
Merge branch 'drybjed-docker_server-updates'

drybjed committed Aug 13, 2019
2 parents 1c078f9 + 3bbcb50 commit a08b4874d255e550578a8050314a124e74197077
@@ -252,6 +252,14 @@ User management
- The Docker server no longer listens on a TCP port by default, even if
:ref:`debops.pki` is enabled.

- The default storage driver used by the :ref:`debops.docker_server` has been
changed to ``overlay2`` which is the default in upstream. The role checks the
currently enabled storage driver via Ansible local facts, and should preserve
the current configuration on existing installations.

If needed, the storage driver in use can be overridden via the
:envvar:`docker_server__storage_driver` variable.

:ref:`debops.etckeeper` role
''''''''''''''''''''''''''''

@@ -453,6 +461,17 @@ Roles removed from DebOps
the role. They are replaced by the :envvar:`keyring__keyserver` and the
corresponding local fact in the :ref:`debops.keyring` role.

:ref:`debops.docker_server` role
''''''''''''''''''''''''''''''''

- Support for `ferment`__ has been removed from DebOps due to the upstream not
being up to date anymore, both with Docker as well as with Python 3.x
support. The :command:`dockerd` daemon will be restarted on any
:command:`ferm` restarts to update the firewall configuration with Docker
rules.

.. __: https://github.com/diefans/ferment
:ref:`debops.lxc` role
''''''''''''''''''''''

@@ -1,6 +1,6 @@
debops.docker_server - Manage Docker server using Ansible

Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
Copyright (C) 2019 Imre Jonk <mail@imrejonk.nl>
Copyright (C) 2015-2019 DebOps https://debops.org/

@@ -179,15 +179,6 @@ docker_server__default_pip_packages:
src: '{{ docker_server__virtualenv + "/bin/docker-compose" }}'
state: '{{ "present" if docker_server__upstream|bool else "absent" }}'

- name: 'docker-py'
version: '0.5.3'
state: '{{ "present" if docker_server__ferment|bool else "absent" }}'

- name: 'ferment'
path: '/usr/local/bin/ferment'
src: '{{ docker_server__virtualenv + "/bin/ferment" }}'
state: '{{ "present" if docker_server__ferment|bool else "absent" }}'

# ]]]
# .. envvar:: docker_server__pip_packages [[[
#
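
Review bot: deleting the ``docker-py`` and ``ferment`` entries outright means nothing removes them from hosts that already have them, so the ``/usr/local/bin/ferment`` link and the pinned ``docker-py`` ``0.5.3`` stay in place after the upgrade. Consider keeping both entries for a release with ``state: 'absent'``, the same way the ferm rule in this commit is kept with ``rule_state: 'absent'``.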
@@ -386,9 +377,12 @@ docker_server__registry_mirrors: []
# .. envvar:: docker_server__storage_driver [[[
#
# Storage driver for docker volumes.
docker_server__storage_driver: '{{ "aufs"
if (ansible_distribution_release in ["wheezy", "jessie" ])
else "overlay" }}'
docker_server__storage_driver: '{{ ansible_local.docker_server.storage_driver
if (ansible_local|d() and ansible_local.docker_server|d() and
ansible_local.docker_server.storage_driver|d())
else ("aufs"
if (ansible_distribution_release in ["wheezy", "jessie" ])
else "overlay2") }}'

# ]]]
# .. envvar:: docker_server__storage_options [[[
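
Review bot: the preservation branch depends on ``ansible_local.docker_server.storage_driver`` already existing when this default is evaluated, but that key is only emitted by the fact script changed in this same commit. On the first run against an existing host the old fact output has no ``storage_driver``, so the expression falls through to ``"overlay2"`` unless the role installs the new fact script and re-gathers local facts before the daemon configuration is templated. The diff does not show that ordering; please confirm it or add an explicit step.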
@@ -475,32 +469,11 @@ docker_server__pki_key: 'default.key'

# .. envvar:: docker_server__ferm_post_hook [[[
#
# Enable or disable installation for the :program:`ferm` post hook when :program:`ferment`
# is disabled.
# Enable or disable installation for the :program:`ferm` post hook.
docker_server__ferm_post_hook: '{{ True
if (ansible_local|d() and
ansible_local.ferm|d() and
not docker_server__ferment|bool)
if (ansible_local|d() and ansible_local.ferm|d() and
(ansible_local.ferm.enabled|d())|bool)
else False }}'

# ]]]
# .. envvar:: docker_server__ferment [[[
#
# Enable or disable support for :program:`ferment` script, which can generate :program:`ferm`
# configuration with the current Docker state.
docker_server__ferment: '{{ True
if (not docker_server__upstream|bool)
else False }}'

# ]]]
# .. envvar:: docker_server__ferment_wrapper [[[
#
# Path to the :program:`ferment` wrapper script used to generate :program:`ferm` configuration.
docker_server__ferment_wrapper: '{{ (ansible_local.root.lib
if (ansible_local|d() and
ansible_local.root|d() and
ansible_local.root.lib|d())
else "/usr/local/lib") + "/docker-ferment-wrapper" }}'
# ]]]
# ]]]
# Configuration for other Ansible roles [[[
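
Review bot: the new description of ``docker_server__ferm_post_hook`` says only that it enables "installation for the ferm post hook" and not what the hook does. Since the hook template is ``restart-docker.j2`` and the variable now defaults to ``True`` on every host with ferm enabled, say in the comment that it restarts the Docker daemon after each :program:`ferm` restart, so operators know what they are switching on or off.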
@@ -555,20 +528,16 @@ docker_server__etc_services__dependent_list:
# ]]]
# .. envvar:: docker_server__ferm__dependent_rules [[[
#
# Configuration for :ref:`debops.ferm` role which enables support for :program:`ferment`
# script and opens access to the Docker REST API in the firewall.
# Configuration for :ref:`debops.ferm` role which opens access to the Docker
# REST API in the firewall.
docker_server__ferm__dependent_rules:

# Support for ferment has been dropped from DebOps
- type: 'custom'
weight: '99'
role: 'docker'
name: 'ferment_rules'
rules: |
@def $DOCKER_FERMENT = `test -x {{ docker_server__ferment_wrapper }} && echo 1 || echo 0`;
@if $DOCKER_FERMENT {
@include '{{ docker_server__ferment_wrapper + (" " + docker_server__bridge if docker_server__bridge else "") }}|';
}
state: '{{ "present" if docker_server__ferment|bool else "absent" }}'
rule_state: 'absent'

- type: 'accept'
dport: '{{ [ docker_server__tcp_port ] + docker_server__custom_ports }}'
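
Review bot: the retained ``ferment_rules`` entry keeps ``type: 'custom'`` but no longer has a ``rules`` value; please confirm that :ref:`debops.ferm` handles a custom entry without ``rules`` when ``rule_state`` is ``'absent'``. The comment above it should also say from which release the entry can be deleted, otherwise it will stay in the defaults indefinitely.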
@@ -93,15 +93,6 @@
when: item.path|d() and item.src|d() and
item.state|d('present') != 'absent'

- name: Install ferment wrapper script
template:
src: 'usr/local/lib/docker-ferment-wrapper.j2'
dest: '{{ docker_server__ferment_wrapper }}'
owner: 'root'
group: 'root'
mode: '0755'
when: docker_server__ferment | bool

- name: Install ferm post hook
template:
src: 'etc/ferm/hooks/post.d/restart-docker.j2'
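
Review bot: removing the "Install ferment wrapper script" task leaves the previously installed ``docker-ferment-wrapper`` file (root-owned, mode ``0755``) on upgraded hosts, because nothing in this commit deletes it. Add a ``file`` task with ``state: 'absent'`` for that path; the path has to be spelled out in the task, since ``docker_server__ferment_wrapper`` is removed from the defaults.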
@@ -3,13 +3,14 @@
# {{ ansible_managed }}

from __future__ import print_function
from json import loads, dumps
from json import load, loads, dumps
from sys import exit
import subprocess
import os
import re

docker_pkg = loads('''{{ docker_server__packagename | to_nice_json }}''')
daemon_json = '/etc/docker/daemon.json'


def cmd_exists(cmd):
@@ -32,7 +33,7 @@ output = {'installed': cmd_exists('docker')}
try:
version_stdout = subprocess.check_output(
["dpkg-query", "-W", "-f=${Version}\n'", docker_pkg]
).split('+')[0]
).decode('utf-8').split('+')[0]

match = re.search(r'^(?:[^:]:)?(?P<docker_version>[^~]+)', version_stdout)
if match:
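
Review bot: while this call is being touched for the ``.decode('utf-8')`` fix, the format argument ``"-f=${Version}\n'"`` still carries a stray ``'`` after the newline, so the quote character is part of what ``dpkg-query`` prints. A version string without ``+`` or ``~`` would pass it through to the ``[^~]+`` match; drop the quote and call ``.strip()`` on the decoded output.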
@@ -46,4 +47,13 @@ try:
except Exception:
pass

print(dumps(output, sort_keys=True, indent=2))
if os.path.exists(daemon_json) and os.path.isfile(daemon_json):
try:
with open(daemon_json, 'r') as f:
daemon_config = load(f)
output['storage_driver'] = daemon_config['storage-driver']

except Exception:
pass

print(dumps(output, sort_keys=True, indent=4))
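
Review bot: the bare ``except Exception: pass`` around the ``daemon.json`` read hides both a parse failure and a missing ``storage-driver`` key, and in either case the fact is simply absent, which makes the default in ``docker_server__storage_driver`` fall through to ``overlay2``. Use ``daemon_config.get('storage-driver')`` for the optional key and catch only the I/O and JSON decoding errors, so an unreadable file is distinguishable from an unset driver. The ``os.path.exists()`` test is also redundant next to ``os.path.isfile()``.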

This file was deleted.

This file was deleted.

@@ -25,17 +25,9 @@ which is easily done with :envvar:`docker_server__tcp_allow`. It is recommended
to use the :ref:`debops.pki` role to secure the connection between the client
and the Docker server.

Docker manages its own network bridge and :command:`iptables` entries. On hosts
that don't use upstream Docker packages, the :program:`ferment` Python script
will be installed in a Python virtualenv to allow :program:`ferm` firewall to
reload Docker firewall rules automatically, however it does not fully support
Docker yet, so be aware of this when you modify the firewall configuration. You
can restart :command:`docker` daemon to make sure that all firewall rules are
set up correctly.

On hosts with upstream Docker enabled and :command:`ferm`, a special post-hook
On hosts with :command:`ferm` firewall support enabled, a special post-hook
script will be installed that restarts the Docker daemon after :command:`ferm`
is restarted. In this case, :command:`ferment` will not be installed.
is restarted.

The :command:`docker-compose` script will be installed on hosts with upstream
Docker, in a Python virtualenv. It will be automatically available system-wide
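
Review bot: the rewritten paragraph says the post-hook restarts the Docker daemon after :command:`ferm` is restarted but does not say how to turn that off. Reference :envvar:`docker_server__ferm_post_hook` here, since that is the variable in the defaults that controls installation of the hook.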
@@ -49,11 +41,12 @@ This role does not support switching from Docker CE to Docker EE on an already
installed machine. It does support switching from distribution repository to
upstream. However, it is recommended to start with a clean machine if possible.

``debops.docker_server`` relies on configuration managed by :ref:`debops.core`,
:ref:`debops.ferm`, and :ref:`debops.pki` Ansible roles.
The :ref:`debops.docker_server` role relies on configuration managed by
:ref:`debops.core`, :ref:`debops.ferm`, and :ref:`debops.pki` Ansible roles.

.. _Docker variants: https://docs.docker.com/install/overview/


Useful variables
----------------

@@ -70,6 +63,7 @@ Ansible inventory to customize Docker:
:envvar:`docker_server__admins`
List of UNIX accounts that have access to Docker daemon socket.


Example inventory
-----------------

@@ -81,6 +75,7 @@ To configure Docker on a given remote host, it needs to be added to the
[debops_service_docker_server]
hostname


Example playbook
----------------

@@ -89,6 +84,7 @@ Here's an example playbook that can be used to manage Docker:
.. literalinclude:: ../../../../ansible/playbooks/service/docker_server.yml
:language: yaml


Ansible tags
------------

@@ -108,3 +104,34 @@ Available role tags:

``role::docker_server:admins``
Manage access to Docker daemon by UNIX accounts.


Other resources
---------------

List of other useful resources related to the ``debops.docker_server`` Ansible
role:

- Manual pages: :man:`docker(1)`, :man:`docker-run(1)`, :man:`Dockerfile(5)`,
:man:`docker-compose(1)`

- `Docker`__ page on Debian Wiki

.. __: https://wiki.debian.org/Docker
- `Docker`__ page on Arch Linux Wiki

.. __: https://wiki.archlinux.org/index.php/Docker
- `Docker documentation page`__

.. __: https://docs.docker.com/
- `Docker guide for Ansible`__

.. __: https://docs.ansible.com/ansible/latest/scenario_guides/guide_docker.html
- Official DebOps image in the Docker Hub: `debops/debops`__ (see also
:ref:`quick_start__docker`)

.. __: https://hub.docker.com/r/debops/debops
@@ -3,16 +3,28 @@
debops.docker_server
====================

`Docker`_ is a lightweight virtualization platform based on Linux kernel
features that allow creation and management of isolated application
environments.

.. _Docker: https://docker.com/

The ``debops.docker_server`` role can be used to install and configure Docker
service on Debian/Ubuntu hosts. To role supports installation of Docker from OS
distribution repositories, as well as from the upstream repository.

.. toctree::
:maxdepth: 2

introduction
getting-started
defaults/main
defaults-detailed
docker-virtualenv
copyright
upgrade

Copyright
---------

.. literalinclude:: ../../../../ansible/roles/debops.docker_server/COPYRIGHT

..
Local Variables:
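
Review bot: typo in the new introduction, "To role supports installation of Docker" should read "The role supports installation of Docker".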

This file was deleted.

This file was deleted.
