14.2. Creating a rootless container with bind mount by using the podman RHEL system role

Procedure

1. Create a playbook file, for example, ~/playbook.yml, with the following content:

   - name: Configure Podman
     hosts: managed-node-01.example.com
     tasks:
       - name: Create a web application and a database
         ansible.builtin.include_role:
           name: redhat.rhel_system_roles.podman
         vars:
           podman_create_host_directories: true
           podman_firewall:
             - port: 8080-8081/tcp
               state: enabled
             - port: 12340/tcp
               state: enabled
           podman_selinux_ports:
             - ports: 8080-8081
               setype: http_port_t
           podman_kube_specs:
             - state: started
               run_as_user: dbuser
               run_as_group: dbgroup
               kube_file_content:
                 apiVersion: v1
                 kind: Pod
                 metadata:
                   name: db
                 spec:
                   containers:
                     - name: db
                       image:  quay.io/rhel-system-roles/mysql:5.6
                       ports:
                         - containerPort: 1234
                           hostPort: 12340
                       volumeMounts:
                         - mountPath: /var/lib/db:Z
                           name: db
                   volumes:
                     - name: db
                       hostPath:
                         path: /var/lib/db
             - state: started
               run_as_user: webapp
               run_as_group: webapp
               kube_file_src: /path/to/webapp.yml

   The settings specified in the example playbook include the following:

   run_as_user and run_as_group

   Specify that containers are rootless.

   kube_file_content

   Contains a Kubernetes YAML file defining the first container named db. You can generate the Kubernetes YAML file by using the podman kube generate command.

   • The db container is based on the quay.io/db/db:stable container image.
   • The db bind mount maps the /var/lib/db directory on the host to the /var/lib/db directory in the container. The Z flag labels the content with a private unshared label, therefore, only the db container can access the content.

   kube_file_src: <path>

   Defines the second container. The content of the /path/to/webapp.yml file on the controller node will be copied to the kube_file field on the managed node.

   volumes: <list>

   A YAML list to define the source of the data to provide in one or more containers. For example, a local disk on the host (hostPath) or other disk device.

   volumeMounts: <list>

   A YAML list to define the destination where the individual container will mount a given volume.

   podman_create_host_directories: true

   Creates the directory on the host. This instructs the role to check the kube specification for hostPath volumes and create those directories on the host. If you need more control over the ownership and permissions, use podman_host_directories.

   For details about all variables used in the playbook, see the /usr/share/ansible/roles/rhel-system-roles.podman/README.md file on the control node.

2. Validate the playbook syntax:

   $ ansible-playbook --syntax-check --ask-vault-pass ~/playbook.yml

   Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

3. Run the playbook:

   $ ansible-playbook --ask-vault-pass ~/playbook.yml