Podman¶
Not currently included in the playbook
This playbook currently assumes that Podman is already installed on the system.
A dedicated podman role will be added later to manage installation and configuration of the service.
Overview¶
Podman is a daemonless container engine with a Docker-compatible command line, and it integrates more cleanly into AlmaLinux than Docker does (heck, it's bundled in).
It's used to create and manage containers and supports Quadlet, which "is a tool for running Podman containers under systemd in an optimal way by allowing containers to run under systemd in a declarative way" (Red Hat Blog).
"But why make systemd manage my containers?" you may ask. The reason is that it provides higher levels of automated container management than Podman alone can (Red Hat Blog).
As the (now frozen) Quadlet repository says:
"However, there are also use cases where you want some kind of automatic container management, but on a smaller, single-node scale, and often more tightly integrated with the rest of the system. [...].
"The recommended way to do this is to use systemd to orchestrate the containers, since this is an already running process manager, [...]."
Basically, anywhere you want to run a containerized system service without requiring human intervention, it's wise to use systemd to manage your locally running Podman containers.
Quadlets¶
Quadlet units still run regular Podman containers, but systemd becomes the process manager instead of Podman itself.
Ansible creates the .container file Quadlet needs and runs systemctl daemon-reload; on that reload the Quadlet generator turns the .container file into a generated .service unit (kept under /run/systemd/generator), which is why there is no .service file to write or enable by hand.
You'll probably only have to intervene manually if the .container file's syntax or the service's own configuration file is broken.
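The flow above, as an added example rather than the playbook's own template: a small shell function renders a .container unit from a service name, image, volumes and ports, and a second function drops it where Quadlet looks, reloads systemd and starts the result. The service name, image, host paths and ports are hypothetical.

```shell
#!/bin/sh
# Added example, not the playbook's own template: render a Quadlet .container
# unit the way an Ansible template would, put it where Quadlet looks for it
# and run the reload/start sequence the playbook automates.
# Service name, image, paths and ports used below are hypothetical.
set -eu

QUADLET_DIR="${QUADLET_DIR:-/etc/containers/systemd}"

# Print a .container unit for service $1 running image $2.
# Remaining arguments are Volume= specs (host:container[:options]) up to a
# literal "--", after which they are PublishPort= specs (host:container).
# No ContainerName= is set, so Podman names the container systemd-$1.
render_quadlet() {
  local name="$1" image="$2" key=Volume spec
  shift 2
  cat <<EOF
[Unit]
Description=${name} (Quadlet-managed Podman container)
After=network-online.target
Wants=network-online.target

[Container]
Image=${image}
EOF
  for spec in "$@"; do
    if [ "$spec" = "--" ]; then key=PublishPort; continue; fi
    printf '%s=%s\n' "$key" "$spec"
  done
  cat <<'EOF'

[Service]
# Restart on failure; give a slow image pull time before systemd gives up.
Restart=always
TimeoutStartSec=300

[Install]
WantedBy=multi-user.target default.target
EOF
}

# Install the unit and go through the steps the playbook automates. Writing
# to /etc/containers/systemd needs root; point QUADLET_DIR elsewhere to look
# at the rendered file without touching the system.
install_quadlet() {
  local name="$1"
  shift
  local unit="${QUADLET_DIR}/${name}.container"
  render_quadlet "$name" "$@" > "$unit"
  # Quadlet is a systemd generator: .container files only become .service
  # units during a (re)load, so this step is not optional.
  systemctl daemon-reload
  # Show the unit the generator produced; a broken .container file shows up
  # here as a missing service rather than at the next boot.
  systemctl cat "${name}.service"
  systemctl start "${name}.service"
  systemctl --no-pager status "${name}.service"
}

# Usage (hypothetical Caddy unit; the container will be called systemd-caddy):
#   install_quadlet caddy docker.io/library/caddy:2 \
#     /srv/caddy/Caddyfile:/etc/caddy/Caddyfile:Z caddy-data:/data -- 80:80 443:443
```

The named volume caddy-data is created by Podman on first start, and the Caddyfile bind mount carries the :Z label discussed under Volumes; nothing in the rendered unit needs systemctl enable, because the generator honours the [Install] section itself.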
Common commands¶
Use systemctl start <service>.service, systemctl stop <service>.service and systemctl restart <service>.service to manage it.
To view its status use systemctl status <service>.service.
To see the logs, use journalctl -u <service>.service; add --no-pager if long lines get cut off by the pager, or -f to follow new output.
Volumes¶
SELinux
I use SELinux and mount volumes, directories and files accordingly.
If you put :Z on a mount, Podman relabels that file or directory with a category private to the container, so no other container can access it. The relabel is applied recursively to the host path, so never use :Z (or :z) on system directories such as /home or /etc.
I'll try to make it optional, so that you can use it on systems with no SELinux.
Shared access
To allow shared access to a file or directory, use the :z label instead: the content gets a shared label that several containers can read and write.
If your system doesn't support SELinux, you may have to remove the :Z and :z labels from the templates by hand.
The containers use Podman-created named volumes where manual access to that data is not necessary, or there is no data worth backing up (for example, Caddy's data and config volumes).
In every other case, host directories holding config files or data that needs backing up (like Vaultwarden's database) are bind-mounted into the containers with the appropriate labels.
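Making the labels optional for hosts without SELinux, as an added example that is not the playbook's own code: one function detects whether SELinux is active, another strips the Z/z option from Volume= lines while leaving other mount options (ro, nodev, ...) alone, and a third copies a rendered unit into place with or without labels. The paths and the sample unit are constructed for the example.

```shell
#!/bin/sh
# Added example, not the playbook's own code: keep the :Z/:z SELinux labels
# in a rendered .container unit on SELinux hosts and strip them elsewhere,
# so the same template works on systems without SELinux.
# File paths and the sample unit below are hypothetical.
set -eu

# SELinux counts as active when a policy is loaded and not disabled.
# getenforce is present wherever the policy tools are installed;
# /sys/fs/selinux is only mounted when the kernel actually loaded a policy.
selinux_active() {
  if command -v getenforce >/dev/null 2>&1; then
    [ "$(getenforce)" != "Disabled" ]
  else
    [ -d /sys/fs/selinux ]
  fi
}

# Remove the Z/z relabel option from Volume= lines read on stdin, keeping
# any other options. Handles ":Z", ":Z,ro", ":ro,Z" and ":ro,Z,nodev";
# lines that are not Volume= pass through untouched.
strip_selinux_labels() {
  sed \
    -e '/^Volume=/s/:[Zz]$//' \
    -e '/^Volume=/s/:[Zz],/:/' \
    -e '/^Volume=/s/,[Zz]$//' \
    -e '/^Volume=/s/,[Zz],/,/'
}

# Copy a rendered unit into place, with or without labels as the host needs.
install_unit_for_host() {
  local src="$1" dst="$2"
  if selinux_active; then
    cp "$src" "$dst"
  else
    strip_selinux_labels < "$src" > "$dst"
  fi
}

# Constructed sample, roughly what a Vaultwarden unit would carry: a data
# directory exclusive to the container (:Z) and a shared, read-only CA file (:z).
# Usage:
#   printf '%s\n' "$SAMPLE_UNIT" | strip_selinux_labels
#   install_unit_for_host /tmp/vaultwarden.container /etc/containers/systemd/vaultwarden.container
SAMPLE_UNIT='[Container]
Image=docker.io/vaultwarden/server:latest
Volume=/srv/vaultwarden/data:/data:Z
Volume=/srv/shared/ca.crt:/etc/ssl/certs/ca.crt:ro,z
PublishPort=127.0.0.1:8080:80'
```

Stripping only touches Volume= lines, so an image tag or port line containing a stray ":Z" is never altered; on SELinux hosts the unit is copied byte for byte, which keeps the exclusive versus shared distinction the templates encode.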
Still containers though¶
Quadlet-managed containers still behave like normal containers. The only difference is that systemd controls their lifecycle. Podman names them using the pattern systemd-<service> (the Quadlet default when no ContainerName= is set in the .container file), so podman ps, podman exec and the rest of the CLI work on them as usual.
Extras¶
Debugging¶
This should not be relevant as Ansible should handle everything.
But in case it is, once the template is copied you can use /usr/libexec/podman/quadlet --dryrun /etc/containers/systemd/<service-name>.container to manually verify the .container files.
Service Tracker¶
Note
This section tracks which services are migrated to Quadlets and is very temporary.
Hopefully I can remove this section soon, once everything is a Quadlet.
| Service | Quadlet | Notes |
|---|---|---|
| Caddy | Stable | |
| Vaultwarden | Queued | |
| Grafana | Queued | |
| InfluxDB | Queued | |
| Telegraf | Needs runtime | |
| Mosquitto | Needs runtime | |
Future¶
This will become a full role responsible for installing and configuring Podman to make the rest of the playbook function.