notmycloud.podman_systemd

Ansible Podman_systemd

Description

Set up Podman Systemd Units for system users and users without root access.

Installation

The role also requires the following roles. They are not declared as role dependencies because doing so causes errors, so install them yourself (for example with ansible-galaxy) before running this role:

  • linuxhq.sysctl
  • notmycloud.yaml2ini
  • notmycloud.systemd_unit

IMPORTANT: You must install the toml Python package using pip; Podman's containers.conf, storage.conf and registries.conf are TOML files.

Usage

You need to provide these variables for the role to work properly:

  • PODMAN_SYSTEMD_INSTALL_COCKPIT: This installs Cockpit with Podman support.
  • PODMAN_SYSTEMD_ALLOW_LOWEST_PORT: The lowest port an unprivileged user may bind to (this corresponds to the kernel's net.ipv4.ip_unprivileged_port_start sysctl). Ports below 1024 are privileged by default and reserved for root. On a server shared by many users, leave this alone: lowering it lets any local user, not just your service accounts, bind ports such as 80 or 443. If you manage the whole server yourself and run each service under its own dedicated user, lowering it lets rootless services listen on those ports directly. For a non-shared server, set it to 0, which allows every port.
  • PODMAN_SYSTEMD_ALLOW_PING: Allows unprivileged users, and therefore rootless containers, to use ping (ICMP echo).
  • PODMAN_SYSTEMD_DEPLOY: Here’s where you configure Podman settings. Create a section for each user with a Systemd unit setup:
PODMAN_SYSTEMD_DEPLOY:
  root:
    etc...
  user1:
    etc...
  user2:
    etc...

User Configuration

The root user's units are written to the standard /etc/systemd/system directory, while other users' units are written to ~/.config/systemd/user (user units, run as that user). Here's an example for an unprivileged user:

debug_log: bool # set to true for task and debug logging
PODMAN_SYSTEMD_DEPLOY:
  myuser:
    config:
      storage:
        storage:
          driver: "overlay"
        # Key:value pairs for storage.conf, saved in the right directory for the user or root.
        # Format follows what is stated by the notmycloud.yaml2ini role.
      containers:
        engine:
          network_cmd_options:
            - "allow_host_loopback=true"
            - "enable_ipv6=true"
          env: 
            - "TMPDIR=$HOME/.cache/tmp/"
        # Key:value pairs for containers.conf, saved in the appropriate directory.
      registries:
        unqualified-search-registries:
          - "docker.io"
          # - "quay.io"
          # - "registry.access.redhat.com"
        registry.mirror:
          - location: "https://mirror.gcr.io"
        # Key:value pairs for registries.conf, saved accordingly.
      login:
        - registry: registry.mydomain.com
          username: registryuser
          password: super$3(r37Password # keep real credentials in Ansible Vault, not as plaintext variables
    systemd:
      enable_socket: # Default is False; enables the Podman API socket for users or system-wide for root.
      containers:
        CONTAINERNAME: 
          podman_options:
            image:
            network: # Defaults to slirp4netns:allow_host_loopback=true,enable_ipv6=true
            replace: # boolean
            restart: # "always"|"no"|"on-failure"|"unless-stopped"; default is no
            remove: # Defaults to yes
            stop_timeout: # Defaults to 60 seconds
            log_driver: # Defaults to passthrough; container output goes to the Journal (journalctl, or journalctl --user for rootless units)
            healthcheck:
              cmd:
              interval:
              retries:
              delay:
              timeout:
            environment: # Array of key-value pairs
              key: "value"
            ports: # Format: 0.0.0.0:hostport:containerport
            volumes: 
              - host:
                container:
                options:
                type: # file/directory
            labels: # Array of key-value pairs
              key: "value"
            other_options: # Additional options for podman run
          service_options: # Follow notmycloud.systemd_unit variable depth for UNIT_NAME
      pods:
        PODNAME: 
          pod_service_options: # Follow notmycloud.systemd_unit variable depth for UNIT_NAME
          CONTAINERNAME:
            # Follow PODMAN_SYSTEMD_DEPLOY.USERNAME.systemd.containers.CONTAINERNAME syntax

Other Notes

Podman Socket

  • Root socket will be at: /run/podman/podman.sock
  • User socket will be at: /run/user/$UID/podman/podman.sock

Container Config Directory

It's recommended to use %E/%N/ as the config root. %E is systemd's configuration-directory specifier (/etc for system units, ~/.config for user units) and %N is the unit name, so configuration ends up in ~/.config/{service_name}/ for unprivileged users or /etc/{service_name}/ for root.
For containers with multiple configuration directories, use %E/%N/config1/, %E/%N/config2/, and so on.

Hardening flags worth passing to podman run (for this role, via other_options):

  • --init: Run a small init process as PID 1 inside the container so signals are forwarded and zombie processes are reaped.
  • --cap-drop=all: Remove all capabilities. Add back individual ones with --cap-add only once the container demonstrably needs them; most applications need none.
  • --security-opt=no-new-privileges: Prevent processes in the container from gaining privileges via setuid/setgid binaries or file capabilities.
  • --userns=keep-id: Map the host user's UID/GID to the same IDs inside the container, so files the container writes to bind mounts stay owned by the service user on the host.
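A filled-in deployment for one rootless user, combining the variable layout from the User Configuration section with the hardening flags above. This is an added example, not configuration shipped with the role: the user webapp, the container and unit name myapp, the image registry.mydomain.com/myapp:1.4.2 (assumed to listen on 8080 and expose /healthz) and the vault variable webapp_registry_password are all invented names. other_options is written here as a list of podman run flags; check the role's defaults for the exact type it expects.

```yaml
# Added example; not part of the role's own documentation. Assumed names:
# user "webapp", container "myapp", image registry.mydomain.com/myapp:1.4.2
# (listens on 8080 inside the container) and the vault variable
# webapp_registry_password.
PODMAN_SYSTEMD_INSTALL_COCKPIT: false
PODMAN_SYSTEMD_ALLOW_LOWEST_PORT: 1024   # kernel default kept: rootless services stay on high ports
PODMAN_SYSTEMD_ALLOW_PING: true

PODMAN_SYSTEMD_DEPLOY:
  webapp:
    config:
      storage:
        storage:
          driver: "overlay"
      registries:
        unqualified-search-registries:
          - "docker.io"
      login:
        - registry: registry.mydomain.com
          username: registryuser
          password: "{{ webapp_registry_password }}"   # from ansible-vault, never a literal in git
    systemd:
      enable_socket: false   # no API socket unless something actually consumes it
      containers:
        myapp:
          podman_options:
            image: "registry.mydomain.com/myapp:1.4.2"   # fully qualified and pinned: no search-registry ambiguity
            restart: "always"
            stop_timeout: 30
            log_driver: "passthrough"   # output goes to the user's journal
            healthcheck:
              cmd: "curl -fsS http://127.0.0.1:8080/healthz || exit 1"
              interval: "30s"
              retries: 3
              delay: "10s"
              timeout: "5s"
            environment:
              TZ: "UTC"
            ports:
              - "127.0.0.1:8080:8080"   # host port >= PODMAN_SYSTEMD_ALLOW_LOWEST_PORT, loopback only
            volumes:
              - host: "%E/%N/config"    # ~/.config/<unit name>/config for a user unit
                container: "/app/config"
                options: "ro,Z"
                type: directory
              - host: "%E/%N/data"
                container: "/app/data"
                options: "Z"
                type: directory
            labels:
              io.containers.autoupdate: "registry"
            other_options:
              - "--init"
              - "--cap-drop=all"                   # add single capabilities back with --cap-add only when proven necessary
              - "--security-opt=no-new-privileges"
              - "--userns=keep-id"                 # files under %E/%N/data stay owned by webapp on the host
```

Because the host port is above the unprivileged threshold, PODMAN_SYSTEMD_ALLOW_LOWEST_PORT can stay at its default; if the service had to listen on 80 or 443 you would either lower that variable on a single-tenant host or front the container with a reverse proxy that runs as root.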

Support

For support, please raise an issue and include:

  • A sample task/playbook to replicate the problem
  • The resulting file created.
Install
ansible-galaxy install notmycloud.podman_systemd
License
MIT