Ansible no.3: ansible-bender

[2019/03/21] This time we came together to talk about containers and their images managed by Ansible. We talked about buildah and podman in concert with the above-mentioned system management tool.

Initial rehearsal

Before you begin, you are expected to be familiar with some buzzwords. Let us try to associate their meaning with the context throughout the session.


Our old friend thus not need for further details and


Podman is a fully-featured container engine. It provides a Docker-compatible command line to ease the transition from other container engines. Most Podman commands can be run as a regular user, without requiring additional privileges. Furthermore, all of this is accomplished without a daemon!
— Podman 1.0 release

It is worth saying that podman is written in golang, the magic ingredient of today’s fancy and successful projects. It comes from Red Hat, but it has been released as open source (Apache-2.0 license, Github: tutorial/install).

Our original goal with Podman was to provide a fully-featured debugging experience for CRI-O, but it has become so much more.

Note-podman: Ubuntu users ~ at 16.04LTS you are out of luck :-( Debian, Ubuntu 18.04? Fedora/RHEL family welcome. Do you really want me to build from source and enjoy the hell of dependencies?


Buildah is an efficient way to create OCI images. It has a home at Github (Github:Containers/buildah). This is the second piece of the puzzle. It is again made with golang and again born in Red Hat (A daemon-haunted (container) world no longer: …).

Those two pieces have established a new wave of container management tools that are trying to get rid of old mistakes and undesired vulnerabilities. With all that in mind we can say: “The $king is dead, long live the $king!”, where the variables are Docker and Podman+Buildah (at this moment ;-)).

Note-buildah: Even Ubuntu 16.04 (Xenial) can build images, but it cannot run containers as it lacks CRI-O by default. It can get there via a PPA, though :-)

sudo add-apt-repository ppa:projectatomic/ppa
sudo apt-get update

The session

Dockerfile is wrong! However…

(brought by Tomáš Tomeček)

(slides / their source)


  • Dockerfile reborn (buildah bud . saves your life)
  • From scratch (of course be minimalist)
  • Bash copy (container image mounted)

then marry it with ansible ~ ansible_bender

  • interface between ansible and buildah (stdin/out/err); it is just another connection type (-c buildah), like ssh or local
  • you decide which layers are cached (up to apt upgrade or install ~ slow parts fast)
  • turn an ansible playbook from SSH+VM to buildah-inside-container (without modifying the playbook!!!)
  • Docker's take on the same topic: docker build -> Buildkit (after a few years of stagnation)

plans ~ future is bright

kNative ~ k8s integration (build part by ansible-bender)

Hands-on warm-up

Let’s start in shell

export BASE_IMAGE=fedora:29
export CONT_NAME=prgcont

buildah unshare ‘…’ for unprivileged user — still buggy, so become root for now…

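# pull the base image and create a working container from it
buildah pull $BASE_IMAGE
buildah from --name $CONT_NAME $BASE_IMAGE
# one-host inventory: the working container, reached over the buildah connection
printf "$CONT_NAME \
ansible_connection=buildah \
ansible_python_interpreter=/usr/bin/python3" >inventory-container
ansible-playbook -i inventory-container -c buildah ./recipe.yaml
# snapshot the working container as an image, then remove the container
buildah commit --cmd '/' $CONT_NAME my-fancy-image
buildah rm $CONT_NAME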

push it among local docker images:

buildah push prgcont docker-daemon:prgcont:some-name
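
The warm-up runs ./recipe.yaml but the page never shows it, so here is a constructed playbook (an added example, not the one used in the session) that works with the manual buildah flow above and also carries the settings ansible-bender reads when it is built with ansible-bender build ./recipe.yaml. The package, the site/ directory, UID 1000 and the image command are assumptions; the ansible_bender keys and the no-cache tag follow the ansible-bender README, so check them against your installed version.

```yaml
# recipe.yaml -- constructed example, not the playbook from the session
- name: Build a small static web image
  hosts: all
  vars:
    # Read only by ansible-bender; plain ansible-playbook ignores this variable,
    # so the same file still works with "-c buildah" as in the warm-up.
    ansible_bender:
      base_image: fedora:29
      target_image:
        name: my-fancy-image
        working_dir: /srv/app
        # assumption: numeric UID, so the image does not run its process as root
        user: "1000"
        cmd: python3 -m http.server 8080
      cache_tasks: true   # reuse the layer of a task that did not change
      layering: true      # snapshot a layer after each task
  tasks:
    - name: Install runtime packages (the slow part, worth caching)
      dnf:
        name: python3
        state: present

    - name: Create the content directory
      file:
        path: /srv/app
        state: directory
        mode: "0755"

    - name: Copy site content (site/ is a hypothetical local directory)
      copy:
        src: site/
        dest: /srv/app/
        mode: "0644"
      tags:
        - no-cache   # always re-run: the content changes between builds
```

A cached package layer keeps whatever package versions were current when it was built, so rebuild without the cache when you need fresh security updates in the image.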

Hands on second part


We’ll do two common use cases in this workshop:

  1. Containerizing a test suite. (done)
  2. Running a web app in a container. (done)

ansible-bender push docker-daemon:hugo:latest

Tip: use sen (Github:TomasTomecek/sen) — a terminal UI for docker

QA Part

Question: How does ansible interface with buildah?

Answer: stdin/out/err, but the cousin project podman uses a structured API called varlink (see FAQ of varlink).

One more thing

  • Quarkus — Red Hat’s take on Java Fast™
  • Drools (BPML) — slow java -> graalvm (AOT) made fast (from Red Hat blog Quarking Drools…)
  • OptaPlanner — a path optimizer (path for your VMs towards right hypervisor)


Question: How to replace a legacy Mirantis Openstack with something fresh?

Answer: Well, there are a couple of other projects doing the same thing (deploying and managing Openstack). The well-known ones are TripleO and its commercial cousin Red Hat Director, but what about shrinking the problem into just making the VM behave like a container? Then it is worth checking the idea behind Container Native Virtualization (aka CNV, as presented at Red Hat Summit — May 2018).

Originally published at on March 21, 2019.