roles/docker: Install and set up Docker daemon

The *docker* role configures the Docker daemon on the managed machine.
2019-09-19 17:21:15 -05:00
parent e7ad80d173
commit 1f535e980f
16 changed files with 267 additions and 0 deletions
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -0,0 +1,105 @@
+- name: load configuration variables
+  include_vars: '{{ docker_pkg }}.yml'
+- name: ensure docker is installed
+  package:
+    name={{ docker_pkg }}
+    state=present
+
+- name: ensure docker group exists
+  group:
+    name=docker
+    system=yes
+    state=present
+  when: docker_allow_unprivileged|d|bool
+
+- name: ensure docker storage is configured
+  template:
+    src=docker-storage-setup.j2
+    dest=/etc/sysconfig/{{ docker_storage_setup }}
+    mode=0644
+  notify: reset docker storage
+- name: ensure docker is configured
+  template:
+    src={{ docker_service }}.sysconfig.j2
+    dest=/etc/sysconfig/{{ docker_service }}
+  notify: restart docker
+
+- name: ensure ip forwarding is enabled
+  sysctl:
+    name=net.ipv4.ip_forward
+    value=1
+    sysctl_file=/etc/sysctl.d/70-ip_forward.conf
+
+- name: ensure docker daemon is configured
+  template:
+    src: daemon.json.j2
+    dest: /etc/docker/daemon.json
+    mode: '0644'
+  notify: restart docker
+
+- name: ensure docker server certificate is installed
+  copy:
+    src: '{{ item }}'
+    dest: /etc/pki/tls/certs/docker.cer
+    mode: '0644'
+  with_fileglob:
+  - certs/docker/{{ inventory_hostname }}/docker.cer
+- name: ensure docker server private key is installed
+  copy:
+    src: '{{ item }}'
+    dest: /etc/pki/tls/private/docker.key
+    mode: '0400'
+  with_fileglob:
+  - certs/docker/{{ inventory_hostname }}/docker.key
+- name: ensure docker client ca certificate is installed
+  copy:
+    src: '{{ item }}'
+    dest: /etc/pki/tls/certs/docker-ca.crt
+    mode: '0644'
+  with_fileglob:
+  - certs/docker/{{ inventory_hostname }}/docker-ca.crt
+
+- name: ensure docker trust key file exists
+  script:
+    generate-docker-key.sh
+    creates=/etc/docker/key.json
+- name: ensure docker systemd unit extension directory exists
+  file:
+    path=/etc/systemd/system/{{ docker_service }}.service.d
+    mode=0755
+    state=directory
+#- name: ensure system protection is configured for the docker daemon
+#  copy:
+#    src=protect-system.systemd.conf
+#    dest=/etc/systemd/system/{{ docker_service }}.service.d/protect-system.conf
+#    mode=0644
+#  notify:
+#  - reload systemd
+#  - restart docker
+- name: ensure docker daemon is configured to use http proxy
+  template:
+    src=http-proxy.conf.j2
+    dest=/etc/systemd/system/{{ docker_service }}.service.d/http-proxy.conf
+    mode=0644
+  notify:
+  - reload systemd
+  - restart docker
+
+- name: ensure firewall is configured for docker
+  firewalld:
+    port: '{{ docker_listen_port }}/tcp'
+    state: '{{ "enabled" if docker_allow_outside else "disabled" }}'
+    permanent: false
+    immediate: true
+  notify: save firewalld configuration
+
+- name: ensure docker starts at boot
+  service:
+    name={{ docker_service }}
+    enabled=yes
+
+- meta: flush_handlers
+- name: ensure docker is running
+  service:
+    name={{ docker_service }}
+    state=started