containers.podman.podman_container module – Manage podman containers¶
Note
This module is part of the containers.podman collection (version 1.16.2).
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install containers.podman
.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: containers.podman.podman_container
.
New in containers.podman 1.0.0
Synopsis¶
Start, stop, restart and manage Podman containers
Requirements¶
The below requirements are needed on the host that executes this module.
podman
Parameters¶
Parameter |
Comments |
---|---|
Add an annotation to the container. The format is key value, multiple times. |
|
Set the architecture for the container. Override the architecture, defaults to hosts, of the image to be pulled. For example, arm. |
|
Attach to STDIN, STDOUT or STDERR. The default in Podman is false. Choices:
|
|
Path of the authentication file. Default is ``${XDG_RUNTIME_DIR}/containers/auth.json`` (Not available for remote commands) You can also override the default path of the authentication file by setting the ``REGISTRY_AUTH_FILE`` environment variable. ``export REGISTRY_AUTH_FILE=path`` |
|
Block IO weight (relative weight) accepts a weight value between 10 and 1000 |
|
Block IO weight (relative device weight, format DEVICE_NAME[:]WEIGHT). |
|
List of capabilities to add to the container. |
|
List of capabilities to drop from the container. |
|
When running on cgroup v2, specify the cgroup file to write to and its value. |
|
Path to cgroups under which the cgroup for the container will be created. If the path is not absolute, the path is considered to be relative to the cgroups path of the init process. Cgroups will be created if they do not already exist. |
|
Path to cgroups under which the cgroup for the container will be created. |
|
Determines whether the container will create CGroups. Valid values are enabled and disabled, which the default being enabled. The disabled option will force the container to not create CGroups, and thus conflicts with CGroup options cgroupns and cgroup-parent. |
|
Path to a directory inside the container that is treated as a chroot directory. |
|
Write the container ID to the file |
|
Any additional command options you want to pass to podman command itself, for example |
|
Override command of container. Can be a string or a list. |
|
Write the pid of the conmon process to a file. conmon runs in a separate process than Podman, so this is necessary when using systemd to restart Podman containers. |
|
Limit the CPU CFS (Completely Fair Scheduler) period |
|
Limit the CPU CFS (Completely Fair Scheduler) quota |
|
Limit the CPU real-time period in microseconds. Limit the container’s Real Time CPU usage. This flag tell the kernel to restrict the container’s Real Time CPU usage to the period you specify. |
|
Limit the CPU real-time runtime in microseconds. This flag tells the kernel to limit the amount of time in a given CPU period Real Time tasks may consume. |
|
CPU shares (relative weight) |
|
Number of CPUs. The default is 0.0 which means no limit. |
|
CPUs in which to allow execution (0-3, 0,1) |
|
Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems. |
|
Return additional information which can be helpful for investigations. Choices:
|
|
The “key-passphrase” to be used for decryption of images. Key can point to keys and/or certificates. |
|
Remove selected container and recursively remove all containers that depend on it. Applies to “delete” command. Choices:
|
|
Seconds to wait before forcibly stopping the container. Use -1 for infinite wait. Applies to “delete” command. |
|
Remove anonymous volumes associated with the container. This does not include named volumes created with podman volume create, or the –volume option of podman run and podman create. Choices:
|
|
Run container in detach mode Choices:
|
|
Override the key sequence for detaching a container. Format is a single character or ctrl-value |
|
Add a host device to the container. The format is <device-on-host>[:<device-on-container>][:<permissions>] (e.g. device /dev/sdc:/dev/xvdc:rwm) |
|
Add a rule to the cgroup allowed devices list. The rule is expected to be in the format specified in the Linux kernel documentation admin-guide/cgroup-v1/devices. |
|
Limit read rate (bytes per second) from a device (e.g. device-read-bps /dev/sda:1mb) |
|
Limit read rate (IO per second) from a device (e.g. device-read-iops /dev/sda:1000) |
|
Limit write rate (bytes per second) to a device (e.g. device-write-bps /dev/sda:1mb) |
|
Limit write rate (IO per second) to a device (e.g. device-write-iops /dev/sda:1000) |
|
Set custom DNS servers |
|
Set custom DNS options |
|
Set custom DNS search domains (Use dns_search with ‘’ if you don’t wish to set the search domain) |
|
Overwrite the default ENTRYPOINT of the image |
|
Set environment variables. This option allows you to specify arbitrary environment variables that are available for the process that will be launched inside of the container. |
|
Read in a line delimited file of environment variables. Doesn’t support idempotency. If users changes the file with environment variables it’s on them to recreate the container. The file must be present on the REMOTE machine where actual podman is running, not on the controller machine where Ansible is executing. If you need to copy the file from controller to remote machine, use the copy or slurp module. |
|
Use all current host environment variables in container. Defaults to false. Choices:
|
|
Preprocess default environment variables for the containers |
|
Dict of host-to-IP mappings, where each host name is a key in the dictionary. Each host name will be added to the container’s ``/etc/hosts`` file. |
|
Path to Default: |
|
Expose a port, or a range of ports (e.g. expose “3300-3310”) to set up port redirection on the host system. |
|
Force deletion of container when it’s being deleted. Choices:
|
|
Force restart of container. Choices:
|
|
Generate systemd unit file for container. Default: |
|
Add the systemd unit after (After=) option, that ordering dependencies between the list of dependencies and this service. |
|
Set the systemd unit name prefix for containers. The default is “container”. |
|
Use names of the containers for the start, stop, and description in the unit file. Default is true. Choices:
|
|
Create containers and pods when the unit is started instead of expecting them to exist. The default is “false”. Refer to podman-generate-systemd(1) for more information. Choices:
|
|
Do not generate the header including meta data such as the Podman version and the timestamp. From podman version 3.1.0. Choices:
|
|
Specify a path to the directory where unit files will be generated. Required for this option. If it doesn’t exist, the directory will be created. |
|
Set the systemd unit name prefix for pods. The default is “pod”. |
|
Set the systemd unit requires (Requires=) option. Similar to wants, but declares a stronger requirement dependency. |
|
Specify a restart policy for the service. The restart-policy must be one of “no”, “on-success”, “on-failure”, “on-abnormal”, “on-watchdog”, “on-abort”, or “always”. The default policy is “on-failure”. Choices:
|
|
Set the systemd service restartsec value. |
|
Set the systemd unit name separator between the name/id of a container/pod and the prefix. The default is “-” (dash). |
|
Override the default start timeout for the container with the given value. |
|
Override the default stop timeout for the container with the given value. Called `time` before version 4. |
|
Add the systemd unit wants (Wants=) option, that this service is (weak) dependent on. |
|
Run the container in a new user namespace using the supplied mapping. |
|
GPU devices to add to the container. |
|
Add additional groups to run as |
|
Customize the entry that is written to the /etc/group file within the container when –user is used. |
|
Set a startup healthcheck command for a container. |
|
Set an interval for the startup healthcheck. |
|
The number of attempts allowed before the startup healthcheck restarts the container. If set to 0, the container is never restarted. The default is 0. |
|
The number of successful runs required before the startup healthcheck succeeds and the regular healthcheck begins. A value of 0 means that any success begins the regular healthcheck. The default is 0. |
|
The maximum time a startup healthcheck command has to complete before it is marked as failed. |
|
Set or alter a healthcheck command for a container. |
|
The action to be taken when the container is considered unhealthy. The action must be one of “none”, “kill”, “restart”, or “stop”. The default policy is “none”. Choices:
|
|
Set an interval for the healthchecks (a value of disable results in no automatic timer setup) (default “30s”) |
|
The number of retries allowed before a healthcheck is considered to be unhealthy. The default value is 3. |
|
The initialization time needed for a container to bootstrap. The value can be expressed in time format like 2m3s. The default value is 0s |
|
The maximum time allowed to complete the healthcheck before an interval is considered failed. Like start-period, the value can be expressed in a time format such as 1m22s. The default value is 30s |
|
Each .json file in the path configures a hook for Podman containers. For more details on the syntax of the JSON files and the semantics of hook injection, see oci-hooks(5). Can be set multiple times. |
|
Container host name. Sets the container host name that is available inside the container. |
|
Add a user account to /etc/passwd from the host to the container. The Username or UID must exist on the host system. |
|
By default proxy environment variables are passed into the container if set for the podman process. This can be disabled by setting the http_proxy option to false. The environment variables passed in include http_proxy, https_proxy, ftp_proxy, no_proxy, and also the upper case versions of those. Defaults to true Choices:
|
|
Repository path (or image name) and tag used to create the container. If an image is not found, the image will be pulled from the registry. If no tag is included, Can also be an image ID. If this is the case, the image is assumed to be available locally. |
|
Whether to compare images in idempotency by taking into account a full name with registry and namespaces. Choices:
|
|
Tells podman how to handle the builtin image volumes. The options are bind, tmpfs, or ignore (default bind) Choices:
|
|
Run an init inside the container that forwards signals and reaps processes. The default is false. Choices:
|
|
(Pods only). When using pods, create an init style container, which is run after the infra container is started but before regular pod containers are started. Choices:
|
|
Path to the container-init binary. |
|
Keep STDIN open even if not attached. The default is false. When set to true, keep stdin open even if not attached. The default is false. Choices:
|
|
Specify a static IP address for the container, for example ‘10.88.64.128’. Can only be used if no additional CNI networks to join were specified via ‘network:’, and if the container is not joining another container’s network namespace via ‘network container:<name|id>’. The address must be within the default CNI network’s pool (default 10.88.0.0/16). |
|
Specify a static IPv6 address for the container |
|
Default is to create a private IPC namespace (POSIX SysV IPC) for the container |
|
Kernel memory limit (format <number>[<unit>], where unit = b, k, m or g) Note - idempotency is supported for integers only. |
|
Add metadata to a container, pass dictionary of label names and values |
|
Read in a line delimited file of labels |
|
Logging driver. Used to set the log driver for the container. For example log_driver “k8s-file”. Choices:
|
|
Logging level for Podman. Log messages above specified level (“debug”|”info”|”warn”|”error”|”fatal”|”panic”) (default “error”) Choices:
|
|
Logging driver specific options. Used to set the path to the container log file. |
|
Specify a max size of the log file (e.g 10mb). |
|
Specify a path to the log file (e.g. /var/log/container/mycontainer.json). |
|
Specify a custom log tag for the container. |
|
Specify a MAC address for the container, for example ‘92:d0:c6:0a:29:33’. Don’t forget that it must be unique within one Ethernet network. |
|
Memory limit (format 10k, where unit = b, k, m or g) Note - idempotency is supported for integers only. |
|
Memory soft limit (format 100m, where unit = b, k, m or g) Note - idempotency is supported for integers only. |
|
A limit value equal to memory plus swap. Must be used with the -m (–memory) flag. The swap LIMIT should always be larger than -m (–memory) value. By default, the swap LIMIT will be set to double the value of –memory Note - idempotency is supported for integers only. |
|
Tune a container’s memory swappiness behavior. Accepts an integer between 0 and 100. |
|
Attach a filesystem mount to the container. bind or tmpfs For example mount “type=bind,source=/path/on/host,destination=/path/in/container” |
|
Name of the container |
|
Set the Network mode for the container * bridge create a network stack on the default bridge * none no networking * container:<name|id> reuse another container’s network stack * host use the podman host network stack. * <network-name>|<network-id> connect to a user-defined network * ns:<path> path to a network namespace to join * slirp4netns use slirp4netns to create a user network stack. This is the default for rootless containers |
|
Add network-scoped alias for the container. A container will only have access to aliases on the first network that it joins. This is a limitation that will be removed in a later release. |
|
Disable any defined healthchecks for container. Choices:
|
|
Do not create /etc/hosts for the container Default is false. Choices:
|
|
Whether to disable OOM Killer for the container or not. Default is false. Choices:
|
|
Tune the host’s OOM preferences for containers (accepts -1000 to 1000) |
|
Override the OS, defaults to hosts, of the image to be pulled. For example, windows. |
|
Allow Podman to add entries to /etc/passwd and /etc/group when used in conjunction with the –user option. This is used to override the Podman provided user setup in favor of entrypoint configurations such as libnss-extrausers. Choices:
|
|
Customize the entry that is written to the /etc/passwd file within the container when –passwd is used. |
|
Personality sets the execution domain via Linux personality(2). |
|
Set the PID mode for the container |
|
When the pidfile location is specified, the container process’ PID is written to the pidfile. |
|
Tune the container’s PIDs limit. Set -1 to have unlimited PIDs for the container. |
|
Specify the platform for selecting the image. |
|
Run container in an existing pod. If you want podman to make the pod for you, prefix the pod name with “new:” |
|
Run container in an existing pod and read the pod’s ID from the specified file. When a container is run within a pod which has an infra-container, the infra-container starts first. |
|
Pass down to the process the additional file descriptors specified in the comma separated list. |
|
Pass down to the process N additional file descriptors (in addition to 0, 1, 2). The total FDs are 3\+N. |
|
Give extended privileges to this container. The default is false. Choices:
|
|
Publish a container’s port, or range of ports, to the host. Format - ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort In case of only containerPort is set, the hostPort will chosen randomly by Podman. |
|
Publish all exposed ports to random ports on the host interfaces. The default is false. Choices:
|
|
Pull image policy. The default is ‘missing’. Choices:
|
|
Path to the directory to write quadlet file in. By default, it will be set as |
|
The permissions of the quadlet file. The If If Specifying |
|
Name of quadlet file to write. By default it takes |
|
Options for the quadlet file. Provide missing in usual container args options as a list of lines to add. |
|
Rdt-class sets the class of service (CLOS or COS) for the container to run in. Requires root. |
|
Mount the container’s root filesystem as read only. Default is false Choices:
|
|
If container is running in –read-only mode, then mount a read-write tmpfs on /run, /tmp, and /var/tmp. The default is true Choices:
|
|
Use with present and started states to force the re-creation of an existing container. Choices:
|
|
Specify one or more requirements. A requirement is a dependency container that will be started before this container. Containers can be specified by name or ID. |
|
Restart policy to follow when containers exit. Restart policy will not take effect if a container is stopped via the podman kill or podman stop commands. Valid values are * no - Do not restart containers on exit * on-failure[:max_retries] - Restart containers when they exit with a non-0 exit code, retrying indefinitely or until the optional max_retries count is hit * always - Restart containers when they exit, regardless of status, retrying indefinitely |
|
Seconds to wait before forcibly stopping the container when restarting. Use -1 for infinite wait. Applies to “restarted” status. |
|
Number of times to retry pulling or pushing images between the registry and local storage in case of failure. Default is 3. |
|
Duration of delay between retry attempts when pulling or pushing images between the registry and local storage in case of failure. |
|
Automatically remove the container when it exits. The default is false. Choices:
|
|
After exit of the container, remove the image unless another container is using it. Implies –rm on the new container. The default is false. Choices:
|
|
If true, the first argument refers to an exploded container on the file system. The default is false. Choices:
|
|
Determines how to use the NOTIFY_SOCKET, as passed with systemd and Type=notify. Can be container, conmon, ignore. |
|
Specify the policy to select the seccomp profile. |
|
Add the named secrets into the container. The format is |
|
Security Options. For example security_opt “seccomp=unconfined” |
|
Size of /dev/shm. The format is <number><unit>. number must be greater than 0. Unit is optional and can be b (bytes), k (kilobytes), m(megabytes), or g (gigabytes). If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses 64m |
|
Size of systemd-specific tmpfs mounts such as /run, /run/lock, /var/log/journal and /tmp. |
|
Proxy signals sent to the podman run command to the container process. SIGCHLD, SIGSTOP, and SIGKILL are not proxied. The default is true. Choices:
|
|
absent - A container matching the specified name will be stopped and removed. present - Asserts the existence of a container matching the name and any provided configuration parameters. If no container matches the name, a container will be created. If a container matches the name but the provided configuration does not match, the container will be updated, if it can be. If it cannot be updated, it will be removed and re-created with the requested config. Image version will be taken into account when comparing configuration. Use the recreate option to force the re-creation of the matching container. started - Asserts there is a running container matching the name and any provided configuration. If no container matches the name, a container will be created and started. Use recreate to always re-create a matching container, even if it is running. Use force_restart to force a matching container to be stopped and restarted. stopped - Asserts that the container is first present, and then if the container is running moves it to a stopped state. created - Asserts that the container exists with given configuration. If container doesn’t exist, the module creates it and leaves it in ‘created’ state. If configuration doesn’t match or ‘recreate’ option is set, the container will be recreated quadlet - Write a quadlet file with the specified configuration. Choices:
|
|
Signal to stop a container. Default is SIGTERM. |
|
Seconds to wait before forcibly stopping the container. Use -1 for infinite wait. Applies to “stopped” status. |
|
Timeout (in seconds) to stop a container. Default is 10. |
|
Run the container in a new user namespace using the map with ‘name’ in the /etc/subgid file. |
|
Run the container in a new user namespace using the map with ‘name’ in the /etc/subuid file. |
|
Configure namespaced kernel parameters at runtime |
|
Run container in systemd mode. The default is true. |
|
Maximum time (in seconds) a container is allowed to run before conmon sends it the kill signal. By default containers run until they exit or are stopped by “podman stop”. |
|
Set timezone in container. This flag takes area-based timezones, GMT time, as well as local, which sets the timezone in the container to match the host machine. See /usr/share/zoneinfo/ for valid timezones. Remote connections use local containers.conf for defaults. |
|
Require HTTPS and verify certificates when pulling images. Choices:
|
|
Create a tmpfs mount. For example tmpfs “/tmp” “rw,size=787448k,mode=1777” |
|
Allocate a pseudo-TTY. The default is false. Choices:
|
|
Run the container in a new user namespace using the supplied mapping. |
|
Ulimit options |
|
Set the umask inside the container. Defaults to 0022. Remote connections use local containers.conf for defaults. |
|
Unset default environment variables for the container. |
|
Unset all default environment variables for the container. Choices:
|
|
Sets the username or UID used and optionally the groupname or GID for the specified command. |
|
Set the user namespace mode for the container. It defaults to the PODMAN_USERNS environment variable. An empty value means user namespaces are disabled. |
|
Set the UTS mode for the container |
|
Use VARIANT instead of the default architecture variant of the container image. |
|
Create a bind mount. If you specify, volume /HOST-DIR:/CONTAINER-DIR, podman bind mounts /HOST-DIR in the host to /CONTAINER-DIR in the podman container. |
|
Mount volumes from the specified container(s). |
|
Working directory inside the container. The default working directory for running binaries within a container is the root directory (/). |
Examples¶
- name: Run container
containers.podman.podman_container:
name: container
image: quay.io/bitnami/wildfly
state: started
- name: Create a data container
containers.podman.podman_container:
name: mydata
image: busybox
volume:
- /tmp/data
- name: Re-create a redis container with systemd service file generated in /tmp/
containers.podman.podman_container:
name: myredis
image: redis
command: redis-server --appendonly yes
state: present
recreate: true
expose:
- 6379
volumes_from:
- mydata
generate_systemd:
path: /tmp/
restart_policy: always
stop_timeout: 120
names: true
container_prefix: ainer
- name: Restart a container
containers.podman.podman_container:
name: myapplication
image: redis
state: started
restart: true
etc_hosts:
other: "127.0.0.1"
restart_policy: "no"
device: "/dev/sda:/dev/xvda:rwm"
ports:
- "8080:9000"
- "127.0.0.1:8081:9001/udp"
env:
SECRET_KEY: "ssssh"
BOOLEAN_KEY: "yes"
- name: Container present
containers.podman.podman_container:
name: mycontainer
state: present
image: ubuntu:14.04
command: "sleep 1d"
- name: Stop a container
containers.podman.podman_container:
name: mycontainer
state: stopped
- name: Start 4 load-balanced containers
containers.podman.podman_container:
name: "container{{ item }}"
recreate: true
image: someuser/anotherappimage
command: sleep 1d
with_sequence: count=4
- name: remove container
containers.podman.podman_container:
name: ohno
state: absent
- name: Writing output
containers.podman.podman_container:
name: myservice
image: busybox
log_options: path=/var/log/container/mycontainer.json
log_driver: k8s-file
- name: Run container with complex command with quotes
containers.podman.podman_container:
name: mycontainer
image: certbot/certbot
command:
- renew
- --deploy-hook
- "echo 1 > /var/lib/letsencrypt/complete"
- name: Create a Quadlet file
containers.podman.podman_container:
name: quadlet-container
image: nginx
state: quadlet
quadlet_filename: custome-container
quadlet_file_mode: '0640'
device: "/dev/sda:/dev/xvda:rwm"
ports:
- "8080:80"
volumes:
- "/var/www:/usr/share/nginx/html"
quadlet_options:
- "AutoUpdate=registry"
- "Pull=newer"
- |
[Install]
WantedBy=default.target
Return Values¶
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
Facts representing the current state of the container. Matches the podman inspection output. Note that facts are part of the registered vars since Ansible 2.8. For compatibility reasons, the facts are also accessible directly as Empty if Returned: always Sample: |