roles/docker: Install and set up Docker daemon

The *docker* role configures the Docker daemon on the managed machine.
2019-09-19 17:21:15 -05:00 · 2019-09-19 17:21:15 -05:00 · 1f535e980f
parent e7ad80d173
commit 1f535e980f
16 changed files with 267 additions and 0 deletions
--- a/docker.yml
+++ b/docker.yml
@ -0,0 +1,3 @@
+- hosts: docker
+  roles:
+  - docker
--- a/2
+++ b/2
@ -26,6 +26,8 @@ vm-hosts
 [dhcpd:children]
 pyrocufflink-dhcp

+[docker]
+
 [file-servers]
 file0.pyrocufflink.blue

--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@ -0,0 +1,6 @@
+docker_pkg: docker
+docker_allow_unprivileged: false
+docker_log_level: info
+docker_enable_tls: false
+docker_allow_outside: false
+docker_listen_port: 2376
--- a/roles/docker/files/generate-docker-key.sh
+++ b/roles/docker/files/generate-docker-key.sh
@ -0,0 +1,20 @@
+#!/bin/sh
+
+set -ex
+
+: ${DOCKER_SVC:=${1:-docker}}
+
+dropin=/etc/systemd/system/${DOCKER_SVC}.service.d/protect-system.conf
+
+systemctl stop ${DOCKER_SVC}
+if [ -f ${dropin} ]; then
+	mv ${dropin} ${dropin}.disabled
+	systemctl daemon-reload
+fi
+systemctl start ${DOCKER_SVC}
+test -f /etc/docker/key.json
+systemctl stop ${DOCKER_SVC}
+if [ -f ${dropin}.disabled ]; then
+	mv ${dropin}.disabled ${dropin}
+	systemctl daemon-reload
+fi
--- a/roles/docker/files/protect-system.systemd.conf
+++ b/roles/docker/files/protect-system.systemd.conf
@ -0,0 +1,4 @@
+[Service]
+ReadOnlyDirectories=/
+ReadWriteDirectories=/var /run /proc /sys/fs/cgroup /dev/pts
+PrivateTmp=true
--- a/roles/docker/files/reset-docker-storage.sh
+++ b/roles/docker/files/reset-docker-storage.sh
@ -0,0 +1,16 @@
+#!/bin/sh
+
+: ${DOCKER_SVC:=${1:-docker}}
+
+
+systemctl stop ${DOCKER_SVC} ${DOCKER_SVC}-storage-setup
+
+docker_pool=$(/sbin/lvm lvs | awk '$1=="docker-pool"{printf "%s/%s\n",$2,$1}')
+if [ -n "${docker_pool}" ]; then
+	/sbin/lvm lvchange -an "${docker_pool}"
+	/sbin/lvm lvremove "${docker_pool}"
+fi
+
+rm -f /etc/sysconfig/${DOCKER_SVC}-storage
+
+find /var/lib/docker -mindepth 1 -delete
--- a/roles/docker/handlers/main.yml
+++ b/roles/docker/handlers/main.yml
@ -0,0 +1,11 @@
+- name: reload systemd
+  command: systemctl daemon-reload
+- name: reset docker storage
+  script:
+     reset-docker-storage.sh {{ docker_service }}
+- name: restart docker
+  service:
+    name={{ docker_service }}
+    state=restarted
+- name: save firewalld configuration
+  command: firewall-cmd --runtime-to-permanent
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@ -0,0 +1,105 @@
+- name: load configuration variables
+  include_vars: '{{ docker_pkg }}.yml'
+- name: ensure docker is installed
+  package:
+    name={{ docker_pkg }}
+    state=present
+
+- name: ensure docker group exists
+  group:
+    name=docker
+    system=yes
+    state=present
+  when: docker_allow_unprivileged|d|bool
+
+- name: ensure docker storage is configured
+  template:
+    src=docker-storage-setup.j2
+    dest=/etc/sysconfig/{{ docker_storage_setup }}
+    mode=0644
+  notify: reset docker storage
+- name: ensure docker is configured
+  template:
+    src={{ docker_service }}.sysconfig.j2
+    dest=/etc/sysconfig/{{ docker_service }}
+  notify: restart docker
+
+- name: ensure ip forwarding is enabled
+  sysctl:
+    name=net.ipv4.ip_forward
+    value=1
+    sysctl_file=/etc/sysctl.d/70-ip_forward.conf
+
+- name: ensure docker daemon is configured
+  template:
+    src: daemon.json.j2
+    dest: /etc/docker/daemon.json
+    mode: '0644'
+  notify: restart docker
+
+- name: ensure docker server certificate is installed
+  copy:
+    src: '{{ item }}'
+    dest: /etc/pki/tls/certs/docker.cer
+    mode: '0644'
+  with_fileglob:
+  - certs/docker/{{ inventory_hostname }}/docker.cer
+- name: ensure docker server private key is installed
+  copy:
+    src: '{{ item }}'
+    dest: /etc/pki/tls/private/docker.key
+    mode: '0400'
+  with_fileglob:
+  - certs/docker/{{ inventory_hostname }}/docker.key
+- name: ensure docker client ca certificate is installed
+  copy:
+    src: '{{ item }}'
+    dest: /etc/pki/tls/certs/docker-ca.crt
+    mode: '0644'
+  with_fileglob:
+  - certs/docker/{{ inventory_hostname }}/docker-ca.crt
+
+- name: ensure docker trust key file exists
+  script:
+    generate-docker-key.sh
+    creates=/etc/docker/key.json
+- name: ensure docker systemd unit extension directory exists
+  file:
+    path=/etc/systemd/system/{{ docker_service }}.service.d
+    mode=0755
+    state=directory
+#- name: ensure system protection is configured for the docker daemon
+#  copy:
+#    src=protect-system.systemd.conf
+#    dest=/etc/systemd/system/{{ docker_service }}.service.d/protect-system.conf
+#    mode=0644
+#  notify:
+#  - reload systemd
+#  - restart docker
+- name: ensure docker daemon is configured to use http proxy
+  template:
+    src=http-proxy.conf.j2
+    dest=/etc/systemd/system/{{ docker_service }}.service.d/http-proxy.conf
+    mode=0644
+  notify:
+  - reload systemd
+  - restart docker
+
+- name: ensure firewall is configured for docker
+  firewalld:
+    port: '{{ docker_listen_port }}/tcp'
+    state: '{{ "enabled" if docker_allow_outside else "disabled" }}'
+    permanent: false
+    immediate: true
+  notify: save firewalld configuration
+
+- name: ensure docker starts at boot
+  service:
+    name={{ docker_service }}
+    enabled=yes
+
+- meta: flush_handlers
+- name: ensure docker is running
+  service:
+    name={{ docker_service }}
+    state=started
--- a/roles/docker/templates/daemon.json.j2
+++ b/roles/docker/templates/daemon.json.j2
@ -0,0 +1,16 @@
+{
+{% if docker_enable_tls %}
+    "tls": true,
+    "tlscert": "/etc/pki/tls/certs/docker.cer",
+    "tlskey": "/etc/pki/tls/private/docker.key",
+    "tlsverify": true,
+    "tlscacert": "/etc/pki/tls/certs/docker-ca.crt",
+    "hosts": [
+{% if docker_allow_outside %}
+        "tcp://[::]:{{ docker_listen_port }}",
+{% endif %}
+        "unix:///var/run/docker.sock"
+    ],
+{% endif %}
+    "log-level": "{{ docker_log_level }}"
+}
--- a/roles/docker/templates/docker-latest.sysconfig.j2
+++ b/roles/docker/templates/docker-latest.sysconfig.j2
@ -0,0 +1,34 @@
+# /etc/sysconfig/docker-latest
+
+# Modify these options if you want to change the way the docker daemon runs
+OPTIONS='{% if docker_allow_unprivileged|bool %}-G docker {% endif %}--selinux-enabled'
+DOCKER_CERT_PATH=/etc/docker
+
+# If you want to add your own registry to be used for docker search and docker
+# pull use the #ADD_REGISTRY option to list a set of registries, each prepended
+# with --add-registry flag. The first registry added will be the first registry
+# searched.
+#ADD_REGISTRY='--add-registry registry.access.redhat.com'
+
+# If you want to block registries from being used, uncomment the BLOCK_REGISTRY
+# option and give it a set of registries, each prepended with --block-registry
+# flag. For example adding docker.io will stop users from downloading images
+# from docker.io
+# BLOCK_REGISTRY='--block-registry'
+
+# Enable insecure registry communication by appending the registry URL
+# to the INSECURE_REGISTRY variable below and uncommenting it
+# INSECURE_REGISTRY='--insecure-registry '
+
+# On SELinux System, if you remove the --selinux-enabled option, you
+# also need to turn on the docker_transition_unconfined boolean.
+# setsebool -P docker_transition_unconfined
+
+# Location used for temporary files, such as those created by
+# docker load and build operations. Default is /var/lib/docker/tmp
+# Can be overriden by setting the following environment variable.
+# DOCKER_TMPDIR=/var/tmp
+
+# Controls the /etc/cron.daily/docker-logrotate cron job status.
+# To disable, uncomment the line below.
+# LOGROTATE=false
--- a/roles/docker/templates/docker-storage-setup.j2
+++ b/roles/docker/templates/docker-storage-setup.j2
@ -0,0 +1,14 @@
+# Edit this file to override any configuration options specified in
+# /usr/lib/{{ docker_storage_setup }}/{{ docker_storage_setup }}.
+#
+# For more details refer to "man {{ docker_storage_setup }}"
+
+{% if docker_storage_devs is defined %}
+DEVS="{{ docker_storage_devs|join(' ') }}"
+{% endif %}
+{% if docker_storage_vg is defined %}
+VG={{ docker_storage_vg }}
+{% endif %}
+{% if docker_storage_data_size is defined %}
+DATA_SIZE={{ docker_storage_data_size }}
+{% endif %}
--- a/roles/docker/templates/docker.sysconfig.j2
+++ b/roles/docker/templates/docker.sysconfig.j2
@ -0,0 +1,18 @@
+# /etc/sysconfig/docker
+
+# Modify these options if you want to change the way the docker daemon runs
+OPTIONS='{% if docker_allow_unprivileged|bool %}-G docker {% endif %}--selinux-enabled --log-driver=journald --signature-verification=false'
+if [ -z "${DOCKER_CERT_PATH}" ]; then
+    DOCKER_CERT_PATH=/etc/docker
+fi
+
+# Do not add registries in this file anymore. Use /etc/containers/registries.conf
+# from the atomic-registries package.
+#
+
+# docker-latest daemon can be used by starting the docker-latest unitfile.
+# To use docker-latest client, uncomment below lines
+#DOCKERBINARY=/usr/bin/docker-latest
+#DOCKERDBINARY=/usr/bin/dockerd-latest
+#DOCKER_CONTAINERD_BINARY=/usr/bin/docker-containerd-latest
+#DOCKER_CONTAINERD_SHIM_BINARY=/usr/bin/docker-containerd-shim-latest
--- a/roles/docker/templates/http-proxy.conf.j2
+++ b/roles/docker/templates/http-proxy.conf.j2
@ -0,0 +1,12 @@
+{% if http_proxy is defined or http_proxy is defined %}
+[Service]
+{% if http_proxy is defined %}
+Environment=HTTP_PROXY={{ http_proxy }}
+{% endif %}
+{% if https_proxy is defined %}
+Environment=HTTPS_PROXY={{ https_proxy }}
+{% endif %}
+{% if no_proxy is defined %}
+Environment=NO_PROXY={{ no_proxy|join(',') }}
+{% endif %}
+{% endif %}
--- a/roles/docker/vars/docker-latest.yml
+++ b/roles/docker/vars/docker-latest.yml
@ -0,0 +1,2 @@
+docker_storage_setup: docker-latest-storage-setup
+docker_service: docker-latest
--- a/roles/docker/vars/docker.yml
+++ b/roles/docker/vars/docker.yml
@ -0,0 +1,2 @@
+docker_storage_setup: docker-storage-setup
+docker_service: docker
--- a/roles/docker/vars/main.yml
+++ b/roles/docker/vars/main.yml
@ -0,0 +1,2 @@
+docker_service: docker-latest
+docker_storage_setup: docker-latest-storage-setup