604 lines
15 KiB
YAML
604 lines
15 KiB
YAML
---
|
|
# defaults file for podman
|
|
|
|
# Package installation
|
|
podman_install_from_repo: true
|
|
podman_packages:
|
|
- podman
|
|
- crun
|
|
|
|
# Podman configuration
|
|
podman_configure_registries: true
|
|
podman_registries_conf_path: /etc/containers/registries.conf
|
|
|
|
# Additional registries not included in policy configuration
|
|
# Use this for registries that need special mirror or proxy configuration
|
|
podman_registries_additional: []
|
|
# Example:
|
|
# podman_registries_additional:
|
|
# - location: "internal-mirror.company.com"
|
|
# insecure: false
|
|
# blocked: false
|
|
# mirror:
|
|
# - location: "docker.io"
|
|
# insecure: false
|
|
|
|
# Storage configuration
|
|
podman_configure_storage: true
|
|
podman_storage_conf_path: /etc/containers/storage.conf
|
|
podman_storage_driver: overlay
|
|
podman_storage_runroot: /run/containers/storage
|
|
podman_storage_graphroot: /var/lib/containers/storage
|
|
|
|
# Policy configuration
|
|
podman_configure_policy: true
|
|
podman_policy_path: /etc/containers/policy.json
|
|
|
|
# Image signature policy settings
|
|
# Default policy type: "insecureAcceptAnything" for development, "reject" for production
|
|
podman_policy_default_type: "insecureAcceptAnything"
|
|
|
|
# Whether to reject images from unknown/unlisted registries
|
|
podman_policy_reject_unknown_registries: false
|
|
|
|
# Trusted registries configuration
|
|
# Each registry can have different trust levels and signature requirements
|
|
# Plus registries.conf configuration options
|
|
podman_policy_trusted_registries:
|
|
# Docker Hub official images (library namespace)
|
|
- registry: "docker.io/library"
|
|
type: "insecureAcceptAnything"
|
|
# Registry configuration
|
|
insecure: false
|
|
blocked: false
|
|
unqualified_search: false # Don't search library namespace for unqualified images
|
|
|
|
# Docker Hub (all namespaces) - use with caution in production
|
|
- registry: "docker.io"
|
|
type: "insecureAcceptAnything"
|
|
# Registry configuration
|
|
insecure: false
|
|
blocked: false
|
|
unqualified_search: true # Primary search registry
|
|
|
|
# Red Hat's official registry
|
|
- registry: "registry.redhat.io"
|
|
type: "insecureAcceptAnything"
|
|
# For production with signature verification:
|
|
# type: "signedBy"
|
|
# keyPath: "/etc/pki/containers/redhat.gpg"
|
|
# Registry configuration
|
|
insecure: false
|
|
blocked: false
|
|
unqualified_search: true
|
|
|
|
# Quay.io - Red Hat's container registry
|
|
- registry: "quay.io"
|
|
type: "insecureAcceptAnything"
|
|
# Registry configuration
|
|
insecure: false
|
|
blocked: false
|
|
unqualified_search: true
|
|
|
|
# Google Container Registry
|
|
- registry: "gcr.io"
|
|
type: "insecureAcceptAnything"
|
|
# Registry configuration
|
|
insecure: false
|
|
blocked: false
|
|
unqualified_search: true
|
|
|
|
# Microsoft Container Registry
|
|
- registry: "mcr.microsoft.com"
|
|
type: "insecureAcceptAnything"
|
|
# Registry configuration
|
|
insecure: false
|
|
blocked: false
|
|
unqualified_search: true
|
|
|
|
# Amazon ECR Public
|
|
- registry: "public.ecr.aws"
|
|
type: "insecureAcceptAnything"
|
|
# Registry configuration
|
|
insecure: false
|
|
blocked: false
|
|
unqualified_search: false # Not commonly used for unqualified searches
|
|
|
|
# GitHub Container Registry
|
|
- registry: "ghcr.io"
|
|
type: "insecureAcceptAnything"
|
|
# Registry configuration
|
|
insecure: false
|
|
blocked: false
|
|
unqualified_search: false # Not commonly used for unqualified searches
|
|
|
|
# GitLab Container Registry
|
|
- registry: "registry.gitlab.com"
|
|
type: "insecureAcceptAnything"
|
|
# Registry configuration
|
|
insecure: false
|
|
blocked: false
|
|
unqualified_search: false # Not commonly used for unqualified searches
|
|
|
|
# Example production configuration with signature verification:
|
|
# podman_policy_default_type: "reject"
|
|
# podman_policy_reject_unknown_registries: true
|
|
# podman_policy_trusted_registries:
|
|
# # Internal company registry with signature verification
|
|
# - registry: "internal-registry.company.com"
|
|
# type: "signedBy"
|
|
# keyPath: "/etc/pki/containers/company.gpg"
|
|
# # Registry configuration
|
|
# insecure: false
|
|
# blocked: false
|
|
# unqualified_search: true
|
|
# # Optional: mirror configuration
|
|
# mirror:
|
|
# - location: "backup-registry.company.com"
|
|
# insecure: false
|
|
#
|
|
# # Red Hat registry with signature verification
|
|
# - registry: "registry.redhat.io"
|
|
# type: "signedBy"
|
|
# keyPath: "/etc/pki/containers/redhat.gpg"
|
|
# # Registry configuration
|
|
# insecure: false
|
|
# blocked: false
|
|
# unqualified_search: true
|
|
#
|
|
# # Docker Hub official images only (more restrictive)
|
|
# - registry: "docker.io/library"
|
|
# type: "insecureAcceptAnything"
|
|
# # Registry configuration
|
|
# insecure: false
|
|
# blocked: false
|
|
# unqualified_search: false
|
|
#
|
|
# # Specific trusted namespaces
|
|
# - registry: "quay.io/company"
|
|
# type: "signedBy"
|
|
# keyPath: "/etc/pki/containers/company.gpg"
|
|
# # Registry configuration
|
|
# insecure: false
|
|
# blocked: false
|
|
# unqualified_search: false
|
|
|
|
# Service management
|
|
podman_enable_socket: false
|
|
podman_enable_api_service: false
|
|
|
|
# Container management
|
|
podman_containers: []
|
|
# Example container configurations:
|
|
# podman_containers:
|
|
# # Basic web server container
|
|
# - name: nginx
|
|
# image: docker.io/nginx:latest
|
|
# state: started
|
|
# ports:
|
|
# - "8080:80"
|
|
# volumes:
|
|
# - "/etc/nginx/conf.d:/etc/nginx/conf.d:ro"
|
|
# env:
|
|
# NGINX_HOST: example.com
|
|
# restart_policy: always
|
|
# user: nginx
|
|
# networks:
|
|
# - podman
|
|
# labels:
|
|
# app: webserver
|
|
# version: "1.0"
|
|
# working_dir: /app
|
|
#
|
|
# # Advanced container with comprehensive configuration
|
|
# - name: app-server
|
|
# image: registry.example.com/myapp:v1.2.3
|
|
# state: started
|
|
# # Basic runtime options
|
|
# command: ["/app/start.sh", "--config", "/etc/app/config.yaml"]
|
|
# entrypoint: "/entrypoint.sh"
|
|
# user: "1000:1000"
|
|
# working_dir: /app
|
|
# hostname: app-server
|
|
# detach: true
|
|
# interactive: false
|
|
# tty: false
|
|
# auto_remove: false
|
|
# privileged: false
|
|
# read_only: false
|
|
# read_only_tmpfs: true
|
|
# init: true
|
|
#
|
|
# # Networking configuration
|
|
# networks:
|
|
# - frontend
|
|
# - backend
|
|
# ports:
|
|
# - "8080:8080"
|
|
# - "127.0.0.1:8081:8081/tcp"
|
|
# publish_all: false
|
|
# expose:
|
|
# - "9000"
|
|
# ip: "10.88.0.100"
|
|
# mac_address: "02:42:ac:11:00:02"
|
|
# network_aliases:
|
|
# - app
|
|
# - api
|
|
# dns:
|
|
# - "8.8.8.8"
|
|
# - "1.1.1.1"
|
|
# dns_options: "ndots:2"
|
|
# dns_search:
|
|
# - "example.com"
|
|
# - "local"
|
|
# add_hosts:
|
|
# database: "192.168.1.100"
|
|
# cache: "192.168.1.101"
|
|
# no_hosts: false
|
|
#
|
|
# # Storage and volumes
|
|
# volumes:
|
|
# - "/data/app:/app/data:rw"
|
|
# - "app-config:/etc/app:ro"
|
|
# volumes_from:
|
|
# - data-container
|
|
# mounts:
|
|
# - "type=bind,source=/host/path,destination=/container/path,ro"
|
|
# tmpfs:
|
|
# /tmp: "rw,size=100m,mode=1777"
|
|
# /var/cache: "rw,size=50m"
|
|
#
|
|
# # Environment variables
|
|
# env:
|
|
# DATABASE_URL: "postgresql://user:pass@db:5432/myapp"
|
|
# REDIS_URL: "redis://cache:6379/0"
|
|
# LOG_LEVEL: "info"
|
|
# FEATURE_FLAGS: "new_ui,api_v2"
|
|
# env_files:
|
|
# - "/etc/app/.env"
|
|
# env_host: false
|
|
# env_merge:
|
|
# PATH: "/app/bin:$PATH"
|
|
# unsetenv:
|
|
# - "TEMP_VAR"
|
|
#
|
|
# # Resource constraints
|
|
# memory: "2g"
|
|
# memory_reservation: "1g"
|
|
# memory_swap: "4g"
|
|
# memory_swappiness: 60
|
|
# cpus: "1.5"
|
|
# cpu_shares: 1024
|
|
# cpu_period: 100000
|
|
# cpu_quota: 150000
|
|
# cpuset_cpus: "0-1"
|
|
# cpuset_mems: "0"
|
|
# blkio_weight: 500
|
|
# blkio_weight_device:
|
|
# "/dev/sda": 600
|
|
# oom_kill_disable: false
|
|
# oom_score_adj: 500
|
|
# pids_limit: "1000"
|
|
#
|
|
# # Device access
|
|
# devices:
|
|
# - "/dev/nvidia0:/dev/nvidia0:rwm"
|
|
# - "/dev/sda:/dev/xvda:ro"
|
|
# device_read_bps:
|
|
# - "/dev/sda:1mb"
|
|
# device_write_bps:
|
|
# - "/dev/sda:1mb"
|
|
# device_read_iops:
|
|
# - "/dev/sda:1000"
|
|
# device_write_iops:
|
|
# - "/dev/sda:1000"
|
|
# gpus: "all"
|
|
#
|
|
# # Security configuration
|
|
# security_opt:
|
|
# - "seccomp=unconfined"
|
|
# - "label=type:container_runtime_t"
|
|
# cap_add:
|
|
# - "NET_ADMIN"
|
|
# - "SYS_TIME"
|
|
# cap_drop:
|
|
# - "MKNOD"
|
|
# - "AUDIT_WRITE"
|
|
# userns: "host"
|
|
# uidmap:
|
|
# - "0:1000:1000"
|
|
# gidmap:
|
|
# - "0:1000:1000"
|
|
# subuidname: "myuser"
|
|
# subgidname: "myuser"
|
|
# groups:
|
|
# - "docker"
|
|
# - "audio"
|
|
#
|
|
# # Namespaces
|
|
# ipc_mode: "container:other-container"
|
|
# pid_mode: "host"
|
|
# uts: "host"
|
|
# cgroupns: "host"
|
|
#
|
|
# # Cgroups
|
|
# cgroups: "enabled"
|
|
# cgroup_parent: "/system.slice"
|
|
# cgroup_conf:
|
|
# "memory.swappiness": "10"
|
|
#
|
|
# # System configuration
|
|
# sysctl:
|
|
# net.core.somaxconn: "1024"
|
|
# kernel.shm_rmid_forced: "1"
|
|
# systemd: "true"
|
|
# ulimits:
|
|
# - "nofile=65536:65536"
|
|
# - "nproc=4096:4096"
|
|
# umask: "0027"
|
|
#
|
|
# # Shared memory
|
|
# shm_size: "128m"
|
|
# shm_size_systemd: "64m"
|
|
#
|
|
# # Pod integration
|
|
# pod: "app-pod"
|
|
#
|
|
# # Logging
|
|
# log_driver: "journald"
|
|
# log_options:
|
|
# max_size: "10mb"
|
|
# max_files: "3"
|
|
# tag: "app-server"
|
|
# log_level: "info"
|
|
#
|
|
# # Health checks
|
|
# healthcheck: "curl -f http://localhost:8080/health || exit 1"
|
|
# healthcheck_interval: "30s"
|
|
# healthcheck_timeout: "10s"
|
|
# healthcheck_start_period: "60s"
|
|
# healthcheck_retries: 3
|
|
# healthcheck_failure_action: "restart"
|
|
# no_healthcheck: false
|
|
#
|
|
# # Startup health checks
|
|
# health_startup_cmd: "curl -f http://localhost:8080/ready || exit 1"
|
|
# health_startup_interval: "5s"
|
|
# health_startup_timeout: "3s"
|
|
# health_startup_retries: 20
|
|
# health_startup_success: 1
|
|
#
|
|
# # Metadata
|
|
# labels:
|
|
# app: "myapp"
|
|
# version: "1.2.3"
|
|
# environment: "production"
|
|
# maintainer: "team@example.com"
|
|
# annotations:
|
|
# "org.opencontainers.image.source": "https://github.com/example/myapp"
|
|
#
|
|
# # Container lifecycle
|
|
# restart_policy: "on-failure:3"
|
|
# restart_time: "10s"
|
|
# stop_signal: 15
|
|
# stop_time: "30s"
|
|
# stop_timeout: 30
|
|
# timeout: 0
|
|
#
|
|
# # Image options
|
|
# pull: "missing"
|
|
# image_strict: false
|
|
# arch: "amd64"
|
|
# platform: "linux/amd64"
|
|
#
|
|
# # Advanced options
|
|
# timezone: "UTC"
|
|
# requires:
|
|
# - "database-container"
|
|
#
|
|
# # Systemd integration
|
|
# generate_systemd:
|
|
# path: "/etc/systemd/system"
|
|
# restart_policy: "always"
|
|
# stop_timeout: 120
|
|
# names: true
|
|
# container_prefix: "container"
|
|
# new: false
|
|
# no_header: false
|
|
# wants:
|
|
# - "network-online.target"
|
|
# after:
|
|
# - "network-online.target"
|
|
# requires:
|
|
# - "postgresql.service"
|
|
#
|
|
# # Control options
|
|
# recreate: false
|
|
# force_restart: false
|
|
# debug: false
|
|
#
|
|
# # Database container with quadlet
|
|
# - name: postgres
|
|
# image: docker.io/postgres:15
|
|
# state: quadlet
|
|
# env:
|
|
# POSTGRES_DB: myapp
|
|
# POSTGRES_USER: appuser
|
|
# POSTGRES_PASSWORD: secretpass
|
|
# volumes:
|
|
# - "postgres-data:/var/lib/postgresql/data"
|
|
# ports:
|
|
# - "5432:5432"
|
|
# networks:
|
|
# - backend
|
|
# memory: "4g"
|
|
# cpu_shares: 2048
|
|
# healthcheck: "pg_isready -U appuser -d myapp"
|
|
# healthcheck_interval: "10s"
|
|
# healthcheck_timeout: "5s"
|
|
# healthcheck_retries: 5
|
|
# quadlet_dir: "/etc/containers/systemd"
|
|
# quadlet_filename: "postgres-db"
|
|
# quadlet_file_mode: "0640"
|
|
# quadlet_options:
|
|
# - "AutoUpdate=registry"
|
|
# - "Pull=newer"
|
|
# - |
|
|
# [Install]
|
|
# WantedBy=default.target
|
|
#
|
|
# # Privileged system container
|
|
# - name: monitoring-agent
|
|
# image: quay.io/prometheus/node-exporter:latest
|
|
# state: started
|
|
# privileged: true
|
|
# read_only: true
|
|
# pid_mode: "host"
|
|
# networks:
|
|
# - host
|
|
# volumes:
|
|
# - "/proc:/host/proc:ro"
|
|
# - "/sys:/host/sys:ro"
|
|
# - "/:/rootfs:ro"
|
|
# command:
|
|
# - "--path.procfs=/host/proc"
|
|
# - "--path.sysfs=/host/sys"
|
|
# - "--collector.filesystem.ignored-mount-points"
|
|
# ports:
|
|
# - "9100:9100"
|
|
# restart_policy: "always"
|
|
# user: "nobody"
|
|
# cap_drop:
|
|
# - "ALL"
|
|
# security_opt:
|
|
# - "no-new-privileges=true"
|
|
|
|
# Network management
|
|
podman_networks: []
|
|
# Example network configuration:
|
|
# podman_networks:
|
|
# - name: app-network
|
|
# driver: bridge
|
|
# subnet: "10.89.0.0/24"
|
|
# gateway: "10.89.0.1"
|
|
# state: present
|
|
# - name: frontend-network
|
|
# driver: bridge
|
|
# subnet: "172.20.0.0/16"
|
|
# gateway: "172.20.0.1"
|
|
# internal: true
|
|
# disable_dns: false
|
|
# dns:
|
|
# - "8.8.8.8"
|
|
# - "8.8.4.4"
|
|
# options:
|
|
# mtu: 1500
|
|
# vlan: 100
|
|
# - name: macvlan-network
|
|
# driver: macvlan
|
|
# macvlan: "eth0"
|
|
# subnet: "192.168.1.0/24"
|
|
# gateway: "192.168.1.1"
|
|
# ipam_driver: "host-local"
|
|
# - name: ipv6-network
|
|
# driver: bridge
|
|
# subnet: "fd00::/64"
|
|
# gateway: "fd00::1"
|
|
# ipv6: true
|
|
# route:
|
|
# - "10.10.0.0/16,192.168.1.1"
|
|
|
|
# Volume management
|
|
podman_volumes: []
|
|
# Example volume configuration:
|
|
# podman_volumes:
|
|
# - name: app-data
|
|
# state: present
|
|
# driver: local
|
|
# - name: database-volume
|
|
# state: present
|
|
# driver: local
|
|
# labels:
|
|
# environment: production
|
|
# backup: daily
|
|
# options:
|
|
# - "device=/dev/sdb1"
|
|
# - "type=ext4"
|
|
# - "o=rw"
|
|
# - name: tmpfs-volume
|
|
# state: present
|
|
# driver: tmpfs
|
|
# options:
|
|
# - "tmpfs-size=100m"
|
|
# - "tmpfs-mode=1777"
|
|
# - name: quadlet-volume
|
|
# state: quadlet
|
|
# driver: local
|
|
# quadlet_filename: "custom-volume"
|
|
# quadlet_file_mode: "0640"
|
|
# quadlet_options:
|
|
# - "Group=192"
|
|
# - "Copy=true"
|
|
# recreate: false
|
|
# debug: false
|
|
|
|
# Pod management
|
|
podman_pods: []
|
|
# Example pod configuration:
|
|
# podman_pods:
|
|
# - name: webapp-pod
|
|
# state: started
|
|
# ports:
|
|
# - "8080:80"
|
|
# - "3306:3306"
|
|
# networks:
|
|
# - frontend
|
|
# hostname: webapp
|
|
# dns:
|
|
# - "8.8.8.8"
|
|
# - "8.8.4.4"
|
|
# labels:
|
|
# app: webapp
|
|
# tier: frontend
|
|
# volumes:
|
|
# - "webapp-data:/data"
|
|
# infra: true
|
|
# infra_image: "k8s.gcr.io/pause:3.1"
|
|
# - name: database-pod
|
|
# state: created
|
|
# networks:
|
|
# - backend
|
|
# security_opt:
|
|
# - "seccomp=unconfined"
|
|
# memory: "2g"
|
|
# cpu_shares: "1024"
|
|
# add_host:
|
|
# - "database.local:127.0.0.1"
|
|
# share: "net,ipc"
|
|
# userns: "auto"
|
|
# - name: monitoring-pod
|
|
# state: started
|
|
# ports:
|
|
# - "9090:9090"
|
|
# device:
|
|
# - "/dev/sda:/dev/xvda:rwm"
|
|
# sysctl:
|
|
# net.core.somaxconn: "1024"
|
|
# shm_size: "128m"
|
|
# exit_policy: "stop"
|
|
# - name: quadlet-pod
|
|
# state: quadlet
|
|
# ports:
|
|
# - "4444:5555"
|
|
# volumes:
|
|
# - "/var/run/docker.sock:/var/run/docker.sock"
|
|
# quadlet_dir: "/etc/containers/systemd"
|
|
# quadlet_filename: "custom-pod"
|
|
# quadlet_file_mode: "0640"
|
|
# quadlet_options:
|
|
# - "AutoUpdate=registry"
|
|
# - "Pull=newer"
|
|
# generate_systemd:
|
|
# path: "/etc/systemd/system"
|
|
# restart_policy: "always"
|