Secure Docker Daemon
Use this role to generate the key files and certificates needed to secure the Docker daemon. Certificates and keys are created on the target host, which is typically the Docker daemon host. If you plan to connect to the Docker daemon from a remote host, add a play to your playbook that uses the copy module to copy the client files to that remote host.
Configuring the daemon to actually use the certificates is a step you will need to add to your playbook or perform manually. How you add the required parameters to the service will depend on your environment. Here are the parameters you will add:
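As an added example (not the role's own code), here is the manual form of that step as a shell script: it writes the TLS settings into a daemon.json, adds the systemd drop-in that the packaged unit needs so that "hosts" in daemon.json does not clash with the unit's own -H flag, and checks that the server key is readable only by its owner. The file names ca.pem, server-cert.pem and server-key.pem, the TLS port 2376 and the dockerd path /usr/bin/dockerd are assumptions taken from the Docker TLS documentation, not from this page; adjust them to what the role placed in dds_server_cert_path.

```shell
#!/bin/sh
# Added example, not the role's code. Writes the daemon-side TLS settings that
# the role leaves to you, as a daemon.json plus a systemd drop-in.
# Assumed names: ca.pem, server-cert.pem, server-key.pem (Docker TLS docs),
# TLS port 2376, dockerd at /usr/bin/dockerd.

# write_daemon_json CERT_DIR LISTEN_ADDR OUT_FILE
# Refuses to write a config that points at missing files, so the daemon can
# never come up with TLS silently broken.
write_daemon_json() {
    cert_dir=$1; listen=$2; out=$3
    for f in ca.pem server-cert.pem server-key.pem; do
        [ -f "$cert_dir/$f" ] || { echo "missing $cert_dir/$f" >&2; return 1; }
    done
    cat > "$out" <<EOF
{
  "tlsverify": true,
  "tlscacert": "$cert_dir/ca.pem",
  "tlscert": "$cert_dir/server-cert.pem",
  "tlskey": "$cert_dir/server-key.pem",
  "hosts": ["unix:///var/run/docker.sock", "tcp://$listen:2376"]
}
EOF
}

# write_systemd_override OUT_FILE
# Packaged units start dockerd with -H fd://; that flag conflicts with "hosts"
# in daemon.json, so the drop-in clears ExecStart and restarts dockerd bare.
write_systemd_override() {
    cat > "$1" <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd
EOF
}

# key_perms_ok KEY_FILE: the server key must be readable by its owner only.
key_perms_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)
    [ "$mode" = "400" ] || [ "$mode" = "600" ]
}

# Typical use on the daemon host, as root:
#   write_daemon_json /etc/docker 10.0.2.15 /etc/docker/daemon.json
#   mkdir -p /etc/systemd/system/docker.service.d
#   write_systemd_override /etc/systemd/system/docker.service.d/override.conf
#   key_perms_ok /etc/docker/server-key.pem || chmod 0400 /etc/docker/server-key.pem
#   systemctl daemon-reload && systemctl restart docker
```

Keeping the unix socket in "hosts" preserves local access for root while the TCP listener only accepts clients whose certificate chains to the CA; leaving "tlsverify" out would accept any client that speaks TLS, which is the setting to audit for.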
For the client, place the client certificates in your home directory under ~/.docker. If you execute the client on the target machine, the role does this for you. You will also need to set the following environment variables:
You can source the docker_env.sh script generated by this role to set the above variables. Source it from your .profile or .bashrc to have the variables set automatically on login.
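As an added example of what such a sourced script can do (this is not the role's docker_env.sh), the functions below export the three Docker client variables only after checking that the certificate directory is complete, give a way to unset them again, and probe the daemon with openssl so that a certificate that does not chain to the CA is caught before any docker command runs. The client file names ca.pem, cert.pem and key.pem and the port 2376 are assumptions from the Docker TLS documentation, not from this page.

```shell
#!/bin/sh
# Added example, not the role's docker_env.sh. Exports the client-side
# variables only after checking the certificate directory, and offers a
# TLS probe of the daemon that does not depend on the docker CLI.
# Assumed client file names: ca.pem, cert.pem, key.pem (Docker TLS docs).

# docker_tls_env HOST CERT_DIR [PORT]
docker_tls_env() {
    host=$1; cert_dir=$2; port=${3:-2376}
    for f in ca.pem cert.pem key.pem; do
        [ -r "$cert_dir/$f" ] || { echo "client cert missing: $cert_dir/$f" >&2; return 1; }
    done
    DOCKER_HOST="tcp://$host:$port"
    DOCKER_TLS_VERIFY=1          # any non-empty value turns verification on
    DOCKER_CERT_PATH=$cert_dir
    export DOCKER_HOST DOCKER_TLS_VERIFY DOCKER_CERT_PATH
}

# docker_tls_unset: drop the variables so later commands fall back to the
# local socket instead of a stale remote endpoint.
docker_tls_unset() {
    unset DOCKER_HOST DOCKER_TLS_VERIFY DOCKER_CERT_PATH
}

# docker_tls_probe: handshake with the daemon using the client cert and check
# that the server certificate chains to ca.pem. Succeeds only on
# "Verify return code: 0 (ok)". Needs network access, so it is not run offline.
docker_tls_probe() {
    [ -n "$DOCKER_HOST" ] || return 1
    openssl s_client -connect "${DOCKER_HOST#tcp://}" \
        -CAfile "$DOCKER_CERT_PATH/ca.pem" \
        -cert "$DOCKER_CERT_PATH/cert.pem" -key "$DOCKER_CERT_PATH/key.pem" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Usage, e.g. from .profile:
#   docker_tls_env 10.0.2.15 "$HOME/.docker" && docker_tls_probe \
#       || echo "docker TLS setup incomplete" >&2
```

Exporting only after the file check matters because a missing ca.pem with DOCKER_TLS_VERIFY set makes every docker command fail with a confusing TLS error, while a missing DOCKER_TLS_VERIFY silently skips server verification.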
The following packages should already be installed on the target host:
The role exposes the following variables, each with a default:

- Path to temporary file space. Defaults to '/tmp'.
- Two-character country abbreviation. Used in the server CSR. Defaults to 'US'.
- State or province name. Used in the server CSR. Defaults to 'North Carolina'.
- City name. Used in the server CSR. Defaults to 'Durham'.
- Organization or company name. Used in the server CSR. Defaults to 'Acme Corp'.
- The host name or IP address used to access the Docker daemon. Defaults to '127.0.0.1'.
- A password used to secure key files. Defaults to 'Phrase123!'.
- Path where server certificates will be created. Defaults to '/etc/docker'.
- Path where client certificates will be created. Defaults to '~/.docker'.
- Destination directory for an optional shell script that sets the DOCKER environment variables used by clients when connecting to the Docker daemon. Defaults to '~' (the user's home directory).
- If true, installs a shell script named docker_env.sh that sets the DOCKER environment variables. Source the shell script in your .profile or .bashrc to set the variables automatically at login. Defaults to true.
- Set to true if the Docker daemon should be restarted after the certificates are created. Defaults to false.
Here's an example playbook that executes our role:
```yaml
- name: Secure the docker daemon
  hosts: localhost
  connection: local
  gather_facts: no
  become: yes
  roles:
    - role: ansible.secure-docker-daemon
      dds_host: 10.0.2.15
      dds_server_cert_path: /etc/default/docker
      dds_restart_docker: no
```