---
# defaults file for podman
#
# Every variable below can be overridden per host or group. Strings are
# single-quoted so that values such as version numbers, modes and IDs keep
# their string type regardless of the YAML loader in use.

# ---------------------------------------------------------------------------
# Package installation
# ---------------------------------------------------------------------------
podman_install_from_repo: true
podman_packages:
  - 'podman'
  - 'crun'

# ---------------------------------------------------------------------------
# registries.conf
# ---------------------------------------------------------------------------
podman_configure_registries: true
podman_registries_conf_path: '/etc/containers/registries.conf'

# Registries that are NOT part of the signature policy below but still need
# an entry in registries.conf (e.g. a mirror or proxy definition).
podman_registries_additional: []
# Example:
# podman_registries_additional:
#   - location: 'internal-mirror.company.com'
#     insecure: false
#     blocked: false
#     mirror:
#       - location: 'docker.io'
#         insecure: false

# ---------------------------------------------------------------------------
# storage.conf
# ---------------------------------------------------------------------------
podman_configure_storage: true
podman_storage_conf_path: '/etc/containers/storage.conf'
podman_storage_driver: 'overlay'
podman_storage_runroot: '/run/containers/storage'
podman_storage_graphroot: '/var/lib/containers/storage'

# ---------------------------------------------------------------------------
# policy.json (image signature policy)
# ---------------------------------------------------------------------------
podman_configure_policy: true
podman_policy_path: '/etc/containers/policy.json'

# Policy applied to images from registries that are not listed in
# podman_policy_trusted_registries.
#   'insecureAcceptAnything' - accept unsigned images (development default)
#   'reject'                 - refuse images from unlisted registries (production)
podman_policy_default_type: 'insecureAcceptAnything'

# When true, images from registries that are not listed below are rejected
# outright. When false, they fall through to podman_policy_default_type, so
# with the shipped defaults an image from ANY registry is accepted without
# signature verification.
podman_policy_reject_unknown_registries: false

# Registries that get an explicit policy entry. Each item carries both the
# policy.json settings (type, keyPath) and the registries.conf settings
# (insecure, blocked, unqualified_search).
podman_policy_trusted_registries:
  # Docker Hub official images (library namespace)
  - registry: 'docker.io/library'
    type: 'insecureAcceptAnything'
    # registries.conf settings
    insecure: false
    blocked: false
    unqualified_search: false  # the library namespace is not searched for unqualified names

  # Docker Hub, every namespace - use with caution in production
  - registry: 'docker.io'
    type: 'insecureAcceptAnything'
    # registries.conf settings
    insecure: false
    blocked: false
    unqualified_search: true  # primary search registry

  # Red Hat's official registry
  - registry: 'registry.redhat.io'
    type: 'insecureAcceptAnything'
    # Production variant with signature verification:
    # type: 'signedBy'
    # keyPath: '/etc/pki/containers/redhat.gpg'
    # registries.conf settings
    insecure: false
    blocked: false
    unqualified_search: true

  # Quay.io - Red Hat's container registry
  - registry: 'quay.io'
    type: 'insecureAcceptAnything'
    # registries.conf settings
    insecure: false
    blocked: false
    unqualified_search: true

  # Google Container Registry
  - registry: 'gcr.io'
    type: 'insecureAcceptAnything'
    # registries.conf settings
    insecure: false
    blocked: false
    unqualified_search: true

  # Microsoft Container Registry
  - registry: 'mcr.microsoft.com'
    type: 'insecureAcceptAnything'
    # registries.conf settings
    insecure: false
    blocked: false
    unqualified_search: true

  # Amazon ECR Public
  - registry: 'public.ecr.aws'
    type: 'insecureAcceptAnything'
    # registries.conf settings
    insecure: false
    blocked: false
    unqualified_search: false  # not commonly used for unqualified searches

  # GitHub Container Registry
  - registry: 'ghcr.io'
    type: 'insecureAcceptAnything'
    # registries.conf settings
    insecure: false
    blocked: false
    unqualified_search: false  # not commonly used for unqualified searches

  # GitLab Container Registry
  - registry: 'registry.gitlab.com'
    type: 'insecureAcceptAnything'
    # registries.conf settings
    insecure: false
    blocked: false
    unqualified_search: false  # not commonly used for unqualified searches

# Example production configuration with signature verification. Unlisted
# registries are rejected and every listed registry requires a signature
# from the given key, except the Docker Hub library namespace.
#
# podman_policy_default_type: 'reject'
# podman_policy_reject_unknown_registries: true
# podman_policy_trusted_registries:
#   # Internal company registry with signature verification
#   - registry: 'internal-registry.company.com'
#     type: 'signedBy'
#     keyPath: '/etc/pki/containers/company.gpg'
#     # registries.conf settings
#     insecure: false
#     blocked: false
#     unqualified_search: true
#     # Optional: mirror configuration
#     mirror:
#       - location: 'backup-registry.company.com'
#         insecure: false
#
#   # Red Hat registry with signature verification
#   - registry: 'registry.redhat.io'
#     type: 'signedBy'
#     keyPath: '/etc/pki/containers/redhat.gpg'
#     # registries.conf settings
#     insecure: false
#     blocked: false
#     unqualified_search: true
#
#   # Docker Hub official images only (more restrictive)
#   - registry: 'docker.io/library'
#     type: 'insecureAcceptAnything'
#     # registries.conf settings
#     insecure: false
#     blocked: false
#     unqualified_search: false
#
#   # Specific trusted namespaces
#   - registry: 'quay.io/company'
#     type: 'signedBy'
#     keyPath: '/etc/pki/containers/company.gpg'
#     # registries.conf settings
#     insecure: false
#     blocked: false
#     unqualified_search: false

# ---------------------------------------------------------------------------
# Service management
# ---------------------------------------------------------------------------
podman_enable_socket: false
podman_enable_api_service: false

# ---------------------------------------------------------------------------
# Container management
# ---------------------------------------------------------------------------
podman_containers: []

# Example container configurations. The values are illustrative; several of
# the "security configuration" options below (seccomp=unconfined, userns: host,
# privileged: true, host namespaces) widen what a container can reach on the
# host and are shown only to document the available keys.
#
# podman_containers:
#   # Basic web server container
#   - name: nginx
#     image: docker.io/nginx:latest
#     state: started
#     ports:
#       - '8080:80'
#     volumes:
#       - '/etc/nginx/conf.d:/etc/nginx/conf.d:ro'
#     env:
#       NGINX_HOST: example.com
#     restart_policy: always
#     user: nginx
#     networks:
#       - podman
#     labels:
#       app: webserver
#       version: '1.0'
#     working_dir: /app
#
#   # Advanced container with comprehensive configuration
#   - name: app-server
#     image: registry.example.com/myapp:v1.2.3
#     state: started
#
#     # Basic runtime options
#     command: ['/app/start.sh', '--config', '/etc/app/config.yaml']
#     entrypoint: '/entrypoint.sh'
#     user: '1000:1000'
#     working_dir: /app
#     hostname: app-server
#     detach: true
#     interactive: false
#     tty: false
#     auto_remove: false
#     privileged: false
#     read_only: false
#     read_only_tmpfs: true
#     init: true
#
#     # Networking configuration
#     networks:
#       - frontend
#       - backend
#     ports:
#       - '8080:8080'
#       - '127.0.0.1:8081:8081/tcp'
#     publish_all: false
#     expose:
#       - '9000'
#     ip: '10.88.0.100'
#     mac_address: '02:42:ac:11:00:02'
#     network_aliases:
#       - app
#       - api
#     dns:
#       - '8.8.8.8'
#       - '1.1.1.1'
#     dns_options: 'ndots:2'
#     dns_search:
#       - 'example.com'
#       - 'local'
#     add_hosts:
#       database: '192.168.1.100'
#       cache: '192.168.1.101'
#     no_hosts: false
#
#     # Storage and volumes
#     volumes:
#       - '/data/app:/app/data:rw'
#       - 'app-config:/etc/app:ro'
#     volumes_from:
#       - data-container
#     mounts:
#       - 'type=bind,source=/host/path,destination=/container/path,ro'
#     tmpfs:
#       /tmp: 'rw,size=100m,mode=1777'
#       /var/cache: 'rw,size=50m'
#
#     # Environment variables - credentials are placeholders; keep real ones
#     # in a vault or secret store rather than in committed defaults.
#     env:
#       DATABASE_URL: 'postgresql://user:pass@db:5432/myapp'
#       REDIS_URL: 'redis://cache:6379/0'
#       LOG_LEVEL: 'info'
#       FEATURE_FLAGS: 'new_ui,api_v2'
#     env_files:
#       - '/etc/app/.env'
#     env_host: false
#     env_merge:
#       PATH: '/app/bin:$PATH'
#     unsetenv:
#       - 'TEMP_VAR'
#
#     # Resource constraints
#     memory: '2g'
#     memory_reservation: '1g'
#     memory_swap: '4g'
#     memory_swappiness: 60
#     cpus: '1.5'
#     cpu_shares: 1024
#     cpu_period: 100000
#     cpu_quota: 150000
#     cpuset_cpus: '0-1'
#     cpuset_mems: '0'
#     blkio_weight: 500
#     blkio_weight_device:
#       '/dev/sda': 600
#     oom_kill_disable: false
#     oom_score_adj: 500
#     pids_limit: '1000'
#
#     # Device access
#     devices:
#       - '/dev/nvidia0:/dev/nvidia0:rwm'
#       - '/dev/sda:/dev/xvda:ro'
#     device_read_bps:
#       - '/dev/sda:1mb'
#     device_write_bps:
#       - '/dev/sda:1mb'
#     device_read_iops:
#       - '/dev/sda:1000'
#     device_write_iops:
#       - '/dev/sda:1000'
#     gpus: 'all'
#
#     # Security configuration (see note above - review before reuse)
#     security_opt:
#       - 'seccomp=unconfined'
#       - 'label=type:container_runtime_t'
#     cap_add:
#       - 'NET_ADMIN'
#       - 'SYS_TIME'
#     cap_drop:
#       - 'MKNOD'
#       - 'AUDIT_WRITE'
#     userns: 'host'
#     uidmap:
#       - '0:1000:1000'
#     gidmap:
#       - '0:1000:1000'
#     subuidname: 'myuser'
#     subgidname: 'myuser'
#     groups:
#       - 'docker'
#       - 'audio'
#
#     # Namespaces
#     ipc_mode: 'container:other-container'
#     pid_mode: 'host'
#     uts: 'host'
#     cgroupns: 'host'
#
#     # Cgroups
#     cgroups: 'enabled'
#     cgroup_parent: '/system.slice'
#     cgroup_conf:
#       'memory.swappiness': '10'
#
#     # System configuration
#     sysctl:
#       net.core.somaxconn: '1024'
#       kernel.shm_rmid_forced: '1'
#     systemd: 'true'
#     ulimits:
#       - 'nofile=65536:65536'
#       - 'nproc=4096:4096'
#     umask: '0027'
#
#     # Shared memory
#     shm_size: '128m'
#     shm_size_systemd: '64m'
#
#     # Pod integration
#     pod: 'app-pod'
#
#     # Logging
#     log_driver: 'journald'
#     log_options:
#       max_size: '10mb'
#       max_files: '3'
#       tag: 'app-server'
#     log_level: 'info'
#
#     # Health checks
#     healthcheck: 'curl -f http://localhost:8080/health || exit 1'
#     healthcheck_interval: '30s'
#     healthcheck_timeout: '10s'
#     healthcheck_start_period: '60s'
#     healthcheck_retries: 3
#     healthcheck_failure_action: 'restart'
#     no_healthcheck: false
#
#     # Startup health checks
#     health_startup_cmd: 'curl -f http://localhost:8080/ready || exit 1'
#     health_startup_interval: '5s'
#     health_startup_timeout: '3s'
#     health_startup_retries: 20
#     health_startup_success: 1
#
#     # Metadata
#     labels:
#       app: 'myapp'
#       version: '1.2.3'
#       environment: 'production'
#       maintainer: 'team@example.com'
#     annotations:
#       'org.opencontainers.image.source': 'https://github.com/example/myapp'
#
#     # Container lifecycle
#     restart_policy: 'on-failure:3'
#     restart_time: '10s'
#     stop_signal: 15
#     stop_time: '30s'
#     stop_timeout: 30
#     timeout: 0
#
#     # Image options
#     pull: 'missing'
#     image_strict: false
#     arch: 'amd64'
#     platform: 'linux/amd64'
#
#     # Advanced options
#     timezone: 'UTC'
#     requires:
#       - 'database-container'
#
#     # Systemd integration
#     generate_systemd:
#       path: '/etc/systemd/system'
#       restart_policy: 'always'
#       stop_timeout: 120
#       names: true
#       container_prefix: 'container'
#       new: false
#       no_header: false
#       wants:
#         - 'network-online.target'
#       after:
#         - 'network-online.target'
#       requires:
#         - 'postgresql.service'
#
#     # Control options
#     recreate: false
#     force_restart: false
#     debug: false
#
#   # Database container managed as a quadlet
#   - name: postgres
#     image: docker.io/postgres:15
#     state: quadlet
#     env:
#       POSTGRES_DB: myapp
#       POSTGRES_USER: appuser
#       POSTGRES_PASSWORD: secretpass  # placeholder - supply from a secret store, never commit real credentials
#     volumes:
#       - 'postgres-data:/var/lib/postgresql/data'
#     ports:
#       - '5432:5432'
#     networks:
#       - backend
#     memory: '4g'
#     cpu_shares: 2048
#     healthcheck: 'pg_isready -U appuser -d myapp'
#     healthcheck_interval: '10s'
#     healthcheck_timeout: '5s'
#     healthcheck_retries: 5
#     quadlet_dir: '/etc/containers/systemd'
#     quadlet_filename: 'postgres-db'
#     quadlet_file_mode: '0640'
#     quadlet_options:
#       - 'AutoUpdate=registry'
#       - 'Pull=newer'
#       - |
#         [Install]
#         WantedBy=default.target
#
#   # Privileged system container. privileged: true grants broad host access;
#   # the cap_drop / no-new-privileges settings only narrow what remains.
#   - name: monitoring-agent
#     image: quay.io/prometheus/node-exporter:latest
#     state: started
#     privileged: true
#     read_only: true
#     pid_mode: 'host'
#     networks:
#       - host
#     volumes:
#       - '/proc:/host/proc:ro'
#       - '/sys:/host/sys:ro'
#       - '/:/rootfs:ro'
#     command:
#       - '--path.procfs=/host/proc'
#       - '--path.sysfs=/host/sys'
#       - '--collector.filesystem.ignored-mount-points'
#     ports:
#       - '9100:9100'
#     restart_policy: 'always'
#     user: 'nobody'
#     cap_drop:
#       - 'ALL'
#     security_opt:
#       - 'no-new-privileges=true'

# ---------------------------------------------------------------------------
# Network management
# ---------------------------------------------------------------------------
podman_networks: []

# Example network configuration:
# podman_networks:
#   - name: app-network
#     driver: bridge
#     subnet: '10.89.0.0/24'
#     gateway: '10.89.0.1'
#     state: present
#
#   - name: frontend-network
#     driver: bridge
#     subnet: '172.20.0.0/16'
#     gateway: '172.20.0.1'
#     internal: true
#     disable_dns: false
#     dns:
#       - '8.8.8.8'
#       - '8.8.4.4'
#     options:
#       mtu: 1500
#       vlan: 100
#
#   - name: macvlan-network
#     driver: macvlan
#     macvlan: 'eth0'
#     subnet: '192.168.1.0/24'
#     gateway: '192.168.1.1'
#     ipam_driver: 'host-local'
#
#   - name: ipv6-network
#     driver: bridge
#     subnet: 'fd00::/64'
#     gateway: 'fd00::1'
#     ipv6: true
#     route:
#       - '10.10.0.0/16,192.168.1.1'

# ---------------------------------------------------------------------------
# Volume management
# ---------------------------------------------------------------------------
podman_volumes: []

# Example volume configuration:
# podman_volumes:
#   - name: app-data
#     state: present
#     driver: local
#
#   - name: database-volume
#     state: present
#     driver: local
#     labels:
#       environment: production
#       backup: daily
#     options:
#       - 'device=/dev/sdb1'
#       - 'type=ext4'
#       - 'o=rw'
#
#   - name: tmpfs-volume
#     state: present
#     driver: tmpfs
#     options:
#       - 'tmpfs-size=100m'
#       - 'tmpfs-mode=1777'
#
#   - name: quadlet-volume
#     state: quadlet
#     driver: local
#     quadlet_filename: 'custom-volume'
#     quadlet_file_mode: '0640'
#     quadlet_options:
#       - 'Group=192'
#       - 'Copy=true'
#     recreate: false
#     debug: false

# ---------------------------------------------------------------------------
# Pod management
# ---------------------------------------------------------------------------
podman_pods: []

# Example pod configuration:
# podman_pods:
#   - name: webapp-pod
#     state: started
#     ports:
#       - '8080:80'
#       - '3306:3306'
#     networks:
#       - frontend
#     hostname: webapp
#     dns:
#       - '8.8.8.8'
#       - '8.8.4.4'
#     labels:
#       app: webapp
#       tier: frontend
#     volumes:
#       - 'webapp-data:/data'
#     infra: true
#     infra_image: 'k8s.gcr.io/pause:3.1'
#
#   - name: database-pod
#     state: created
#     networks:
#       - backend
#     security_opt:
#       - 'seccomp=unconfined'
#     memory: '2g'
#     cpu_shares: '1024'
#     add_host:
#       - 'database.local:127.0.0.1'
#     share: 'net,ipc'
#     userns: 'auto'
#
#   - name: monitoring-pod
#     state: started
#     ports:
#       - '9090:9090'
#     device:
#       - '/dev/sda:/dev/xvda:rwm'
#     sysctl:
#       net.core.somaxconn: '1024'
#     shm_size: '128m'
#     exit_policy: 'stop'
#
#   - name: quadlet-pod
#     state: quadlet
#     ports:
#       - '4444:5555'
#     volumes:
#       # Mounting the engine socket hands the pod control of the host's
#       # container engine - illustrative only.
#       - '/var/run/docker.sock:/var/run/docker.sock'
#     quadlet_dir: '/etc/containers/systemd'
#     quadlet_filename: 'custom-pod'
#     quadlet_file_mode: '0640'
#     quadlet_options:
#       - 'AutoUpdate=registry'
#       - 'Pull=newer'
#     generate_systemd:
#       path: '/etc/systemd/system'
#       restart_policy: 'always'