman (subuid/subgid) without enabling the socket |
| `podman_rootless_manage_all_users` | `false` | Auto-configure all login users (UID >= `podman_rootless_manage_all_min_uid`) |
| `podman_rootless_manage_all_min_uid` | `1000` | Minimum UID for auto-configuration |
| `podman_rootless_manage_all_exclude` | `[]` | Users to skip during auto-configuration |
| `podman_rootless_manage_all_user_patterns` | `[]` | Limit auto-configuration to users matching these regex patterns |
| `podman_enable_rootless` | `true` | Enable rootless support (sysctl, subuid/subgid, linger) |
| `podman_skip_linger_in_containers` | `false` | Skip linger/socket activation in containerized test environments |
| `podman_subuid_start` | `100000` | Start of subuid range |
| `podman_subuid_count` | `65536` | Size of subuid range |
| `podman_subgid_start` | `100000` | Start of subgid range |
| `podman_subgid_count` | `65536` | Size of subgid range |
| `manage_pam_env_conf` | `true` | Write `XDG_RUNTIME_DIR`/`DBUS_SESSION_BUS_ADDRESS` to `/etc/security/pam_env.conf` |
| `manage_profile_env` | `true` | Drop `/etc/profile.d/podman_rootless_env.sh` for shell sessions |
| `podman_registries` | see defaults | Registry list (`prefix`, `registry`, `insecure`, `blocked`) |
| `podman_sysctl` | see below | Toggle individual sysctl templates |
| `podman_auto_update_users` | `[]` | Per-user auto-update timer config |
| `podman_auto_update_system` | `{}` | System-level auto-update timer config |
| `podman_use_debian_testing` | `false` | Pull packages from Debian testing |
| `podman_debian_testing_release` | `testing` | Apt release name for Debian testing |
| `podman_debian_testing_sources` | see defaults | Apt source entries for Debian testing |
| `podman_debian_testing_pin_priority` | `100` | Pin priority for Debian testing packages |
## Sysctl toggles

`podman_sysctl` controls which sysctl templates are rendered. All default to `true`:

- `userns_clone`: enable unprivileged user namespace cloning (`kernel.unprivileged_userns_clone`, on kernels that provide it)
- `max_user_namespaces`: raise `user.max_user_namespaces`
- `unprivileged_port_start`: set `net.ipv4.ip_unprivileged_port_start`
## Auto-update

Podman ships `podman-auto-update`, which pulls updated images and restarts the systemd units of containers labelled `io.containers.autoupdate`. Containers must be created from a fully qualified image reference (registry, repository and tag) for the `registry` policy to work.

Per-user (`podman_auto_update_users`): list of entries with `name` (required), `enabled` (default `false`), and `calendar` (default `daily`). Any systemd `OnCalendar` expression is accepted.

```yaml
podman_auto_update_users:
  - name: alice
    enabled: true
    calendar: "daily"
  - name: bob
    enabled: true
    calendar: "*:0/10"
  - name: carol
    enabled: true
    calendar: "Mon *-*-* 03:30:00"
```

System (`podman_auto_update_system`): the default `{}` leaves the system timer untouched. Set `enabled: true` or `enabled: false` to have the role manage it.
## Example Playbooks

```yaml
# Rootless users + socket
- hosts: servers
  become: true
  roles:
    - role: podman
      vars:
        podman_rootless_users:
          - containers
          - ci
        podman_socket_users:
          - containers
```