daniel/ansible-podman
1
0
Fork 0
Code Pull Requests Activity
Files
714574fd7d5a057ad5c9efd6647f860de1dfdac6
ansible-podman/defaults/main.yml
Daniel Akulenok 714574fd7d Update functionality
2025-09-05 23:12:42 +02:00

642 lines
16 KiB
YAML
Raw Blame History

---
# defaults file for podman
# Package installation
podman_install_from_repo: true
podman_packages:
- podman
- crun
# Podman configuration
podman_configure_registries: true
podman_registries_conf_path: /etc/containers/registries.conf
# Additional registries not included in policy configuration
# Use this for registries that need special mirror or proxy configuration
podman_registries_additional: []
# Example:
# podman_registries_additional:
# - location: "internal-mirror.company.com"
# insecure: false
# blocked: false
# mirror:
# - location: "docker.io"
# insecure: false
# Storage configuration
podman_configure_storage: true
podman_storage_conf_path: /etc/containers/storage.conf
podman_storage_driver: overlay
podman_storage_runroot: /run/containers/storage
podman_storage_graphroot: /var/lib/containers/storage
# Policy configuration
podman_configure_policy: true
podman_policy_path: /etc/containers/policy.json
# Image signature policy settings
# Default policy type: "insecureAcceptAnything" for development, "reject" for production
podman_policy_default_type: "insecureAcceptAnything"
# Whether to reject images from unknown/unlisted registries
podman_policy_reject_unknown_registries: false
# Trusted registries configuration
# Each registry can have different trust levels and signature requirements
# Plus registries.conf configuration options
podman_policy_trusted_registries:
# Docker Hub official images (library namespace)
- registry: "docker.io/library"
type: "insecureAcceptAnything"
# Registry configuration
insecure: false
blocked: false
unqualified_search: false # Don't search library namespace for unqualified images
# Docker Hub (all namespaces) - use with caution in production
- registry: "docker.io"
type: "insecureAcceptAnything"
# Registry configuration
insecure: false
blocked: false
unqualified_search: true # Primary search registry
# Red Hat's official registry
- registry: "registry.redhat.io"
type: "insecureAcceptAnything"
# For production with signature verification:
# type: "signedBy"
# keyPath: "/etc/pki/containers/redhat.gpg"
# Registry configuration
insecure: false
blocked: false
unqualified_search: true
# Quay.io - Red Hat's container registry
- registry: "quay.io"
type: "insecureAcceptAnything"
# Registry configuration
insecure: false
blocked: false
unqualified_search: true
# Google Container Registry
- registry: "gcr.io"
type: "insecureAcceptAnything"
# Registry configuration
insecure: false
blocked: false
unqualified_search: true
# Microsoft Container Registry
- registry: "mcr.microsoft.com"
type: "insecureAcceptAnything"
# Registry configuration
insecure: false
blocked: false
unqualified_search: true
# Amazon ECR Public
- registry: "public.ecr.aws"
type: "insecureAcceptAnything"
# Registry configuration
insecure: false
blocked: false
unqualified_search: false # Not commonly used for unqualified searches
# GitHub Container Registry
- registry: "ghcr.io"
type: "insecureAcceptAnything"
# Registry configuration
insecure: false
blocked: false
unqualified_search: false # Not commonly used for unqualified searches
# GitLab Container Registry
- registry: "registry.gitlab.com"
type: "insecureAcceptAnything"
# Registry configuration
insecure: false
blocked: false
unqualified_search: false # Not commonly used for unqualified searches
# Example production configuration with signature verification:
# podman_policy_default_type: "reject"
# podman_policy_reject_unknown_registries: true
# podman_policy_trusted_registries:
# # Internal company registry with signature verification
# - registry: "internal-registry.company.com"
# type: "signedBy"
# keyPath: "/etc/pki/containers/company.gpg"
# # Registry configuration
# insecure: false
# blocked: false
# unqualified_search: true
# # Optional: mirror configuration
# mirror:
# - location: "backup-registry.company.com"
# insecure: false
#
# # Red Hat registry with signature verification
# - registry: "registry.redhat.io"
# type: "signedBy"
# keyPath: "/etc/pki/containers/redhat.gpg"
# # Registry configuration
# insecure: false
# blocked: false
# unqualified_search: true
#
# # Docker Hub official images only (more restrictive)
# - registry: "docker.io/library"
# type: "insecureAcceptAnything"
# # Registry configuration
# insecure: false
# blocked: false
# unqualified_search: false
#
# # Specific trusted namespaces
# - registry: "quay.io/company"
# type: "signedBy"
# keyPath: "/etc/pki/containers/company.gpg"
# # Registry configuration
# insecure: false
# blocked: false
# unqualified_search: false
# Service management
podman_enable_socket: false
podman_enable_api_service: false
# Container management
podman_containers: []
# Example container configurations:
# podman_containers:
# # Basic web server container
# - name: nginx
# image: docker.io/nginx:latest
# state: started
# ports:
# - "8080:80"
# volumes:
# - "/etc/nginx/conf.d:/etc/nginx/conf.d:ro"
# env:
# NGINX_HOST: example.com
# restart_policy: always
# user: nginx
# networks:
# - podman
# labels:
# app: webserver
# version: "1.0"
# working_dir: /app
#
# # Advanced container with comprehensive configuration
# - name: app-server
# image: registry.example.com/myapp:v1.2.3
# state: started
# # Basic runtime options
# command: ["/app/start.sh", "--config", "/etc/app/config.yaml"]
# entrypoint: "/entrypoint.sh"
# user: "1000:1000"
# working_dir: /app
# hostname: app-server
# detach: true
# interactive: false
# tty: false
# auto_remove: false
# privileged: false
# read_only: false
# read_only_tmpfs: true
# init: true
#
# # Networking configuration
# networks:
# - frontend
# - backend
# ports:
# - "8080:8080"
# - "127.0.0.1:8081:8081/tcp"
# publish_all: false
# expose:
# - "9000"
# ip: "10.88.0.100"
# mac_address: "02:42:ac:11:00:02"
# network_aliases:
# - app
# - api
# dns:
# - "8.8.8.8"
# - "1.1.1.1"
# dns_options: "ndots:2"
# dns_search:
# - "example.com"
# - "local"
# add_hosts:
# database: "192.168.1.100"
# cache: "192.168.1.101"
# no_hosts: false
#
# # Storage and volumes
# volumes:
# - "/data/app:/app/data:rw"
# - "app-config:/etc/app:ro"
# volumes_from:
# - data-container
# mounts:
# - "type=bind,source=/host/path,destination=/container/path,ro"
# tmpfs:
# /tmp: "rw,size=100m,mode=1777"
# /var/cache: "rw,size=50m"
#
# # Environment variables
# env:
# DATABASE_URL: "postgresql://user:pass@db:5432/myapp"
# REDIS_URL: "redis://cache:6379/0"
# LOG_LEVEL: "info"
# FEATURE_FLAGS: "new_ui,api_v2"
# env_files:
# - "/etc/app/.env"
# env_host: false
# env_merge:
# PATH: "/app/bin:$PATH"
# unsetenv:
# - "TEMP_VAR"
#
# # Resource constraints
# memory: "2g"
# memory_reservation: "1g"
# memory_swap: "4g"
# memory_swappiness: 60
# cpus: "1.5"
# cpu_shares: 1024
# cpu_period: 100000
# cpu_quota: 150000
# cpuset_cpus: "0-1"
# cpuset_mems: "0"
# blkio_weight: 500
# blkio_weight_device:
# "/dev/sda": 600
# oom_kill_disable: false
# oom_score_adj: 500
# pids_limit: "1000"
#
# # Device access
# devices:
# - "/dev/nvidia0:/dev/nvidia0:rwm"
# - "/dev/sda:/dev/xvda:ro"
# device_read_bps:
# - "/dev/sda:1mb"
# device_write_bps:
# - "/dev/sda:1mb"
# device_read_iops:
# - "/dev/sda:1000"
# device_write_iops:
# - "/dev/sda:1000"
# gpus: "all"
#
# # Security configuration
# security_opt:
# - "seccomp=unconfined"
# - "label=type:container_runtime_t"
# cap_add:
# - "NET_ADMIN"
# - "SYS_TIME"
# cap_drop:
# - "MKNOD"
# - "AUDIT_WRITE"
# userns: "host"
# uidmap:
# - "0:1000:1000"
# gidmap:
# - "0:1000:1000"
# subuidname: "myuser"
# subgidname: "myuser"
# groups:
# - "docker"
# - "audio"
#
# # Namespaces
# ipc_mode: "container:other-container"
# pid_mode: "host"
# uts: "host"
# cgroupns: "host"
#
# # Cgroups
# cgroups: "enabled"
# cgroup_parent: "/system.slice"
# cgroup_conf:
# "memory.swappiness": "10"
#
# # System configuration
# sysctl:
# net.core.somaxconn: "1024"
# kernel.shm_rmid_forced: "1"
# systemd: "true"
# ulimits:
# - "nofile=65536:65536"
# - "nproc=4096:4096"
# umask: "0027"
#
# # Shared memory
# shm_size: "128m"
# shm_size_systemd: "64m"
#
# # Pod integration
# pod: "app-pod"
#
# # Logging
# log_driver: "journald"
# log_options:
# max_size: "10mb"
# max_files: "3"
# tag: "app-server"
# log_level: "info"
#
# # Health checks
# healthcheck: "curl -f http://localhost:8080/health || exit 1"
# healthcheck_interval: "30s"
# healthcheck_timeout: "10s"
# healthcheck_start_period: "60s"
# healthcheck_retries: 3
# healthcheck_failure_action: "restart"
# no_healthcheck: false
#
# # Startup health checks
# health_startup_cmd: "curl -f http://localhost:8080/ready || exit 1"
# health_startup_interval: "5s"
# health_startup_timeout: "3s"
# health_startup_retries: 20
# health_startup_success: 1
#
# # Metadata
# labels:
# app: "myapp"
# version: "1.2.3"
# environment: "production"
# maintainer: "team@example.com"
# annotations:
# "org.opencontainers.image.source": "https://github.com/example/myapp"
#
# # Container lifecycle
# restart_policy: "on-failure:3"
# restart_time: "10s"
# stop_signal: 15
# stop_time: "30s"
# stop_timeout: 30
# timeout: 0
#
# # Image options
# pull: "missing"
# image_strict: false
# arch: "amd64"
# platform: "linux/amd64"
#
# # Advanced options
# timezone: "UTC"
# requires:
# - "database-container"
#
# # Systemd integration
# generate_systemd:
# path: "/etc/systemd/system"
# restart_policy: "always"
# stop_timeout: 120
# names: true
# container_prefix: "container"
# new: false
# no_header: false
# wants:
# - "network-online.target"
# after:
# - "network-online.target"
# requires:
# - "postgresql.service"
#
# # Control options
# recreate: false
# force_restart: false
# debug: false
#
# # Database container with quadlet
# - name: postgres
# image: docker.io/postgres:15
# state: quadlet
# env:
# POSTGRES_DB: myapp
# POSTGRES_USER: appuser
# POSTGRES_PASSWORD: secretpass
# volumes:
# - "postgres-data:/var/lib/postgresql/data"
# ports:
# - "5432:5432"
# networks:
# - backend
# memory: "4g"
# cpu_shares: 2048
# healthcheck: "pg_isready -U appuser -d myapp"
# healthcheck_interval: "10s"
# healthcheck_timeout: "5s"
# healthcheck_retries: 5
# quadlet_dir: "/etc/containers/systemd"
# quadlet_filename: "postgres-db"
# quadlet_file_mode: "0640"
# quadlet_options:
# - "AutoUpdate=registry"
# - "Pull=newer"
# - |
# [Install]
# WantedBy=default.target
#
# # Privileged system container
# - name: monitoring-agent
# image: quay.io/prometheus/node-exporter:latest
# state: started
# privileged: true
# read_only: true
# pid_mode: "host"
# networks:
# - host
# volumes:
# - "/proc:/host/proc:ro"
# - "/sys:/host/sys:ro"
# - "/:/rootfs:ro"
# command:
# - "--path.procfs=/host/proc"
# - "--path.sysfs=/host/sys"
# - "--collector.filesystem.ignored-mount-points"
# ports:
# - "9100:9100"
# restart_policy: "always"
# user: "nobody"
# cap_drop:
# - "ALL"
# security_opt:
# - "no-new-privileges=true"
# Network management
podman_networks: []
# Example network configuration:
# podman_networks:
# - name: app-network
# driver: bridge
# subnet: "10.89.0.0/24"
# gateway: "10.89.0.1"
# state: present
# - name: frontend-network
# driver: bridge
# subnet: "172.20.0.0/16"
# gateway: "172.20.0.1"
# internal: true
# disable_dns: false
# dns:
# - "8.8.8.8"
# - "8.8.4.4"
# options:
# mtu: 1500
# vlan: 100
# - name: macvlan-network
# driver: macvlan
# macvlan: "eth0"
# subnet: "192.168.1.0/24"
# gateway: "192.168.1.1"
# ipam_driver: "host-local"
# - name: ipv6-network
# driver: bridge
# subnet: "fd00::/64"
# gateway: "fd00::1"
# ipv6: true
# route:
# - "10.10.0.0/16,192.168.1.1"
# Volume management
podman_volumes: []
# Example volume configuration:
# podman_volumes:
# - name: app-data
# state: present
# driver: local
# - name: database-volume
# state: present
# driver: local
# labels:
# environment: production
# backup: daily
# options:
# - "device=/dev/sdb1"
# - "type=ext4"
# - "o=rw"
# - name: tmpfs-volume
# state: present
# driver: tmpfs
# options:
# - "tmpfs-size=100m"
# - "tmpfs-mode=1777"
# - name: quadlet-volume
# state: quadlet
# driver: local
# quadlet_filename: "custom-volume"
# quadlet_file_mode: "0640"
# quadlet_options:
# - "Group=192"
# - "Copy=true"
# recreate: false
# debug: false
# Pod management
podman_pods: []
# Example pod configuration:
# podman_pods:
# - name: webapp-pod
# state: started
# ports:
# - "8080:80"
# - "3306:3306"
# networks:
# - frontend
# hostname: webapp
# dns:
# - "8.8.8.8"
# - "8.8.4.4"
# labels:
# app: webapp
# tier: frontend
# volumes:
# - "webapp-data:/data"
# infra: true
# infra_image: "k8s.gcr.io/pause:3.1"
# - name: database-pod
# state: created
# networks:
# - backend
# security_opt:
# - "seccomp=unconfined"
# memory: "2g"
# cpu_shares: "1024"
# add_host:
# - "database.local:127.0.0.1"
# share: "net,ipc"
# userns: "auto"
# - name: monitoring-pod
# state: started
# ports:
# - "9090:9090"
# device:
# - "/dev/sda:/dev/xvda:rwm"
# sysctl:
# net.core.somaxconn: "1024"
# shm_size: "128m"
# exit_policy: "stop"
# - name: quadlet-pod
# state: quadlet
# ports:
# - "4444:5555"
# volumes:
# - "/var/run/docker.sock:/var/run/docker.sock"
# quadlet_dir: "/etc/containers/systemd"
# quadlet_filename: "custom-pod"
# quadlet_file_mode: "0640"
# quadlet_options:
# - "AutoUpdate=registry"
# - "Pull=newer"
# generate_systemd:
# path: "/etc/systemd/system"
# restart_policy: "always"
# stop_timeout: 120
# names: true
# container_prefix: "container"
# new: false
# no_header: false
# wants:
# - "network-online.target"
# after:
# - "network-online.target"
# requires:
# - "postgresql.service"
# Systemd service generation configuration
podman_generate_systemd: true
podman_systemd_dir: /etc/systemd/system
podman_systemd_options:
new: true
force: true
restart_policy: unless-stopped
time: 120
no_header: false
separator: ""
wants: []
after: []
requires: []
container_prefix: ""
pod_prefix: ""
restart_sec: 30
### Prune Configuration
podman_prune_enabled: true
podman_prune_options:
container: true # Remove stopped containers
image: true # Remove unused images
network: true # Remove unused networks
system: true # Prune all unused data
system_all: true # Prune all unused data including build cache
volume: true # Remove unused volumes
View Git Blame Copy Permalink