Module - podman_container

This module provides for the following ansible plugin:

  • podman_container

Module Documentation

Start, stop, restart and manage Podman containers

Options

name

Name of the container

executable

Path to C(podman) executable if it is not in the C($PATH) on the machine running C(podman)

state

I(absent) - A container matching the specified name will be stopped and removed.

I(present) - Asserts the existence of a container matching the name and any provided configuration parameters. If no container matches the name, a container will be created. If a container matches the name but the provided configuration does not match, the container will be updated, if it can be. If it cannot be updated, it will be removed and re-created with the requested config. Image version will be taken into account when comparing configuration. Use the recreate option to force the re-creation of the matching container.

I(started) - Asserts there is a running container matching the name and any provided configuration. If no container matches the name, a container will be created and started. Use recreate to always re-create a matching container, even if it is running. Use force_restart to force a matching container to be stopped and restarted.

I(stopped) - Asserts that the container is first I(present), and then if the container is running moves it to a stopped state.

I(created) - Asserts that the container exists with given configuration. If container doesn't exist, the module creates it and leaves it in 'created' state. If configuration doesn't match or 'recreate' option is set, the container will be recreated

image

Repository path (or image name) and tag used to create the container. If an image is not found, the image will be pulled from the registry. If no tag is included, C(latest) will be used.

Can also be an image ID. If this is the case, the image is assumed to be available locally.

annotation

Add an annotation to the container. The format is key value, multiple times.

authfile

Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json (Not available for remote commands) You can also override the default path of the authentication file by setting the REGISTRY_AUTH_FILE environment variable. export REGISTRY_AUTH_FILE=path

blkio_weight

Block IO weight (relative weight) accepts a weight value between 10 and 1000

blkio_weight_device

Block IO weight (relative device weight, format DEVICE_NAME[:]WEIGHT).

cap_add

List of capabilities to add to the container.

cap_drop

List of capabilities to drop from the container.

cgroup_parent

Path to cgroups under which the cgroup for the container will be created. If the path is not absolute, the path is considered to be relative to the cgroups path of the init process. Cgroups will be created if they do not already exist.

cgroupns

Path to cgroups under which the cgroup for the container will be created.

cgroups

Determines whether the container will create CGroups. Valid values are enabled and disabled, which the default being enabled. The disabled option will force the container to not create CGroups, and thus conflicts with CGroup options cgroupns and cgroup-parent.

cidfile

Write the container ID to the file

cmd_args

Any additional command options you want to pass to podman command, cmd_args - ['--other-param', 'value'] Be aware module doesn't support idempotency if this is set.

conmon_pidfile

Write the pid of the conmon process to a file. conmon runs in a separate process than Podman, so this is necessary when using systemd to restart Podman containers.

command

Override command of container. Can be a string or a list.

cpu_period

Limit the CPU real-time period in microseconds

cpu_rt_period

Limit the CPU real-time period in microseconds. Limit the container's Real Time CPU usage. This flag tell the kernel to restrict the container's Real Time CPU usage to the period you specify.

cpu_rt_runtime

Limit the CPU real-time runtime in microseconds. This flag tells the kernel to limit the amount of time in a given CPU period Real Time tasks may consume.

cpu_shares

CPU shares (relative weight)

cpus

Number of CPUs. The default is 0.0 which means no limit.

cpuset_cpus

CPUs in which to allow execution (0-3, 0,1)

cpuset_mems

Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems.

detach

Run container in detach mode

debug

Return additional information which can be helpful for investigations.

detach_keys

Override the key sequence for detaching a container. Format is a single character or ctrl-value

device

Add a host device to the container. The format is <device-on-host>[:<device-on-container>][:<permissions>] (e.g. device /dev/sdc:/dev/xvdc:rwm)

device_read_bps

Limit read rate (bytes per second) from a device (e.g. device-read-bps /dev/sda:1mb)

device_read_iops

Limit read rate (IO per second) from a device (e.g. device-read-iops /dev/sda:1000)

device_write_bps

Limit write rate (bytes per second) to a device (e.g. device-write-bps /dev/sda:1mb)

device_write_iops

Limit write rate (IO per second) to a device (e.g. device-write-iops /dev/sda:1000)

dns

Set custom DNS servers

dns_option

Set custom DNS options

dns_search

Set custom DNS search domains (Use dns_search with '' if you don't wish to set the search domain)

entrypoint

Overwrite the default ENTRYPOINT of the image

env

Set environment variables. This option allows you to specify arbitrary environment variables that are available for the process that will be launched inside of the container.

env_file

Read in a line delimited file of environment variables. Doesn't support idempotency. If users changes the file with environment variables it's on them to recreate the container.

env_host

Use all current host environment variables in container. Defaults to false.

etc_hosts

Dict of host-to-IP mappings, where each host name is a key in the dictionary. Each host name will be added to the container's /etc/hosts file.

expose

Expose a port, or a range of ports (e.g. expose "3300-3310") to set up port redirection on the host system.

force_restart

Force restart of container.

gidmap

Run the container in a new user namespace using the supplied mapping.

group_add

Add additional groups to run as

healthcheck

Set or alter a healthcheck command for a container.

healthcheck_interval

Set an interval for the healthchecks (a value of disable results in no automatic timer setup) (default "30s")

healthcheck_retries

The number of retries allowed before a healthcheck is considered to be unhealthy. The default value is 3.

healthcheck_start_period

The initialization time needed for a container to bootstrap. The value can be expressed in time format like 2m3s. The default value is 0s

healthcheck_timeout

The maximum time allowed to complete the healthcheck before an interval is considered failed. Like start-period, the value can be expressed in a time format such as 1m22s. The default value is 30s

hostname

Container host name. Sets the container host name that is available inside the container.

http_proxy

By default proxy environment variables are passed into the container if set for the podman process. This can be disabled by setting the http_proxy option to false. The environment variables passed in include http_proxy, https_proxy, ftp_proxy, no_proxy, and also the upper case versions of those. Defaults to true

image_volume

Tells podman how to handle the builtin image volumes. The options are bind, tmpfs, or ignore (default bind)

image_strict

Whether to compare images in idempotency by taking into account a full name with registry and namespaces.

init

Run an init inside the container that forwards signals and reaps processes. The default is false.

init_path

Path to the container-init binary.

interactive

Keep STDIN open even if not attached. The default is false. When set to true, keep stdin open even if not attached. The default is false.

ip

Specify a static IP address for the container, for example '10.88.64.128'. Can only be used if no additional CNI networks to join were specified via 'network:', and if the container is not joining another container's network namespace via 'network container:<name|id>'. The address must be within the default CNI network's pool (default 10.88.0.0/16).

ipc

Default is to create a private IPC namespace (POSIX SysV IPC) for the container

kernel_memory

Kernel memory limit (format <number>[<unit>], where unit = b, k, m or g) Note - idempotency is supported for integers only.

label

Add metadata to a container, pass dictionary of label names and values

label_file

Read in a line delimited file of labels

log_driver

Logging driver. Used to set the log driver for the container. For example log_driver "k8s-file".

log_level

Logging level for Podman. Log messages above specified level ("debug"|"info"|"warn"|"error"|"fatal"|"panic") (default "error")

log_opt

Logging driver specific options. Used to set the path to the container log file.

mac_address

Specify a MAC address for the container, for example '92:d0:c6:0a:29:33'. Don't forget that it must be unique within one Ethernet network.

memory

Memory limit (format 10k, where unit = b, k, m or g) Note - idempotency is supported for integers only.

memory_reservation

Memory soft limit (format 100m, where unit = b, k, m or g) Note - idempotency is supported for integers only.

memory_swap

A limit value equal to memory plus swap. Must be used with the -m (--memory) flag. The swap LIMIT should always be larger than -m (--memory) value. By default, the swap LIMIT will be set to double the value of --memory Note - idempotency is supported for integers only.

memory_swappiness

Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.

mount

Attach a filesystem mount to the container. bind or tmpfs For example mount "type=bind,source=/path/on/host,destination=/path/in/container"

network

Set the Network mode for the container * bridge create a network stack on the default bridge * none no networking * container:<name|id> reuse another container's network stack * host use the podman host network stack. * <network-name>|<network-id> connect to a user-defined network * ns:<path> path to a network namespace to join * slirp4netns use slirp4netns to create a user network stack. This is the default for rootless containers

no_hosts

Do not create /etc/hosts for the container Default is false.

oom_kill_disable

Whether to disable OOM Killer for the container or not. Default is false.

oom_score_adj

Tune the host's OOM preferences for containers (accepts -1000 to 1000)

pid

Set the PID mode for the container

pids_limit

Tune the container's PIDs limit. Set -1 to have unlimited PIDs for the container.

pod

Run container in an existing pod. If you want podman to make the pod for you, preference the pod name with "new:"

privileged

Give extended privileges to this container. The default is false.

publish

Publish a container's port, or range of ports, to the host. Format - ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort In case of only containerPort is set, the hostPort will chosen randomly by Podman.

publish_all

Publish all exposed ports to random ports on the host interfaces. The default is false.

read_only

Mount the container's root filesystem as read only. Default is false

read_only_tmpfs

If container is running in --read-only mode, then mount a read-write tmpfs on /run, /tmp, and /var/tmp. The default is true

recreate

Use with present and started states to force the re-creation of an existing container.

restart_policy

Restart policy to follow when containers exit. Restart policy will not take effect if a container is stopped via the podman kill or podman stop commands. Valid values are * no - Do not restart containers on exit * on-failure[:max_retries] - Restart containers when they exit with a non-0 exit code, retrying indefinitely or until the optional max_retries count is hit * always - Restart containers when they exit, regardless of status, retrying indefinitely

rm

Automatically remove the container when it exits. The default is false.

rootfs

If true, the first argument refers to an exploded container on the file system. The default is false.

security_opt

Security Options. For example security_opt "seccomp=unconfined"

shm_size

Size of /dev/shm. The format is <number><unit>. number must be greater than 0. Unit is optional and can be b (bytes), k (kilobytes), m(megabytes), or g (gigabytes). If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses 64m

sig_proxy

Proxy signals sent to the podman run command to the container process. SIGCHLD, SIGSTOP, and SIGKILL are not proxied. The default is true.

stop_signal

Signal to stop a container. Default is SIGTERM.

stop_timeout

Timeout (in seconds) to stop a container. Default is 10.

subgidname

Run the container in a new user namespace using the map with 'name' in the /etc/subgid file.

subuidname

Run the container in a new user namespace using the map with 'name' in the /etc/subuid file.

sysctl

Configure namespaced kernel parameters at runtime

systemd

Run container in systemd mode. The default is true.

tmpfs

Create a tmpfs mount. For example tmpfs "/tmp" "rw,size=787448k,mode=1777"

tty

Allocate a pseudo-TTY. The default is false.

uidmap

Run the container in a new user namespace using the supplied mapping.

ulimit

Ulimit options

user

Sets the username or UID used and optionally the groupname or GID for the specified command.

userns

Set the user namespace mode for the container. It defaults to the PODMAN_USERNS environment variable. An empty value means user namespaces are disabled.

uts

Set the UTS mode for the container

volume

Create a bind mount. If you specify, volume /HOST-DIR:/CONTAINER-DIR, podman bind mounts /HOST-DIR in the host to /CONTAINER-DIR in the podman container.

volumes_from

Mount volumes from the specified container(s).

workdir

Working directory inside the container. The default working directory for running binaries within a container is the root directory (/).

Authors

Sagi Shnaidman (@sshnaidm)

Example Tasks

- name: Run container
  podman_container:
    name: container
    image: quay.io/bitnami/wildfly
    state: started

- name: Create a data container
  podman_container:
    name: mydata
    image: busybox
    volume:
    - /tmp/data

- name: Re-create a redis container
  podman_container:
    name: myredis
    image: redis
    command: redis-server --appendonly yes
    state: present
    recreate: yes
    expose:
    - 6379
    volumes_from:
    - mydata

- name: Restart a container
  podman_container:
    name: myapplication
    image: redis
    state: started
    restart: yes
    etc_hosts:
      other: 127.0.0.1
    restart_policy: no
    device: /dev/sda:/dev/xvda:rwm
    ports:
    - 8080:9000
    - 127.0.0.1:8081:9001/udp
    env:
      SECRET_KEY: ssssh
      BOOLEAN_KEY: yes

- name: Container present
  podman_container:
    name: mycontainer
    state: present
    image: ubuntu:14.04
    command: sleep 1d

- name: Stop a container
  podman_container:
    name: mycontainer
    state: stopped

- name: Start 4 load-balanced containers
  podman_container:
    name: container{{ item }}
    recreate: yes
    image: someuser/anotherappimage
    command: sleep 1d
  with_sequence: count=4

- name: remove container
  podman_container:
    name: ohno
    state: absent

- name: Writing output
  podman_container:
    name: myservice
    image: busybox
    log_options: path=/var/log/container/mycontainer.json
    log_driver: k8s-file