mail

README.md

@@ -1,355 +1,382 @@
-Podman
+# Podman Role
-======
 
-This Ansible role installs and configures Podman container runtime, and provides comprehensive container, pod, network, and volume management capabilities.
+**Bootstrap containerized applications with Podman in minutes.**
 
-Requirements
+## 🚀 Quick Start
-------------
 
-- Ansible 2.11 or higher
+### 1. Basic Setup
-- Target systems: Ubuntu 20.04+, Debian 11+
-- containers.podman collection (for container management tasks)
-
-Role Variables
---------------
-
-### Installation Variables
-
-* `podman_install_from_repo`: Install from official repositories (default: `true`)
-* `podman_packages`: List of core Podman packages to install
-* `podman_additional_packages`: Additional packages for full container support
-
-### Configuration Variables
-
-* `podman_configure_registries`: Configure container registries (default: `true`)
-* `podman_registries_conf_path`: Path to registries configuration (default: `/etc/containers/registries.conf`)
-* `podman_registries_additional`: Additional registry configurations for special cases
-
-**Note**: Registry configuration is now unified with the image signature policy through `podman_policy_trusted_registries`. Each registry in the policy configuration includes both security settings (signature verification) and registry behavior (insecure, blocked, unqualified search).
-
-* `podman_configure_storage`: Configure storage settings (default: `true`)
-* `podman_storage_conf_path`: Path to storage configuration (default: `/etc/containers/storage.conf`)
-* `podman_storage_driver`: Storage driver to use (default: `overlay`)
-* `podman_storage_runroot`: Runtime storage path (default: `/run/containers/storage`)
-* `podman_storage_graphroot`: Persistent storage path (default: `/var/lib/containers/storage`)
-
-* `podman_configure_policy`: Configure container policy (default: `true`)
-* `podman_policy_path`: Path to policy configuration (default: `/etc/containers/policy.json`)
-
-### Image Signature Policy Variables
-
-* `podman_policy_default_type`: Default policy for unlisted registries (`"insecureAcceptAnything"` or `"reject"`)
-* `podman_policy_reject_unknown_registries`: Reject images from unlisted registries (default: `false`)
-* `podman_policy_trusted_registries`: Unified registry configuration for both policy and registries.conf
-
-Each registry in `podman_policy_trusted_registries` supports:
-
-**Security Policy Options:**
-- `type`: Verification type (`"insecureAcceptAnything"`, `"signedBy"`, `"reject"`)
-- `keyPath`: Path to GPG key file (for `signedBy` type)
-- `keyData`: Inline GPG key data (alternative to `keyPath`)
-
-**Registry Configuration Options:**
-- `insecure`: Allow insecure (HTTP) connections (default: `false`)
-- `blocked`: Block access to this registry (default: `false`)
-- `unqualified_search`: Include in unqualified image searches (default: `true`)
-- `mirror`: List of mirror registries for redundancy/performance
-
-```yaml
-# Unified registry and policy configuration
-podman_policy_trusted_registries:
-  - registry: "docker.io"
-    # Policy settings
-    type: "insecureAcceptAnything"
-    # Registry settings
-    insecure: false
-    blocked: false
-    unqualified_search: true
-  
-  - registry: "internal-registry.company.com"
-    # Policy settings
-    type: "signedBy"
-    keyPath: "/etc/pki/containers/company.gpg"
-    # Registry settings
-    insecure: false
-    blocked: false
-    unqualified_search: true
-    # Mirror configuration
-    mirror:
-      - location: "backup-registry.company.com"
-        insecure: false
-
-# Development configuration (default)
-podman_policy_default_type: "insecureAcceptAnything"
-podman_policy_reject_unknown_registries: false
-
-# Production configuration with signature verification
-podman_policy_default_type: "reject"
-podman_policy_reject_unknown_registries: true
-```
-
-### Service Variables
-
-* `podman_enable_socket`: Enable Podman socket service (default: `false`)
-* `podman_enable_api_service`: Enable Podman API service (default: `false`)
-
-### Container Management Variables
-
-```yaml
-podman_containers:
-  - name: nginx
-    image: docker.io/nginx:latest
-    state: started
-    ports:
-      - "8080:80"
-    volumes:
-      - "/etc/nginx/conf.d:/etc/nginx/conf.d:ro"
-    env:
-      NGINX_HOST: example.com
-    restart_policy: always
-    user: nginx
-    networks:
-      - podman
-    labels:
-      app: webserver
-      version: "1.0"
-```
-
-### Network Management Variables
-
-```yaml
-podman_networks:
-  - name: app-network
-    driver: bridge
-    subnet: "10.89.0.0/24"
-    gateway: "10.89.0.1"
-    state: present
-    internal: false
-    disable_dns: false
-    dns:
-      - "8.8.8.8"
-    options:
-      mtu: 1500
-      vlan: 100
-    ipam_driver: "host-local"
-    interface_name: "podman1"
-    route:
-      - "10.10.0.0/16,192.168.1.1"
-  - name: macvlan-net
-    driver: macvlan
-    macvlan: "eth0"
-    subnet: "192.168.1.0/24"
-  - name: ipv6-net
-    driver: bridge
-    subnet: "fd00::/64"
-    ipv6: true
-    recreate: false
-```
-
-### Volume Management Variables
-
-```yaml
-podman_volumes:
-  - name: app-data
-    state: present
-    driver: local
-    labels:
-      environment: production
-      backup: daily
-    options:
-      - "device=/dev/sdb1"
-      - "type=ext4"
-      - "o=rw"
-  - name: tmpfs-volume
-    state: present
-    driver: tmpfs
-    options:
-      - "tmpfs-size=100m"
-      - "tmpfs-mode=1777"
-  - name: quadlet-volume
-    state: quadlet
-    driver: local
-    quadlet_filename: "custom-volume"
-    quadlet_file_mode: "0640"
-    quadlet_options:
-      - "Group=192"
-      - "Copy=true"
-    recreate: false
-    debug: false
-```
-
-### Pod Management Variables
-
-```yaml
-podman_pods:
-  - name: webapp-pod
-    state: started
-    ports:
-      - "8080:80"
-      - "3306:3306"
-    networks:
-      - frontend
-    hostname: webapp
-    dns:
-      - "8.8.8.8"
-    labels:
-      app: webapp
-      tier: frontend
-    volumes:
-      - "webapp-data:/data"
-    infra: true
-    infra_image: "k8s.gcr.io/pause:3.1"
-    memory: "2g"
-    cpu_shares: "1024"
-    security_opt:
-      - "seccomp=unconfined"
-    add_host:
-      - "database.local:127.0.0.1"
-    share: "net,ipc"
-    userns: "auto"
-    device:
-      - "/dev/sda:/dev/xvda:rwm"
-    sysctl:
-      net.core.somaxconn: "1024"
-    exit_policy: "stop"
-  - name: quadlet-pod
-    state: quadlet
-    quadlet_filename: "custom-pod"
-    quadlet_options:
-      - "AutoUpdate=registry"
-    generate_systemd:
-      path: "/etc/systemd/system"
-      restart_policy: "always"
-```
-
-### Systemd Service Generation
-
-The role can automatically generate systemd service files for containers and pods. This functionality helps in managing container lifecycle through systemd.
-
-* `podman_generate_systemd`: Enable systemd service generation (default: `true`)
-* `podman_systemd_dir`: Directory for generated service files (default: `/etc/systemd/system`)
-
-**Global Systemd Options** (`podman_systemd_options`):
-
-```yaml
-podman_systemd_options:
-  new: true              # Generate new service files
-  force: true           # Overwrite existing files
-  restart_policy: unless-stopped  # Default restart policy
-  time: 120             # Stop timeout in seconds
-  no_header: false      # Include header in service files
-  wants: []             # Systemd unit Wants
-  after: []             # Systemd unit After
-  requires: []          # Systemd unit Requires
-  container_prefix: ""  # Prefix for container service names
-  pod_prefix: ""        # Prefix for pod service names
-  restart_sec: 30       # Restart delay in seconds
-```
-
-**Per-Container/Pod Configuration:**
-
-You can override global systemd options for individual containers or pods:
-
-```yaml
-podman_containers:
-  - name: webapp
-    image: nginx:latest
-    systemd:
-      restart_policy: always
-      after: ["network.target"]
-      wants: ["network-online.target"]
-      restart_sec: 10
-
-podman_pods:
-  - name: database
-    systemd:
-      restart_policy: on-failure
-      requires: ["network.target"]
-      time: 180
-```
-
-When `systemd` is defined for a container or pod, the role will:
-1. Generate a systemd service file
-2. Place it in the specified directory
-3. Reload systemd daemon
-4. (Optional) Enable and start the service
-
-**Note:** Container/pod-specific options take precedence over global options defined in `podman_systemd_options`.
-
-### Resource Pruning
-
-The role can automatically clean up unused Podman resources to free up disk space and maintain system hygiene.
-
-* `podman_prune_enabled`: Enable automatic pruning of unused resources (default: `true`)
-* `podman_prune_options`: Configuration for what should be pruned
-
-```yaml
-podman_prune_options:
-  container: true    # Remove stopped containers
-  image: true        # Remove unused images
-  network: true      # Remove unused networks
-  system: true       # Prune all unused data
-  system_all: true   # Prune all unused data including build cache
-  volume: true       # Remove unused volumes
-```
-
-You can selectively disable certain types of pruning by setting their values to `false`:
-
-```yaml
-podman_prune_options:
-  container: true    # Still remove containers
-  image: false      # Keep all images
-  network: true     # Remove unused networks
-  system: false     # Keep system data
-  system_all: false # Keep build cache
-  volume: false     # Keep all volumes
-```
-
-Dependencies
-------------
-
-* `containers.podman` collection for container management tasks
-
-Example Playbook
-----------------
 
 ```yaml
 - hosts: servers
   roles:
-    - role: keepit.podman
+    - podman
-      vars:
-        podman_enable_socket: true
-        podman_containers:
-          - name: web-server
-            image: nginx:latest
-            state: started
-            ports:
-              - "80:80"
-            volumes:
-              - "/var/www/html:/usr/share/nginx/html:ro"
-        podman_networks:
-          - name: web-network
-            subnet: "172.20.0.0/16"
 ```
 
-Tags
+### 2. Run Your First Container
-----
 
-* `podman` - Run all tasks
+```yaml
-* `podman-install` - Install packages only
+- hosts: servers
-* `podman-configure` - Configure Podman only
+  roles:
-* `podman-services` - Manage services only
+    - role: podman
-* `podman-networks` - Manage networks only
+      vars:
-* `podman-volumes` - Manage volumes only
+        podman_containers:
-* `podman-pods` - Manage pods only
+          - name: nginx
-* `podman-containers` - Manage containers only
+            image: nginx:latest
+            ports:
+              - "80:80"
+```
 
-License
+### 3. Common Patterns
--------
+
+**Web application with database:**
+
+```yaml
+podman_containers:
+  - name: webapp
+    image: myapp:latest
+    ports:
+      - "8080:8080"
+    env:
+      DATABASE_URL: "postgresql://postgres@db:5432/app"
+    
+  - name: postgres
+    image: postgres:15
+    volumes:
+      - "db-data:/var/lib/postgresql/data"
+    env:
+      POSTGRES_DB: app
+      POSTGRES_PASSWORD: secret
+
+podman_volumes:
+  - name: db-data
+```
+
+**That's it!** Podman will be installed, configured, and your containers will be running with systemd services automatically created.
+
+---
+
+## 📋 Requirements
+
+- **Ansible**: 2.11+
+- **Target OS**: Ubuntu 20.04+, Debian 11+
+- **Collection**: `containers.podman` (auto-installed)
+
+---
+
+## 🔧 Configuration Guide
+
+### Management Modes (Quadlet vs Systemd)
+
+This role automatically selects the best management engine based on your operating system version:
+
+- **Quadlet** (Default for Debian 13+): Uses Podman's native systemd generator via `.container` files. This is the modern, preferred method.
+- **Systemd** (Default for Debian < 13): Uses legacy `podman generate systemd` to create service units.
+
+The determination is controlled by the logic in `defaults/main.yml`:
+
+```yaml
+# Auto-detected. True for Debian 13+, False otherwise.
+podman_use_quadlet: "{{ ... }}"
+
+# Sets default state to 'quadlet' or 'started'/'present' accordingly
+podman_mode: ... 
+```
+
+**Recommendation:** Do **not** set `state` explicitly in your variables (e.g., `podman_containers`) unless you have a specific reason. The role's defaults will ensure the correct state is applied for your OS version.
+
+Users can still manually control defaults if needed:
+
+```yaml
+# Force Quadlet usage on older systems (if supported)
+podman_use_quadlet: true
+
+# Or customize default options
+podman_container_defaults:
+  quadlet_options:
+    - "AutoUpdate=registry"
+    - |
+      [Install]
+      WantedBy=default.target
+```
+
+If you prefer the standard imperative approach (similar to `docker run`) regardless of OS, you can override the defaults or set `state: started` on individual items.
+
+### Resource Definition
+
+The variables `podman_containers`, `podman_networks`, `podman_volumes`, and `podman_pods` accept standard parameters from the [containers.podman](https://docs.ansible.com/ansible/latest/collections/containers/podman/index.html) collection.
+
+#### Containers
+
+```yaml
+podman_containers:
+  - name: nginx
+    image: nginx:latest
+    ports: ["80:80"]
+    volumes:
+      - "html_vol:/usr/share/nginx/html"
+      - "./local_conf:/etc/nginx/conf.d:ro"
+    env:
+      NGINX_HOST: example.com
+    # Quadlet-specific options can be added as a list
+    quadlet_options:
+      - "AutoUpdate=registry"
+```
+
+#### Networks
+
+```yaml
+podman_networks:
+  - name: app_net
+    subnet: "10.0.0.0/24"
+    gateway: "10.0.0.1"
+    dns: ["8.8.8.8"]
+```
+
+#### Volumes
+
+```yaml
+podman_volumes:
+  - name: db_data
+    # state defaults to 'quadlet'
+```
+
+#### Pods
+
+```yaml
+podman_pods:
+  - name: app_pod
+    ports: ["8080:80"]
+    share: "net,ipc"
+```
+
+### Advanced Configuration
+
+#### Registry & Security Policy
+
+```yaml
+# Basic registry setup (development)
+podman_policy_default_type: "insecureAcceptAnything"
+podman_policy_reject_unknown_registries: false
+
+# Production security (with signatures)
+podman_policy_default_type: "reject"
+podman_policy_reject_unknown_registries: true
+podman_policy_trusted_registries:
+  - registry: "docker.io"
+    type: "insecureAcceptAnything"
+    unqualified_search: true
+    
+  - registry: "internal.company.com"
+    type: "signedBy"
+    keyPath: "/etc/pki/containers/company.gpg"
+    insecure: false
+    mirror:
+      - location: "backup.company.com"
+
+# Additional registries (for special mirror/proxy configurations)
+podman_registries_additional:
+  - location: "internal-mirror.company.com"
+    insecure: false
+    blocked: false
+    mirror:
+      - location: "docker.io"
+        insecure: false
+```
+
+#### Systemd Service Generation
+
+```yaml
+# Global systemd settings
+podman_generate_systemd: true
+podman_systemd_options:
+  restart_policy: always
+  stop_timeout: 120
+  after: ["network.target"]
+  wants: ["network-online.target"]
+  container_prefix: "container-"
+  pod_prefix: "pod-"
+```
+
+#### Container Defaults
+
+```yaml
+# Auto-remove containers when they exit (applies to all containers unless overridden)
+podman_auto_remove: true
+```
+
+#### Resource Cleanup
+
+```yaml
+# Auto-cleanup unused resources
+podman_prune_enabled: true
+podman_prune_options:
+  container: true    # Remove stopped containers
+  image: true        # Remove unused images
+  network: true      # Remove unused networks
+  volume: true       # Remove unused volumes
+  system: true       # Full system cleanup
+```
+
+#### Storage Configuration
+
+```yaml
+podman_configure_storage: true
+podman_storage_driver: overlay
+podman_storage_graphroot: /var/lib/containers/storage
+podman_storage_runroot: /run/containers/storage
+```
+
+#### API & Socket Services
+
+```yaml
+podman_enable_socket: true      # Enable Podman socket
+podman_enable_api_service: true # Enable REST API
+podman_enable_auto_update: true # Enable automatic container updates
+```
+
+> **Note:** When using `podman_enable_auto_update`, containers must use **fully qualified image names** including the registry (e.g., `docker.io/postgres:15` instead of `postgres:15`) and should have `AutoUpdate=registry` in their `quadlet_options` or be configured with Quadlet state.
+
+---
+
+## 🏷️ Available Tags
+
+Run specific parts of the role:
+
+```bash
+# Install only
+ansible-playbook -t podman-install playbook.yml
+
+# Configure only  
+ansible-playbook -t podman-configure playbook.yml
+
+# Manage containers only
+ansible-playbook -t podman-containers playbook.yml
+
+# Manage networks only
+ansible-playbook -t podman-networks playbook.yml
+```
+
+**Available tags:**
+
+- `podman` - Run everything
+- `podman-install` - Package installation
+- `podman-configure` - Configuration files
+- `podman-services` - System services
+- `podman-networks` - Network management
+- `podman-volumes` - Volume management  
+- `podman-pods` - Pod management
+- `podman-containers` - Container management
+- `podman-systemd` - Systemd service generation
+- `podman-prune` - Resource cleanup
+
+---
+
+## 📚 Example Playbooks
+
+### Development Environment
+
+```yaml
+- hosts: dev-servers
+  roles:
+    - role: podman
+      vars:
+        # Permissive for development
+        podman_policy_default_type: "insecureAcceptAnything"
+        podman_enable_socket: true
+        
+        podman_containers:
+          - name: dev-web
+            image: nginx:latest
+            ports:
+              - "8080:80"
+            volumes:
+              - "./web:/usr/share/nginx/html"
+```
+
+### Production Environment
+
+```yaml
+- hosts: prod-servers
+  roles:
+    - role: podman
+      vars:
+        # Strict security for production
+        podman_policy_default_type: "reject"
+        podman_policy_reject_unknown_registries: true
+        podman_policy_trusted_registries:
+          - registry: "registry.company.com"
+            type: "signedBy"
+            keyPath: "/etc/pki/containers/prod.gpg"
+            
+        podman_containers:
+          - name: prod-app
+            image: registry.company.com/app:v1.2.3
+            restart_policy: always
+            memory: "2g"
+            cpu_shares: 2048
+            healthcheck:
+              test: ["CMD", "curl", "-f", "http://localhost/health"]
+              interval: 30s
+              timeout: 10s
+              retries: 3
+```
+
+### Multi-Service Application
+
+```yaml
+- hosts: app-servers
+  roles:
+    - role: podman
+      vars:
+        podman_networks:
+          - name: app-network
+            subnet: "172.20.0.0/16"
+            
+        podman_volumes:
+          - name: postgres-data
+          - name: redis-data
+          - name: app-uploads
+            
+        podman_containers:
+          # Database
+          - name: postgres
+            image: postgres:15
+            networks:
+              - app-network
+            volumes:
+              - "postgres-data:/var/lib/postgresql/data"
+            env:
+              POSTGRES_DB: myapp
+              POSTGRES_PASSWORD: "{{ vault_db_password }}"
+              
+          # Cache
+          - name: redis
+            image: redis:7-alpine
+            networks:
+              - app-network
+            volumes:
+              - "redis-data:/data"
+              
+          # Application
+          - name: app
+            image: myapp:latest
+            networks:
+              - app-network
+            ports:
+              - "80:8080"
+            volumes:
+              - "app-uploads:/app/uploads"
+            env:
+              DATABASE_URL: "postgresql://postgres:{{ vault_db_password }}@postgres:5432/myapp"
+              REDIS_URL: "redis://redis:6379"
+```
+
+---
+
+## 📄 License
 
 MIT
 
-Author Information
+## 👤 Author
-------------------
 
 Daniel Akulenok <ansible-podman@valid.dk>

defaults/main.yml

@@ -2,7 +2,6 @@
 # defaults file for podman
 
 # Package installation
-podman_install_from_repo: true
 podman_packages:
   - podman
   - crun
@@ -166,15 +165,26 @@ podman_policy_trusted_registries:
 # Service management
 podman_enable_socket: false
 podman_enable_api_service: false
+podman_enable_auto_update: false
+
+# Determine if Quadlet should be used (Debian 13+ or other distros)
+podman_use_quadlet: "{{ not (ansible_distribution | default('Debian') == 'Debian' and ansible_distribution_major_version | default('13') | int < 13) }}"
+podman_mode: "{{ 'quadlet' if podman_use_quadlet else 'started' }}"
 
 # Container management
+podman_container_defaults:
+  state: "{{ podman_mode }}"
+  pull: newer
+  quadlet_options:
+    - "AutoUpdate=registry"
+    - "Pull=newer"
+
 podman_containers: []
 # Example container configurations:
 # podman_containers:
 #   # Basic web server container
 #   - name: nginx
 #     image: docker.io/nginx:latest
-#     state: started
 #     ports:
 #       - "8080:80"
 #     volumes:
@@ -193,7 +203,6 @@ podman_containers: []
 #   # Advanced container with comprehensive configuration
 #   - name: app-server
 #     image: registry.example.com/myapp:v1.2.3
-#     state: started
 #     # Basic runtime options
 #     command: ["/app/start.sh", "--config", "/etc/app/config.yaml"]
 #     entrypoint: "/entrypoint.sh"
@@ -474,6 +483,13 @@ podman_containers: []
 #       - "no-new-privileges=true"
 
 # Network management
+podman_network_defaults:
+  state: "{{ 'quadlet' if podman_use_quadlet else 'present' }}"
+  quadlet_options:
+    - |
+      [Install]
+      WantedBy=default.target
+
 podman_networks: []
 # Example network configuration:
 # podman_networks:
@@ -481,7 +497,6 @@ podman_networks: []
 #     driver: bridge
 #     subnet: "10.89.0.0/24"
 #     gateway: "10.89.0.1"
-#     state: present
 #   - name: frontend-network
 #     driver: bridge
 #     subnet: "172.20.0.0/16"
@@ -509,14 +524,19 @@ podman_networks: []
 #       - "10.10.0.0/16,192.168.1.1"
 
 # Volume management
+podman_volume_defaults:
+  state: "{{ 'quadlet' if podman_use_quadlet else 'present' }}"
+  quadlet_options:
+    - |
+      [Install]
+      WantedBy=default.target
+
 podman_volumes: []
 # Example volume configuration:
 # podman_volumes:
 #   - name: app-data
-#     state: present
 #     driver: local
 #   - name: database-volume
-#     state: present
 #     driver: local
 #     labels:
 #       environment: production
@@ -526,7 +546,6 @@ podman_volumes: []
 #       - "type=ext4"
 #       - "o=rw"
 #   - name: tmpfs-volume
-#     state: present
 #     driver: tmpfs
 #     options:
 #       - "tmpfs-size=100m"
@@ -543,11 +562,17 @@ podman_volumes: []
 #     debug: false
 
 # Pod management
+podman_pod_defaults:
+  state: "{{ podman_mode }}"
+  quadlet_options:
+    - |
+      [Install]
+      WantedBy=default.target
+
 podman_pods: []
 # Example pod configuration:
 # podman_pods:
 #   - name: webapp-pod
-#     state: started
 #     ports:
 #       - "8080:80"
 #       - "3306:3306"
@@ -577,7 +602,6 @@ podman_pods: []
 #     share: "net,ipc"
 #     userns: "auto"
 #   - name: monitoring-pod
-#     state: started
 #     ports:
 #       - "9090:9090"
 #     device:
@@ -613,22 +637,22 @@ podman_pods: []
 #       requires:
 #         - "postgresql.service"
 
+podman_auto_remove: true
 # Systemd service generation configuration
-podman_generate_systemd: true
+podman_generate_systemd: "{{ not podman_use_quadlet }}"
 podman_systemd_dir: /etc/systemd/system
 podman_systemd_options:
   new: true
-  force: true
+  force: false
-  restart_policy: unless-stopped
+  restart_policy: always
-  time: 120
+  stop_timeout: 120
   no_header: false
   separator: ""
   wants: []
   after: []
   requires: []
-  container_prefix: ""
+  container_prefix: "container-"
-  pod_prefix: ""
+  pod_prefix: "pod-"
-  restart_sec: 30
 
 ### Prune Configuration
 podman_prune_enabled: true

handlers/main.yml

@@ -10,3 +10,53 @@
 - name: Reload systemd
   ansible.builtin.systemd:
     daemon_reload: true
+
+- name: Restart Podman networks
+  ansible.builtin.systemd:
+    name: "{{ item }}-network"
+    state: restarted
+  listen: Reload systemd
+  loop: "{{ podman_network_output.results | selectattr('changed', 'equalto', true) | map(attribute='item.name') | list }}"
+  loop_control:
+    label: "{{ item }}"
+  when:
+    - podman_network_output is defined
+    - podman_network_output.results | length > 0
+    - not podman_generate_systemd | bool
+
+- name: Restart Podman volumes
+  ansible.builtin.systemd:
+    name: "{{ item }}-volume"
+    state: restarted
+  listen: Reload systemd
+  loop: "{{ podman_volume_output.results | selectattr('changed', 'equalto', true) | map(attribute='item.name') | list }}"
+  loop_control:
+    label: "{{ item }}"
+  when:
+    - podman_volume_output is defined
+    - podman_volume_output.results | length > 0
+    - not podman_generate_systemd | bool
+
+- name: Restart Podman pods
+  ansible.builtin.systemd:
+    name: "{{ (podman_systemd_options.pod_prefix if podman_generate_systemd | bool else '') ~ item ~ ('-pod' if not podman_generate_systemd | bool else '') }}"
+    state: restarted
+  listen: Reload systemd
+  loop: "{{ podman_pod_output.results | selectattr('changed', 'equalto', true) | map(attribute='item.name') | list }}"
+  loop_control:
+    label: "{{ item }}"
+  when:
+    - podman_pod_output is defined
+    - podman_pod_output.results | length > 0
+
+- name: Restart Podman containers
+  ansible.builtin.systemd:
+    name: "{{ (podman_systemd_options.container_prefix if podman_generate_systemd | bool else '') ~ item }}"
+    state: restarted
+  listen: Reload systemd
+  loop: "{{ podman_container_output.results | selectattr('changed', 'equalto', true) | map(attribute='item.name') | list }}"
+  loop_control:
+    label: "{{ item }}"
+  when:
+    - podman_container_output is defined
+    - podman_container_output.results | length > 0

molecule/default/converge.yml

@@ -1,17 +0,0 @@
----
-- name: Converge - apply podman role
-  hosts: all
-  become: true
-  vars:
-    podman_install_from_repo: true
-    podman_packages:
-      - podman
-    podman_configure_registries: true
-    podman_configure_storage: true
-    podman_configure_policy: true
-    podman_enable_socket: false
-    podman_enable_api_service: false
-    podman_policy_default_type: "insecureAcceptAnything"
-    podman_policy_trusted_registries: []
-  roles:
-    - name: podman

molecule/default/molecule.yml

@@ -1,30 +0,0 @@
----
-dependency:
-  name: galaxy
-driver:
-  name: podman
-platform_defaults: &platform_defaults
-  tmpfs:
-    - /tmp
-    - /run/lock
-  volumes:
-    - /sys/fs/cgroup:/sys/fs/cgroup:ro
-  command: /lib/systemd/systemd
-platforms:
-  - name: debian-bullseye
-    image: docker.io/jrei/systemd-debian:12
-    <<: *platform_defaults
-  - name: debian-bullseye
-    image: docker.io/jrei/systemd-debian:13
-    <<: *platform_defaults
-
-provisioner:
-  name: ansible
-  lint:
-    name: ansible-lint
-verifier:
-  name: ansible
-lint: |
-  set -e
-  ansible-lint .
-  yamllint .

molecule/default/prepare.yml

@@ -1,28 +0,0 @@
----
-- name: Prepare instance for podman role testing
-  hosts: all
-  become: true
-  tasks:
-    - name: Ensure apt cache is up-to-date
-      ansible.builtin.apt:
-        update_cache: yes
-        cache_valid_time: 3600
-
-    - name: Install prerequisites used by the role/tests
-      ansible.builtin.apt:
-        name:
-          - apt-transport-https
-          - ca-certificates
-          - gnupg
-          - lsb-release
-          - curl
-        state: present
-        update_cache: false
-
-    - name: Install python3-venv and python3-pip for testinfra
-      ansible.builtin.apt:
-        name:
-          - python3-pip
-          - python3-venv
-        state: present
-        update_cache: false

molecule/default/requirements.yml

@@ -1,3 +0,0 @@
----
-collections:
-  - name: containers.podman

molecule/default/tests/test_default.py

@@ -1,34 +0,0 @@
-import os
-import testinfra.utils.ansible_runner
-
-# Get hosts from Testinfra inventory created by Molecule
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
-    os.environ.get('MOLECULE_INVENTORY_FILE')
-).get_hosts('all')
-
-
-def test_podman_package_installed(host):
-    pkg = host.package("podman")
-    assert pkg.is_installed, "podman package should be installed"
-
-
-def test_podman_binary_executes(host):
-    cmd = host.run("podman --version")
-    assert cmd.rc == 0, f"podman not runnable: {cmd.stderr or cmd.stdout}"
-
-
-def test_containers_conf_exists(host):
-    f = host.file("/etc/containers/registries.conf")
-    assert f.exists, "/etc/containers/registries.conf should exist"
-
-
-def test_policy_json_exists(host):
-    f = host.file("/etc/containers/policy.json")
-    assert f.exists, "/etc/containers/policy.json should exist"
-
-
-def test_podman_config_file_valid_json(host):
-    f = host.file("/etc/containers/policy.json")
-    assert f.exists and f.size > 0
-    cmd = host.run("python3 -c 'import json,sys;json.load(open(\"/etc/containers/policy.json\"))'")
-    assert cmd.rc == 0, "policy.json should be valid JSON"

tasks/configure.yml

@@ -1,6 +1,11 @@
 ---
 # Configure Podman
 
+- name: Install python3-cryptography
+  ansible.builtin.package:
+    name: python3-cryptography
+    state: present
+
 - name: Ensure containers configuration directory exists
   ansible.builtin.file:
     path: /etc/containers

tasks/containers.yml

@@ -2,240 +2,230 @@
 # Manage Podman containers
 
 - name: Manage Podman containers
+  vars:
+    container_item: "{{ podman_container_defaults | default({}) | combine(item) }}"
   containers.podman.podman_container:
-    name: "{{ item.name }}"
+    name: "{{ container_item.name }}"
-    image: "{{ item.image }}"
+    image: "{{ container_item.image }}"
-    state: "{{ item.state | default('present') }}"
+    state: "{{ container_item.state | default('present') }}"
 
     # Basic container configuration
-    command: "{{ item.command | default(omit) }}"
+    command: "{{ container_item.command | default(omit) }}"
-    entrypoint: "{{ item.entrypoint | default(omit) }}"
+    entrypoint: "{{ container_item.entrypoint | default(omit) }}"
-    user: "{{ item.user | default(omit) }}"
+    user: "{{ container_item.user | default(omit) }}"
-    workdir: "{{ item.working_dir | default(omit) }}"
+    workdir: "{{ container_item.working_dir | default(omit) }}"
-    hostname: "{{ item.hostname | default(omit) }}"
+    hostname: "{{ container_item.hostname | default(omit) }}"
 
     # Container runtime options
-    detach: "{{ item.detach | default(true) }}"
+    detach: "{{ container_item.detach | bool | default(omit) }}"
-    interactive: "{{ item.interactive | default(false) }}"
+    interactive: "{{ container_item.interactive | bool | default(omit) }}"
-    tty: "{{ item.tty | default(false) }}"
+    tty: "{{ container_item.tty | bool | default(omit) }}"
-    rm: "{{ item.auto_remove | default(false) }}"
+    rm: "{{ container_item.auto_remove | bool | default(podman_auto_remove) }}"
-    rmi: "{{ item.remove_image | default(false) }}"
+    rmi: "{{ container_item.remove_image | bool | default(omit) }}"
-    privileged: "{{ item.privileged | default(false) }}"
+    privileged: "{{ container_item.privileged | bool | default(omit) }}"
-    read_only: "{{ item.read_only | default(false) }}"
+    read_only: "{{ container_item.read_only | bool | default(omit) }}"
-    read_only_tmpfs: "{{ item.read_only_tmpfs | default(true) }}"
+    read_only_tmpfs: "{{ container_item.read_only_tmpfs | bool | default(omit) }}"
-    init: "{{ item.init | default(false) }}"
+    init: "{{ container_item.init | bool | default(omit) }}"
-    init_path: "{{ item.init_path | default(omit) }}"
+    init_path: "{{ container_item.init_path | default(omit) }}"
 
     # Networking
-    network: "{{ item.networks | default(omit) }}"
+    network: "{{ container_item.networks | default(omit) }}"
-    publish: "{{ item.ports | default(omit) }}"
+    publish: "{{ container_item.ports | default(omit) }}"
-    publish_all: "{{ item.publish_all | default(false) }}"
+    publish_all: "{{ container_item.publish_all | bool | default(omit) }}"
-    expose: "{{ item.expose | default(omit) }}"
+    expose: "{{ container_item.expose | default(omit) }}"
-    ip: "{{ item.ip | default(omit) }}"
+    ip: "{{ container_item.ip | default(omit) }}"
-    ip6: "{{ item.ip6 | default(omit) }}"
+    ip6: "{{ container_item.ip6 | default(omit) }}"
-    mac_address: "{{ item.mac_address | default(omit) }}"
+    mac_address: "{{ container_item.mac_address | default(omit) }}"
-    network_aliases: "{{ item.network_aliases | default(omit) }}"
+    network_aliases: "{{ container_item.network_aliases | default(omit) }}"
-    dns: "{{ item.dns | default(omit) }}"
+    dns: "{{ container_item.dns | default(omit) }}"
-    dns_option: "{{ item.dns_options | default(omit) }}"
+    dns_option: "{{ container_item.dns_options | default(omit) }}"
-    dns_search: "{{ item.dns_search | default(omit) }}"
+    dns_search: "{{ container_item.dns_search | default(omit) }}"
-    etc_hosts: "{{ item.add_hosts | default(omit) }}"
+    etc_hosts: "{{ container_item.add_hosts | default(omit) }}"
-    no_hosts: "{{ item.no_hosts | default(false) }}"
+    no_hosts: "{{ container_item.no_hosts | bool | default(omit) }}"
 
     # Storage and volumes
-    volume: "{{ item.volumes | default(omit) }}"
+    volume: "{{ container_item.volumes | default(omit) }}"
-    volumes_from: "{{ item.volumes_from | default(omit) }}"
+    volumes_from: "{{ container_item.volumes_from | default(omit) }}"
-    mount: "{{ item.mounts | default(omit) }}"
+    mount: "{{ container_item.mounts | default(omit) }}"
-    tmpfs: "{{ item.tmpfs | default(omit) }}"
+    tmpfs: "{{ container_item.tmpfs | default(omit) }}"
-    image_volume: "{{ item.image_volume | default(omit) }}"
+    image_volume: "{{ container_item.image_volume | default(omit) }}"
 
     # Environment variables
-    env: "{{ item.env | default(omit) }}"
+    env: "{{ container_item.env | default(omit) }}"
-    env_file: "{{ item.env_files | default(omit) }}"
+    env_file: "{{ container_item.env_files | default(omit) }}"
-    env_host: "{{ item.env_host | default(false) }}"
+    env_host: "{{ container_item.env_host | bool | default(omit) }}"
-    env_merge: "{{ item.env_merge | default(omit) }}"
+    env_merge: "{{ container_item.env_merge | default(omit) }}"
-    unsetenv: "{{ item.unsetenv | default(omit) }}"
+    unsetenv: "{{ container_item.unsetenv | default(omit) }}"
-    unsetenv_all: "{{ item.unsetenv_all | default(false) }}"
+    unsetenv_all: "{{ container_item.unsetenv_all | bool | default(omit) }}"
 
     # Resource constraints
-    memory: "{{ item.memory | default(omit) }}"
+    memory: "{{ container_item.memory | default(omit) }}"
-    memory_reservation: "{{ item.memory_reservation | default(omit) }}"
+    memory_reservation: "{{ container_item.memory_reservation | default(omit) }}"
-    memory_swap: "{{ item.memory_swap | default(omit) }}"
+    memory_swap: "{{ container_item.memory_swap | default(omit) }}"
-    memory_swappiness: "{{ item.memory_swappiness | default(omit) }}"
+    memory_swappiness: "{{ container_item.memory_swappiness | default(omit) }}"
-    kernel_memory: "{{ item.kernel_memory | default(omit) }}"
+    kernel_memory: "{{ container_item.kernel_memory | default(omit) }}"
-    cpus: "{{ item.cpus | default(omit) }}"
+    cpus: "{{ container_item.cpus | default(omit) }}"
-    cpu_shares: "{{ item.cpu_shares | default(omit) }}"
+    cpu_shares: "{{ container_item.cpu_shares | default(omit) }}"
-    cpu_period: "{{ item.cpu_period | default(omit) }}"
+    cpu_period: "{{ container_item.cpu_period | default(omit) }}"
-    cpu_quota: "{{ item.cpu_quota | default(omit) }}"
+    cpu_quota: "{{ container_item.cpu_quota | default(omit) }}"
-    cpu_rt_period: "{{ item.cpu_rt_period | default(omit) }}"
+    cpu_rt_period: "{{ container_item.cpu_rt_period | default(omit) }}"
-    cpu_rt_runtime: "{{ item.cpu_rt_runtime | default(omit) }}"
+    cpu_rt_runtime: "{{ container_item.cpu_rt_runtime | default(omit) }}"
-    cpuset_cpus: "{{ item.cpuset_cpus | default(omit) }}"
+    cpuset_cpus: "{{ container_item.cpuset_cpus | default(omit) }}"
-    cpuset_mems: "{{ item.cpuset_mems | default(omit) }}"
+    cpuset_mems: "{{ container_item.cpuset_mems | default(omit) }}"
-    blkio_weight: "{{ item.blkio_weight | default(omit) }}"
+    blkio_weight: "{{ container_item.blkio_weight | default(omit) }}"
-    blkio_weight_device: "{{ item.blkio_weight_device | default(omit) }}"
+    blkio_weight_device: "{{ container_item.blkio_weight_device | default(omit) }}"
-    oom_kill_disable: "{{ item.oom_kill_disable | default(false) }}"
+    oom_kill_disable: "{{ container_item.oom_kill_disable | bool | default(omit) }}"
-    oom_score_adj: "{{ item.oom_score_adj | default(omit) }}"
+    oom_score_adj: "{{ container_item.oom_score_adj | default(omit) }}"
-    pids_limit: "{{ item.pids_limit | default(omit) }}"
+    pids_limit: "{{ container_item.pids_limit | default(omit) }}"
 
     # Device access
-    device: "{{ item.devices | default(omit) }}"
+    device: "{{ container_item.devices | default(omit) }}"
-    device_cgroup_rule: "{{ item.device_cgroup_rule | default(omit) }}"
+    device_cgroup_rule: "{{ container_item.device_cgroup_rule | default(omit) }}"
-    device_read_bps: "{{ item.device_read_bps | default(omit) }}"
+    device_read_bps: "{{ container_item.device_read_bps | default(omit) }}"
-    device_read_iops: "{{ item.device_read_iops | default(omit) }}"
+    device_read_iops: "{{ container_item.device_read_iops | default(omit) }}"
-    device_write_bps: "{{ item.device_write_bps | default(omit) }}"
+    device_write_bps: "{{ container_item.device_write_bps | default(omit) }}"
-    device_write_iops: "{{ item.device_write_iops | default(omit) }}"
+    device_write_iops: "{{ container_item.device_write_iops | default(omit) }}"
-    gpus: "{{ item.gpus | default(omit) }}"
+    gpus: "{{ container_item.gpus | default(omit) }}"
 
     # Security options
-    security_opt: "{{ item.security_opt | default(omit) }}"
+    security_opt: "{{ container_item.security_opt | default(omit) }}"
-    cap_add: "{{ item.cap_add | default(omit) }}"
+    cap_add: "{{ container_item.cap_add | default(omit) }}"
-    cap_drop: "{{ item.cap_drop | default(omit) }}"
+    cap_drop: "{{ container_item.cap_drop | default(omit) }}"
-    seccomp_policy: "{{ item.seccomp_policy | default(omit) }}"
+    seccomp_policy: "{{ container_item.seccomp_policy | default(omit) }}"
-    userns: "{{ item.userns | default(omit) }}"
+    userns: "{{ container_item.userns | default(omit) }}"
-    uidmap: "{{ item.uidmap | default(omit) }}"
+    uidmap: "{{ container_item.uidmap | default(omit) }}"
-    gidmap: "{{ item.gidmap | default(omit) }}"
+    gidmap: "{{ container_item.gidmap | default(omit) }}"
-    subuidname: "{{ item.subuidname | default(omit) }}"
+    subuidname: "{{ container_item.subuidname | default(omit) }}"
-    subgidname: "{{ item.subgidname | default(omit) }}"
+    subgidname: "{{ container_item.subgidname | default(omit) }}"
-    group_add: "{{ item.groups | default(omit) }}"
+    group_add: "{{ container_item.groups | default(omit) }}"
-    group_entry: "{{ item.group_entry | default(omit) }}"
+    group_entry: "{{ container_item.group_entry | default(omit) }}"
-    passwd: "{{ item.passwd | default(omit) }}"
+    passwd: "{{ container_item.passwd | default(omit) }}"
-    passwd_entry: "{{ item.passwd_entry | default(omit) }}"
+    passwd_entry: "{{ container_item.passwd_entry | default(omit) }}"
 
     # Namespaces
-    ipc: "{{ item.ipc_mode | default(omit) }}"
+    ipc: "{{ container_item.ipc_mode | default(omit) }}"
-    pid: "{{ item.pid_mode | default(omit) }}"
+    pid: "{{ container_item.pid_mode | default(omit) }}"
-    uts: "{{ item.uts | default(omit) }}"
+    uts: "{{ container_item.uts | default(omit) }}"
-    cgroupns: "{{ item.cgroupns | default(omit) }}"
+    cgroupns: "{{ container_item.cgroupns | default(omit) }}"
 
     # Cgroups
-    cgroups: "{{ item.cgroups | default(omit) }}"
+    cgroups: "{{ container_item.cgroups | default(omit) }}"
-    cgroup_parent: "{{ item.cgroup_parent | default(omit) }}"
+    cgroup_parent: "{{ container_item.cgroup_parent | default(omit) }}"
-    cgroup_conf: "{{ item.cgroup_conf | default(omit) }}"
+    cgroup_conf: "{{ container_item.cgroup_conf | default(omit) }}"
 
     # System configuration
-    sysctl: "{{ item.sysctl | default(omit) }}"
+    sysctl: "{{ container_item.sysctl | default(omit) }}"
-    systemd: "{{ item.systemd | default(omit) }}"
+    systemd: "{{ container_item.systemd | default(omit) }}"
-    ulimit: "{{ item.ulimits | default(omit) }}"
+    ulimit: "{{ container_item.ulimits | default(omit) }}"
-    umask: "{{ item.umask | default(omit) }}"
+    umask: "{{ container_item.umask | default(omit) }}"
 
     # Shared memory and tmpfs
-    shm_size: "{{ item.shm_size | default(omit) }}"
+    shm_size: "{{ container_item.shm_size | default(omit) }}"
-    shm_size_systemd: "{{ item.shm_size_systemd | default(omit) }}"
+    shm_size_systemd: "{{ container_item.shm_size_systemd | default(omit) }}"
 
     # Pods
-    pod: "{{ item.pod | default(omit) }}"
+    pod: "{{ container_item.pod | default(omit) }}"
-    pod_id_file: "{{ item.pod_id_file | default(omit) }}"
+    pod_id_file: "{{ container_item.pod_id_file | default(omit) }}"
 
     # Logging
-    log_driver: "{{ item.log_driver | default(omit) }}"
+    log_driver: "{{ container_item.log_driver | default(omit) }}"
-    log_opt: "{{ item.log_options | default(omit) }}"
+    log_opt: "{{ container_item.log_options | default(omit) }}"
-    log_level: "{{ item.log_level | default(omit) }}"
+    log_level: "{{ container_item.log_level | default(omit) }}"
 
     # Health checks
-    healthcheck: "{{ item.healthcheck | default(omit) }}"
+    healthcheck: "{{ container_item.healthcheck | default(omit) }}"
-    healthcheck_interval: "{{ item.healthcheck_interval | default(omit) }}"
+    healthcheck_interval: "{{ container_item.healthcheck_interval | default(omit) }}"
-    healthcheck_timeout: "{{ item.healthcheck_timeout | default(omit) }}"
+    healthcheck_timeout: "{{ container_item.healthcheck_timeout | default(omit) }}"
-    healthcheck_start_period: "{{ item.healthcheck_start_period | default(omit) }}"
+    healthcheck_start_period: "{{ container_item.healthcheck_start_period | default(omit) }}"
-    healthcheck_retries: "{{ item.healthcheck_retries | default(omit) }}"
+    healthcheck_retries: "{{ container_item.healthcheck_retries | default(omit) }}"
-    healthcheck_failure_action: "{{ item.healthcheck_failure_action | default(omit) }}"
+    healthcheck_failure_action: "{{ container_item.healthcheck_failure_action | default(omit) }}"
-    no_healthcheck: "{{ item.no_healthcheck | default(false) }}"
+    no_healthcheck: "{{ container_item.no_healthcheck | bool | default(omit) }}"
 
     # Startup health checks
-    health_startup_cmd: "{{ item.health_startup_cmd | default(omit) }}"
+    health_startup_cmd: "{{ container_item.health_startup_cmd | default(omit) }}"
-    health_startup_interval: "{{ item.health_startup_interval | default(omit) }}"
+    health_startup_interval: "{{ container_item.health_startup_interval | default(omit) }}"
-    health_startup_timeout: "{{ item.health_startup_timeout | default(omit) }}"
+    health_startup_timeout: "{{ container_item.health_startup_timeout | default(omit) }}"
-    health_startup_retries: "{{ item.health_startup_retries | default(omit) }}"
+    health_startup_retries: "{{ container_item.health_startup_retries | default(omit) }}"
-    health_startup_success: "{{ item.health_startup_success | default(omit) }}"
+    health_startup_success: "{{ container_item.health_startup_success | default(omit) }}"
 
     # Metadata and labels
-    label: "{{ item.labels | default(omit) }}"
+    label: "{{ container_item.labels | default(omit) }}"
-    label_file: "{{ item.label_file | default(omit) }}"
+    label_file: "{{ container_item.label_file | default(omit) }}"
-    annotation: "{{ item.annotations | default(omit) }}"
+    annotation: "{{ container_item.annotations | default(omit) }}"
 
     # Container lifecycle
-    restart_policy: "{{ item.restart_policy | default('no') }}"
+    restart_policy: "{{ container_item.restart_policy | default(omit) }}"
-    restart_time: "{{ item.restart_time | default(omit) }}"
+    restart_time: "{{ container_item.restart_time | default(omit) }}"
-    stop_signal: "{{ item.stop_signal | default(omit) }}"
+    stop_signal: "{{ container_item.stop_signal | default(omit) }}"
-    stop_time: "{{ item.stop_time | default(omit) }}"
+    stop_time: "{{ container_item.stop_time | default(omit) }}"
-    stop_timeout: "{{ item.stop_timeout | default(omit) }}"
+    stop_timeout: "{{ container_item.stop_timeout | default(omit) }}"
-    timeout: "{{ item.timeout | default(omit) }}"
+    timeout: "{{ container_item.timeout | default(omit) }}"
 
     # Pull and image options
-    pull: "{{ item.pull | default('missing') }}"
+    pull: "{{ container_item.pull | default(omit) }}"
-    image_strict: "{{ item.image_strict | default(false) }}"
+    image_strict: "{{ container_item.image_strict | bool | default(omit) }}"
-    arch: "{{ item.arch | default(omit) }}"
+    arch: "{{ container_item.arch | default(omit) }}"
-    os: "{{ item.os | default(omit) }}"
+    os: "{{ container_item.os | default(omit) }}"
-    platform: "{{ item.platform | default(omit) }}"
+    platform: "{{ container_item.platform | default(omit) }}"
-    variant: "{{ item.variant | default(omit) }}"
+    variant: "{{ container_item.variant | default(omit) }}"
 
     # Registry and authentication
-    authfile: "{{ item.authfile | default(omit) }}"
+    authfile: "{{ container_item.authfile | default(omit) }}"
-    tls_verify: "{{ item.tls_verify | default(omit) }}"
+    tls_verify: "{{ container_item.tls_verify | default(omit) }}"
-    decryption_key: "{{ item.decryption_key | default(omit) }}"
+    decryption_key: "{{ container_item.decryption_key | default(omit) }}"
 
     # File operations
-    cidfile: "{{ item.cidfile | default(omit) }}"
+    cidfile: "{{ container_item.cidfile | default(omit) }}"
-    conmon_pidfile: "{{ item.conmon_pidfile | default(omit) }}"
+    conmon_pidfile: "{{ container_item.conmon_pidfile | default(omit) }}"
-    pid_file: "{{ item.pid_file | default(omit) }}"
+    pid_file: "{{ container_item.pid_file | default(omit) }}"
 
     # Special options
-    attach: "{{ item.attach | default(omit) }}"
+    attach: "{{ container_item.attach | default(omit) }}"
-    detach_keys: "{{ item.detach_keys | default(omit) }}"
+    detach_keys: "{{ container_item.detach_keys | default(omit) }}"
-    sig_proxy: "{{ item.sig_proxy | default(true) }}"
+    sig_proxy: "{{ container_item.sig_proxy | bool | default(omit) }}"
-    http_proxy: "{{ item.http_proxy | default(true) }}"
+    http_proxy: "{{ container_item.http_proxy | bool | default(omit) }}"
 
     # Advanced options
-    chrootdirs: "{{ item.chrootdirs | default(omit) }}"
+    chrootdirs: "{{ container_item.chrootdirs | default(omit) }}"
-    hooks_dir: "{{ item.hooks_dir | default(omit) }}"
+    hooks_dir: "{{ container_item.hooks_dir | default(omit) }}"
-    hostuser: "{{ item.hostuser | default(omit) }}"
+    hostuser: "{{ container_item.hostuser | default(omit) }}"
-    init_ctr: "{{ item.init_ctr | default(omit) }}"
+    init_ctr: "{{ container_item.init_ctr | default(omit) }}"
-    personality: "{{ item.personality | default(omit) }}"
+    personality: "{{ container_item.personality | default(omit) }}"
-    preserve_fd: "{{ item.preserve_fd | default(omit) }}"
+    preserve_fd: "{{ container_item.preserve_fd | default(omit) }}"
-    preserve_fds: "{{ item.preserve_fds | default(omit) }}"
+    preserve_fds: "{{ container_item.preserve_fds | default(omit) }}"
-    rdt_class: "{{ item.rdt_class | default(omit) }}"
+    rdt_class: "{{ container_item.rdt_class | default(omit) }}"
-    requires: "{{ item.requires | default(omit) }}"
+    requires: "{{ container_item.requires | default(omit) }}"
-    rootfs: "{{ item.rootfs | default(false) }}"
+    rootfs: "{{ container_item.rootfs | bool | default(omit) }}"
-    sdnotify: "{{ item.sdnotify | default(omit) }}"
+    sdnotify: "{{ container_item.sdnotify | default(omit) }}"
-    secrets: "{{ item.secrets | default(omit) }}"
+    secrets: "{{ container_item.secrets | default(omit) }}"
-    timezone: "{{ item.timezone | default(omit) }}"
+    timezone: "{{ container_item.timezone | default(omit) }}"
 
     # Retry options
-    retry: "{{ item.retry | default(omit) }}"
+    retry: "{{ container_item.retry | default(omit) }}"
-    retry_delay: "{{ item.retry_delay | default(omit) }}"
+    retry_delay: "{{ container_item.retry_delay | default(omit) }}"
 
     # Systemd generation
-    generate_systemd: "{{ item.generate_systemd | default(omit) }}"
+    generate_systemd: "{{ container_item.generate_systemd | default(omit) }}"
 
     # Quadlet options
-    quadlet_dir: "{{ item.quadlet_dir | default(omit) }}"
+    quadlet_dir: "{{ container_item.quadlet_dir | default(omit) }}"
-    quadlet_filename: "{{ item.quadlet_filename | default(omit) }}"
+    quadlet_filename: "{{ container_item.quadlet_filename | default(omit) }}"
-    quadlet_file_mode: "{{ item.quadlet_file_mode | default(omit) }}"
+    quadlet_file_mode: "{{ container_item.quadlet_file_mode | default(omit) }}"
-    quadlet_options: "{{ item.quadlet_options | default(omit) }}"
+    quadlet_options: "{{ container_item.quadlet_options | default(omit) }}"
 
     # Control options
-    cmd_args: "{{ item.cmd_args | default(omit) }}"
+    cmd_args: "{{ container_item.cmd_args | default(omit) }}"
-    executable: "{{ item.executable | default('podman') }}"
+    executable: "{{ container_item.executable | default('podman') }}"
-    recreate: "{{ item.recreate | default(false) }}"
+    recreate: "{{ container_item.recreate | bool | default(omit) }}"
-    force_restart: "{{ item.force_restart | default(false) }}"
+    force_restart: "{{ container_item.force_restart | bool | default(omit) }}"
-    force_delete: "{{ item.force_delete | default(true) }}"
+    force_delete: "{{ container_item.force_delete | bool | default(omit) }}"
-    delete_depend: "{{ item.delete_depend | default(false) }}"
+    delete_depend: "{{ container_item.delete_depend | bool | default(omit) }}"
-    delete_time: "{{ item.delete_time | default(omit) }}"
+    delete_time: "{{ container_item.delete_time | default(omit) }}"
-    delete_volumes: "{{ item.delete_volumes | default(false) }}"
+    delete_volumes: "{{ container_item.delete_volumes | bool | default(omit) }}"
-    debug: "{{ item.debug | default(false) }}"
+    debug: "{{ container_item.debug | bool | default(omit) }}"
   loop: "{{ podman_containers }}"
   loop_control:
     label: "{{ item.name }}"
-  register: podman_container_results
+  register: podman_container_output
-
+  notify:
-- name: Enable and start container systemd services
+    - Reload systemd
-  ansible.builtin.systemd:
-    name: "container-{{ item.item.name }}"
-    enabled: true
-    state: started
-    daemon_reload: true
-  loop: "{{ podman_container_results.results }}"
-  loop_control:
-    label: "{{ item.item.name }}"
-  when:
-    - item.item.generate_systemd is defined
-    - item.item.generate_systemd
-    - item.item.state | default('present') in ['present', 'started']

tasks/install.yml

@@ -4,7 +4,6 @@
 - name: Update package cache (Debian/Ubuntu)
   ansible.builtin.apt:
     cache_valid_time: 3600
-  when: ansible_os_family == "Debian"
 
 - name: Install Podman and related packages
   ansible.builtin.package:

tasks/networks.yml

@@ -2,24 +2,33 @@
 # Manage Podman networks
 
 - name: Manage Podman networks
+  vars:
+    network_item: "{{ podman_network_defaults | default({}) | combine(item) }}"
   containers.podman.podman_network:
-    name: "{{ item.name }}"
+    name: "{{ network_item.name }}"
-    state: "{{ item.state | default('present') }}"
+    state: "{{ network_item.state | default('present') }}"
-    driver: "{{ item.driver | default('bridge') }}"
+    driver: "{{ network_item.driver | default('bridge') }}"
-    subnet: "{{ item.subnet | default(omit) }}"
+    subnet: "{{ network_item.subnet | default(omit) }}"
-    gateway: "{{ item.gateway | default(omit) }}"
+    gateway: "{{ network_item.gateway | default(omit) }}"
-    ip_range: "{{ item.ip_range | default(omit) }}"
+    ip_range: "{{ network_item.ip_range | default(omit) }}"
-    disable_dns: "{{ item.disable_dns | default(false) }}"
+    disable_dns: "{{ network_item.disable_dns | bool | default(omit) }}"
-    internal: "{{ item.internal | default(false) }}"
+    internal: "{{ network_item.internal | bool | default(omit) }}"
-    opt: "{{ item.options | default(omit) }}"
+    opt: "{{ network_item.options | default(omit) }}"
-    dns: "{{ item.dns | default(omit) }}"
+    dns: "{{ network_item.dns | default(omit) }}"
-    interface_name: "{{ item.interface_name | default(omit) }}"
+    interface_name: "{{ network_item.interface_name | default(omit) }}"
-    ipam_driver: "{{ item.ipam_driver | default(omit) }}"
+    ipam_driver: "{{ network_item.ipam_driver | default(omit) }}"
-    ipv6: "{{ item.ipv6 | default(false) }}"
+    ipv6: "{{ network_item.ipv6 | bool | default(omit) }}"
-    macvlan: "{{ item.macvlan | default(omit) }}"
+    macvlan: "{{ network_item.macvlan | default(omit) }}"
-    net_config: "{{ item.net_config | default(omit) }}"
+    net_config: "{{ network_item.net_config | default(omit) }}"
-    route: "{{ item.route | default(omit) }}"
+    route: "{{ network_item.route | default(omit) }}"
-    recreate: "{{ item.recreate | default(false) }}"
+    recreate: "{{ network_item.recreate | bool | default(omit) }}"
+    quadlet_dir: "{{ network_item.quadlet_dir | default(omit) }}"
+    quadlet_filename: "{{ network_item.quadlet_filename | default(omit) }}"
+    quadlet_file_mode: "{{ network_item.quadlet_file_mode | default(omit) }}"
+    quadlet_options: "{{ network_item.quadlet_options | default(omit) }}"
   loop: "{{ podman_networks }}"
   loop_control:
     label: "{{ item.name }}"
+  register: podman_network_output
+  notify:
+    - Reload systemd

tasks/pods.yml

@@ -2,65 +2,70 @@
 # Manage Podman pods
 
 - name: Manage Podman pods
+  vars:
+    pod_item: "{{ podman_pod_defaults | default({}) | combine(item) }}"
   containers.podman.podman_pod:
-    name: "{{ item.name }}"
+    name: "{{ pod_item.name }}"
-    state: "{{ item.state | default('created') }}"
+    state: "{{ pod_item.state | default('created') }}"
-    publish: "{{ item.ports | default(omit) }}"
+    publish: "{{ pod_item.ports | default(omit) }}"
-    network: "{{ item.networks | default(omit) }}"
+    network: "{{ pod_item.networks | default(omit) }}"
-    volume: "{{ item.volumes | default(omit) }}"
+    volume: "{{ pod_item.volumes | default(omit) }}"
-    label: "{{ item.labels | default(omit) }}"
+    label: "{{ pod_item.labels | default(omit) }}"
-    hostname: "{{ item.hostname | default(omit) }}"
+    hostname: "{{ pod_item.hostname | default(omit) }}"
-    infra: "{{ item.infra | default(true) }}"
+    infra: "{{ pod_item.infra | default(omit) }}"
-    infra_image: "{{ item.infra_image | default(omit) }}"
+    infra_image: "{{ pod_item.infra_image | default(omit) }}"
-    infra_command: "{{ item.infra_command | default(omit) }}"
+    infra_command: "{{ pod_item.infra_command | default(omit) }}"
-    infra_name: "{{ item.infra_name | default(omit) }}"
+    infra_name: "{{ pod_item.infra_name | default(omit) }}"
-    add_host: "{{ item.add_host | default(omit) }}"
+    add_host: "{{ pod_item.add_host | default(omit) }}"
-    dns: "{{ item.dns | default(omit) }}"
+    dns: "{{ pod_item.dns | default(omit) }}"
-    dns_opt: "{{ item.dns_opt | default(omit) }}"
+    dns_opt: "{{ pod_item.dns_opt | default(omit) }}"
-    dns_search: "{{ item.dns_search | default(omit) }}"
+    dns_search: "{{ pod_item.dns_search | default(omit) }}"
-    ip: "{{ item.ip | default(omit) }}"
+    ip: "{{ pod_item.ip | default(omit) }}"
-    ip6: "{{ item.ip6 | default(omit) }}"
+    ip6: "{{ pod_item.ip6 | default(omit) }}"
-    mac_address: "{{ item.mac_address | default(omit) }}"
+    mac_address: "{{ pod_item.mac_address | default(omit) }}"
-    no_hosts: "{{ item.no_hosts | default(false) }}"
+    no_hosts: "{{ pod_item.no_hosts | default(omit) }}"
-    share: "{{ item.share | default(omit) }}"
+    share: "{{ pod_item.share | default(omit) }}"
-    share_parent: "{{ item.share_parent | default(omit) }}"
+    share_parent: "{{ pod_item.share_parent | default(omit) }}"
-    userns: "{{ item.userns | default(omit) }}"
+    userns: "{{ pod_item.userns | default(omit) }}"
-    uidmap: "{{ item.uidmap | default(omit) }}"
+    uidmap: "{{ pod_item.uidmap | default(omit) }}"
-    gidmap: "{{ item.gidmap | default(omit) }}"
+    gidmap: "{{ pod_item.gidmap | default(omit) }}"
-    subuidname: "{{ item.subuidname | default(omit) }}"
+    subuidname: "{{ pod_item.subuidname | default(omit) }}"
-    subgidname: "{{ item.subgidname | default(omit) }}"
+    subgidname: "{{ pod_item.subgidname | default(omit) }}"
-    security_opt: "{{ item.security_opt | default(omit) }}"
+    security_opt: "{{ pod_item.security_opt | default(omit) }}"
-    memory: "{{ item.memory | default(omit) }}"
+    memory: "{{ pod_item.memory | default(omit) }}"
-    memory_swap: "{{ item.memory_swap | default(omit) }}"
+    memory_swap: "{{ pod_item.memory_swap | default(omit) }}"
-    cpu_shares: "{{ item.cpu_shares | default(omit) }}"
+    cpu_shares: "{{ pod_item.cpu_shares | default(omit) }}"
-    cpus: "{{ item.cpus | default(omit) }}"
+    cpus: "{{ pod_item.cpus | default(omit) }}"
-    cpuset_cpus: "{{ item.cpuset_cpus | default(omit) }}"
+    cpuset_cpus: "{{ pod_item.cpuset_cpus | default(omit) }}"
-    cpuset_mems: "{{ item.cpuset_mems | default(omit) }}"
+    cpuset_mems: "{{ pod_item.cpuset_mems | default(omit) }}"
-    blkio_weight: "{{ item.blkio_weight | default(omit) }}"
+    blkio_weight: "{{ pod_item.blkio_weight | default(omit) }}"
-    blkio_weight_device: "{{ item.blkio_weight_device | default(omit) }}"
+    blkio_weight_device: "{{ pod_item.blkio_weight_device | default(omit) }}"
-    device: "{{ item.device | default(omit) }}"
+    device: "{{ pod_item.device | default(omit) }}"
-    device_read_bps: "{{ item.device_read_bps | default(omit) }}"
+    device_read_bps: "{{ pod_item.device_read_bps | default(omit) }}"
-    device_write_bps: "{{ item.device_write_bps | default(omit) }}"
+    device_write_bps: "{{ pod_item.device_write_bps | default(omit) }}"
-    shm_size: "{{ item.shm_size | default(omit) }}"
+    shm_size: "{{ pod_item.shm_size | default(omit) }}"
-    shm_size_systemd: "{{ item.shm_size_systemd | default(omit) }}"
+    shm_size_systemd: "{{ pod_item.shm_size_systemd | default(omit) }}"
-    sysctl: "{{ item.sysctl | default(omit) }}"
+    sysctl: "{{ pod_item.sysctl | default(omit) }}"
-    cgroup_parent: "{{ item.cgroup_parent | default(omit) }}"
+    cgroup_parent: "{{ pod_item.cgroup_parent | default(omit) }}"
-    pid: "{{ item.pid | default(omit) }}"
+    pid: "{{ pod_item.pid | default(omit) }}"
-    uts: "{{ item.uts | default(omit) }}"
+    uts: "{{ pod_item.uts | default(omit) }}"
-    network_alias: "{{ item.network_alias | default(omit) }}"
+    network_alias: "{{ pod_item.network_alias | default(omit) }}"
-    volumes_from: "{{ item.volumes_from | default(omit) }}"
+    volumes_from: "{{ pod_item.volumes_from | default(omit) }}"
-    exit_policy: "{{ item.exit_policy | default(omit) }}"
+    exit_policy: "{{ pod_item.exit_policy | default(omit) }}"
-    restart_policy: "{{ item.restart_policy | default(omit) }}"
+    restart_policy: "{{ pod_item.restart_policy | default(omit) }}"
-    pod_id_file: "{{ item.pod_id_file | default(omit) }}"
+    pod_id_file: "{{ pod_item.pod_id_file | default(omit) }}"
-    label_file: "{{ item.label_file | default(omit) }}"
+    label_file: "{{ pod_item.label_file | default(omit) }}"
-    gpus: "{{ item.gpus | default(omit) }}"
+    gpus: "{{ pod_item.gpus | default(omit) }}"
-    generate_systemd: "{{ item.generate_systemd | default(omit) }}"
+    generate_systemd: "{{ pod_item.generate_systemd | default(omit) }}"
-    quadlet_dir: "{{ item.quadlet_dir | default(omit) }}"
+    quadlet_dir: "{{ pod_item.quadlet_dir | default(omit) }}"
-    quadlet_filename: "{{ item.quadlet_filename | default(omit) }}"
+    quadlet_filename: "{{ pod_item.quadlet_filename | default(omit) }}"
-    quadlet_file_mode: "{{ item.quadlet_file_mode | default(omit) }}"
+    quadlet_file_mode: "{{ pod_item.quadlet_file_mode | default(omit) }}"
-    quadlet_options: "{{ item.quadlet_options | default(omit) }}"
+    quadlet_options: "{{ pod_item.quadlet_options | default(omit) }}"
-    recreate: "{{ item.recreate | default(false) }}"
+    recreate: "{{ pod_item.recreate | default(omit) }}"
-    debug: "{{ item.debug | default(false) }}"
+    debug: "{{ pod_item.debug | default(omit) }}"
   loop: "{{ podman_pods }}"
   loop_control:
     label: "{{ item.name }}"
+  register: podman_pod_output
+  notify:
+    - Reload systemd

tasks/services.yml

@@ -30,3 +30,18 @@
     enabled: false
     state: stopped
   when: not podman_enable_api_service
+
+- name: Enable and start Podman auto-update service
+  ansible.builtin.systemd:
+    name: podman-auto-update.service
+    enabled: true
+    state: started
+    daemon_reload: true
+  when: podman_enable_auto_update
+
+- name: Disable Podman auto-update service
+  ansible.builtin.systemd:
+    name: podman-auto-update.service
+    enabled: false
+    state: stopped
+  when: not podman_enable_auto_update

tasks/systemd.yml

@@ -2,49 +2,55 @@
 # Generate systemd service files for Podman containers and pods
 
 - name: Generate systemd service files for containers
+  vars:
+    systemd_opts: "{{ item.systemd if item.systemd is defined else (item.generate_systemd if item.generate_systemd is defined else {}) }}"
   containers.podman.podman_generate_systemd:
     name: "{{ item.name }}"
     dest: "{{ podman_systemd_dir }}"
     new: "{{ podman_systemd_options.new }}"
     force: "{{ podman_systemd_options.force }}"
-    restart_policy: "{{ item.systemd.restart_policy | default(podman_systemd_options.restart_policy) }}"
+    restart_policy: "{{ systemd_opts.restart_policy | default(podman_systemd_options.restart_policy) }}"
-    time: "{{ item.systemd.time | default(podman_systemd_options.time) }}"
+    stop_timeout: "{{ systemd_opts.stop_timeout | default(podman_systemd_options.stop_timeout) }}"
-    no_header: "{{ item.systemd.no_header | default(podman_systemd_options.no_header) }}"
+    no_header: "{{ systemd_opts.no_header | default(podman_systemd_options.no_header) }}"
-    separator: "{{ item.systemd.separator | default(podman_systemd_options.separator) }}"
+    separator: "{{ systemd_opts.separator | default(podman_systemd_options.separator) }}"
-    wants: "{{ item.systemd.wants | default(podman_systemd_options.wants) }}"
+    wants: "{{ systemd_opts.wants | default(podman_systemd_options.wants) }}"
-    after: "{{ item.systemd.after | default(podman_systemd_options.after) }}"
+    after: "{{ systemd_opts.after | default(podman_systemd_options.after) }}"
-    requires: "{{ item.systemd.requires | default(podman_systemd_options.requires) }}"
+    requires: "{{ systemd_opts.requires | default(podman_systemd_options.requires) }}"
-    container_prefix: "{{ item.systemd.container_prefix | default(podman_systemd_options.container_prefix) }}"
+    container_prefix: "{{ systemd_opts.container_prefix | default(podman_systemd_options.container_prefix) }}"
-    pod_prefix: "{{ item.systemd.pod_prefix | default(podman_systemd_options.pod_prefix) }}"
+    pod_prefix: "{{ systemd_opts.pod_prefix | default(podman_systemd_options.pod_prefix) }}"
-  loop: "{{ podman_containers | selectattr('systemd', 'defined') | list }}"
+  loop: "{{ podman_containers }}"
   loop_control:
     label: "{{ item.name }}"
   when:
     - podman_generate_systemd | bool
     - podman_containers is defined
     - podman_containers | length > 0
+    - (item.systemd is defined) or (item.generate_systemd is defined)
   notify: Reload systemd
 
 - name: Generate systemd service files for pods
+  vars:
+    systemd_opts: "{{ item.systemd if item.systemd is defined else (item.generate_systemd if item.generate_systemd is defined else {}) }}"
   containers.podman.podman_generate_systemd:
     name: "{{ item.name }}"
     dest: "{{ podman_systemd_dir }}"
     new: "{{ podman_systemd_options.new }}"
     force: "{{ podman_systemd_options.force }}"
-    restart_policy: "{{ item.systemd.restart_policy | default(podman_systemd_options.restart_policy) }}"
+    restart_policy: "{{ systemd_opts.restart_policy | default(podman_systemd_options.restart_policy) }}"
-    time: "{{ item.systemd.time | default(podman_systemd_options.time) }}"
+    stop_timeout: "{{ systemd_opts.stop_timeout | default(podman_systemd_options.stop_timeout) }}"
-    no_header: "{{ item.systemd.no_header | default(podman_systemd_options.no_header) }}"
+    no_header: "{{ systemd_opts.no_header | default(podman_systemd_options.no_header) }}"
-    separator: "{{ item.systemd.separator | default(podman_systemd_options.separator) }}"
+    separator: "{{ systemd_opts.separator | default(podman_systemd_options.separator) }}"
-    wants: "{{ item.systemd.wants | default(podman_systemd_options.wants) }}"
+    wants: "{{ systemd_opts.wants | default(podman_systemd_options.wants) }}"
-    after: "{{ item.systemd.after | default(podman_systemd_options.after) }}"
+    after: "{{ systemd_opts.after | default(podman_systemd_options.after) }}"
-    requires: "{{ item.systemd.requires | default(podman_systemd_options.requires) }}"
+    requires: "{{ systemd_opts.requires | default(podman_systemd_options.requires) }}"
-    container_prefix: "{{ item.systemd.container_prefix | default(podman_systemd_options.container_prefix) }}"
+    container_prefix: "{{ systemd_opts.container_prefix | default(podman_systemd_options.container_prefix) }}"
-    pod_prefix: "{{ item.systemd.pod_prefix | default(podman_systemd_options.pod_prefix) }}"
+    pod_prefix: "{{ systemd_opts.pod_prefix | default(podman_systemd_options.pod_prefix) }}"
-  loop: "{{ podman_pods | selectattr('systemd', 'defined') | list }}"
+  loop: "{{ podman_pods }}"
   loop_control:
     label: "{{ item.name }}"
   when:
     - podman_generate_systemd | bool
     - podman_pods is defined
     - podman_pods | length > 0
+    - (item.systemd is defined) or (item.generate_systemd is defined)
   notify: Reload systemd

tasks/volumes.yml

@@ -2,18 +2,23 @@
 # Manage Podman volumes
 
 - name: Manage Podman volumes
+  vars:
+    volume_item: "{{ podman_volume_defaults | default({}) | combine(item) }}"
   containers.podman.podman_volume:
-    name: "{{ item.name }}"
+    name: "{{ volume_item.name }}"
-    state: "{{ item.state | default('present') }}"
+    state: "{{ volume_item.state | default('present') }}"
-    driver: "{{ item.driver | default('local') }}"
+    driver: "{{ volume_item.driver | default('local') }}"
-    options: "{{ item.options | default(omit) }}"
+    options: "{{ volume_item.options | default(omit) }}"
-    label: "{{ item.labels | default(omit) }}"
+    label: "{{ volume_item.labels | default(omit) }}"
-    debug: "{{ item.debug | default(false) }}"
+    debug: "{{ volume_item.debug | bool | default(omit) }}"
-    recreate: "{{ item.recreate | default(false) }}"
+    recreate: "{{ volume_item.recreate | bool | default(omit) }}"
-    quadlet_dir: "{{ item.quadlet_dir | default(omit) }}"
+    quadlet_dir: "{{ volume_item.quadlet_dir | default(omit) }}"
-    quadlet_filename: "{{ item.quadlet_filename | default(omit) }}"
+    quadlet_filename: "{{ volume_item.quadlet_filename | default(omit) }}"
-    quadlet_file_mode: "{{ item.quadlet_file_mode | default(omit) }}"
+    quadlet_file_mode: "{{ volume_item.quadlet_file_mode | default(omit) }}"
-    quadlet_options: "{{ item.quadlet_options | default(omit) }}"
+    quadlet_options: "{{ volume_item.quadlet_options | default(omit) }}"
   loop: "{{ podman_volumes }}"
   loop_control:
     label: "{{ item.name }}"
+  register: podman_volume_output
+  notify:
+    - Reload systemd

vars/Debian.yml

@@ -1,14 +0,0 @@
----
-# OS-specific variables for Debian/Ubuntu
-
-# Package names may vary between distributions
-podman_packages:
-  - podman
-  - buildah
-  - skopeo
-
-podman_additional_packages:
-  - crun
-  - fuse-overlayfs
-  - slirp4netns
-  - uidmap