AAP 2.5 with RHEL System Roles - Playbook using quadlets with pod and container (possible improvement).

[rathbunr]

I'm looking for recent, working Ansible playbooks that deploy a Podman pod and containers using the Quadlet method, with a focus on security best practices throughout. I encountered repeated issues where the playbook failed to create the necessary Quadlet files, and after extensive troubleshooting, I developed the working playbook below.

While this version functions as expected, I'm unsure if I'm fully leveraging the capabilities of the redhat.rhel_system_roles.podman role. The examples available on the Red Hat portal didn’t seem to work reliably in my environment (AAP 2.5 containerized), and I’d appreciate any insights into:

• Whether there are best practices or role features I might be missing
• Known issues or limitations with Quadlet support in the current Podman + Ansible ecosystem
• Examples of validated, secure playbooks that follow the Quadlet approach for rootless containers
• Removing or replacing elements of the play with proper methods
• Ultimately converting it to a template that can be shared with others to create a reusable example, so others don't need to pull their hair out.
• I know there is a lot of room for security improvements as well, but this is my first go around

ansible_rootless_hello_world.yml.txt

[eriksjolund]

Here is a possible security improvement.

If none of the containers need to create outgoing connections, you could disallow that by doing the following

• drop the pod
• create a custom network mynet.network that has Internal=true
• let all containers connect to mynet.network (in other words Network=mynet.network)
• configure nginx to use socket activation (you would also need to add Network=mynet.network to example1.container)

Currently you are using localhost when connecting with curl. That will not be work after dropping the pod.
Instead you could let curl connect using a name that can be set with ContainerName=.
If you want to connect to nginx from inside the custom network, use AddHost=myhost.example.com or host.containers.internal.

I see your API Server does not currently use socket activation

          Exec=python -m http.server 8088

To make the API server available to the internet, you would need to adjust your python code to use socket activation or you could configure nginx to act as an HTTP reverse proxy for the API Server.