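---
# docker.yml - configure Docker
#
# Lays down TLS material for the Docker engine and the private registry,
# installs the pinned Docker engine package while the package's own
# service start is suppressed, installs a daemon.json plus a systemd
# drop-in, and enables the related services.
#
# Variables referenced here are defined elsewhere in the project:
# docker.certs.*, docker.apt_repo.*, docker.options, docker.compose.*,
# vault_cert_keys.*, system_paths.ca_certs, system_certs, sysctl.
#
# File modes are quoted on purpose: an unquoted 0400 is read as a YAML 1.1
# octal integer (256) and Ansible would then apply the wrong permissions.

- name: Directory for registry certs
  ansible.builtin.file:
    mode: "0700"
    path: "{{ docker.certs.path }}"
    state: directory

- name: Docker TLS CA cert
  ansible.builtin.copy:
    dest: "{{ docker.certs.path }}/{{ docker.certs.ca_root }}"
    mode: "0400"
    src: "certs/{{ docker.certs.ca_root }}"

- name: Docker TLS cert
  ansible.builtin.copy:
    dest: "{{ docker.certs.path }}/docker-tls-cert.pem"
    mode: "0400"
    src: certs/docker-tls-cert.pem

# Private keys are rendered from vault variables; no_log keeps the key
# material out of verbose and --diff output.
- name: Docker TLS key
  ansible.builtin.copy:
    content: "{{ vault_cert_keys.docker_tls }}"
    dest: "{{ docker.certs.path }}/docker-tls-key.pem"
    mode: "0400"
  no_log: true

- name: Registry SSL cert
  ansible.builtin.copy:
    dest: "{{ docker.certs.path }}/domain.crt"
    mode: "0400"
    src: certs/registry-cert.pem

- name: Registry SSL key
  ansible.builtin.copy:
    content: "{{ vault_cert_keys.registry }}"
    dest: "{{ docker.certs.path }}/domain.key"
    mode: "0400"
  no_log: true

# splitext removes the ".pem" extension. The previous item.strip('.pem')
# was Python str.strip, which removes any of the characters '.', 'p', 'e',
# 'm' from both ends of the name ("example.pem" -> "xampl").
- name: Add trusted root certificate(s)
  ansible.builtin.copy:
    dest: "{{ system_paths.ca_certs }}/docker-{{ item | splitext | first }}.crt"
    mode: "0400"
    src: "certs/{{ item }}"
  with_items: "{{ system_certs }}"
  notify: Update CA certificates

# NOTE(review): the handler notified above already refreshes the CA store
# when a cert changes; this unconditional run may be redundant - confirm.
- name: Update CA certs
  ansible.builtin.command: update-ca-certificates
  changed_when: false

# The Ubuntu package installer defines an ExecStart option that conflicts
# with our daemon.json. Daemon startup has to be suppressed until after
# the ExecStart option is overridden by the systemd drop-in templated
# below. Note: changed_when here merely keeps these toggle actions out of
# the play-recap change list.
#
# policy-rc.d exit code 101 tells invoke-rc.d "action not allowed". The
# script needs a real shebang ("#!/bin/sh"); the earlier "#/bin/sh" was
# only a comment line.
- name: Temporarily disable systemctl start - policy-rc
  ansible.builtin.copy:
    content: |
      #!/bin/sh
      echo Disabled by ansible: systemctl start
      exit 101
    dest: /usr/sbin/policy-rc.d
    mode: "0755"
  changed_when: false

- name: Temporarily disable systemctl start - mask docker.service
  ansible.builtin.file:
    path: /etc/systemd/system/docker.service
    src: /dev/null
    state: link
  changed_when: false

# The always: section undoes the two suppressions above even if a step in
# the block fails, so the host is not left with services permanently masked.
- name: Configure docker service
  block:
    - name: Reload systemd
      ansible.builtin.systemd:
        daemon_reload: true
      changed_when: false

    # Pinned to an explicit version so upgrades are deliberate.
    - name: Docker engine package
      ansible.builtin.apt:
        name: "{{ docker.apt_repo.package_name }}={{ docker.apt_repo.package_ver }}"
        update_cache: true

    - name: Options directory
      ansible.builtin.file:
        path: /etc/docker
        state: directory

    - name: Docker options
      ansible.builtin.copy:
        content: "{{ docker.options | to_nice_json }}"
        dest: /etc/docker/daemon.json
      notify: Restart docker

    - name: Systemd override path for docker.service
      ansible.builtin.file:
        path: /lib/systemd/system/docker.service.d
        state: directory

    - name: Deal with conflicting systemd-unit option, await vol mount
      ansible.builtin.template:
        dest: /lib/systemd/system/docker.service.d/docker.service.conf
        src: docker.service.conf.j2
      notify: Reload systemd

    - name: Systemd unit file for enabling /var/lib/docker/volumes monitoring
      ansible.builtin.copy:
        dest: /etc/systemd/system/docker-permissions.service
        src: docker-permissions.service
      # TODO parse fstab seeking last luks line
  always:
    - name: Reenable systemctl start
      ansible.builtin.file:
        path: /usr/sbin/policy-rc.d
        state: absent
      changed_when: false

    - name: Unmask docker.service
      ansible.builtin.file:
        path: /etc/systemd/system/docker.service
        state: absent
      changed_when: false

- name: Suppress annoying error on subcontainer 'ia_addr' logs
  ansible.builtin.replace:
    path: /lib/systemd/system/snmpd.service
    regexp: 'snmpd -Lsd'
    replace: 'snmpd -LSid'
  notify: Restart snmpd

- name: Reload systemd again
  ansible.builtin.systemd:
    daemon_reload: true
  changed_when: false

- name: Enable docker.service
  ansible.builtin.systemd:
    enabled: true
    name: docker

- name: Enable docker-permissions.service
  ansible.builtin.systemd:
    enabled: true
    name: docker-permissions

# The download is pinned by version and verified against a sha256 from
# the project's variables. The version test is used instead of a plain
# string comparison so release numbers compare numerically.
- name: Download docker-compose (deprecated since V2 release)
  ansible.builtin.get_url:
    checksum: "sha256:{{ docker.compose.sha256 }}"
    dest: /usr/local/bin/docker-compose
    mode: "0755"
    url: >-
      https://github.com/docker/compose/releases/download/{{
      docker.compose.version }}/docker-compose-Linux-x86_64
  when: ansible_distribution_version is version('22.04', '<')

- name: Sysctl tuning parameters
  ansible.builtin.sysctl:
    name: "{{ item.key }}"
    value: "{{ item.value }}"
    sysctl_set: true
  with_dict: "{{ sysctl }}"

- name: Docker service
  ansible.builtin.service:
    name: docker
    state: started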