[debops.docker_server] Drop 'ferment' support

drybjed committed Aug 13, 2019
1 parent e28bc0f commit f12e80b802a520588fc8e602998fdddbada355dc
@@ -461,6 +461,17 @@ Roles removed from DebOps
the role. They are replaced by the :envvar:`keyring__keyserver` and the
corresponding local fact in the :ref:`debops.keyring` role.

:ref:`debops.docker_server` role
''''''''''''''''''''''''''''''''

- Support for `ferment`__ has been removed from DebOps due to the upstream not
being up to date anymore, both with Docker as well as with Python 3.x
support. The :command:`dockerd` daemon will be restarted on any
:command:`ferm` restarts to update the firewall configuration with Docker
rules.

.. __: https://github.com/diefans/ferment
:ref:`debops.lxc` role
''''''''''''''''''''''

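Review bot: The new entry says dockerd is restarted on any ferm restart, but it does not name the setting that controls this. The restart comes from the ferm post hook, which is governed by docker_server__ferm_post_hook; naming that variable here would let operators who cannot tolerate a daemon restart on every firewall reload find the switch. The entry also does not say whether hosts that already have ferment installed are cleaned up by the role or need manual removal.
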
@@ -179,15 +179,6 @@ docker_server__default_pip_packages:
src: '{{ docker_server__virtualenv + "/bin/docker-compose" }}'
state: '{{ "present" if docker_server__upstream|bool else "absent" }}'

- name: 'docker-py'
version: '0.5.3'
state: '{{ "present" if docker_server__ferment|bool else "absent" }}'

- name: 'ferment'
path: '/usr/local/bin/ferment'
src: '{{ docker_server__virtualenv + "/bin/ferment" }}'
state: '{{ "present" if docker_server__ferment|bool else "absent" }}'

# ]]]
# .. envvar:: docker_server__pip_packages [[[
#
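Review bot: The 'docker-py' and 'ferment' entries are dropped from docker_server__default_pip_packages outright, so nothing visible in this commit removes /usr/local/bin/ferment or the pinned docker-py 0.5.3 from hosts where they were installed earlier. Both entries already carried a state field; consider keeping them for one release with state: 'absent' hard-coded, the same way the 'ferment_rules' firewall entry is kept with rule_state: 'absent', so that the outdated packages do not linger unmanaged.
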
@@ -478,32 +469,11 @@ docker_server__pki_key: 'default.key'

# .. envvar:: docker_server__ferm_post_hook [[[
#
# Enable or disable installation for the :program:`ferm` post hook when :program:`ferment`
# is disabled.
# Enable or disable installation for the :program:`ferm` post hook.
docker_server__ferm_post_hook: '{{ True
if (ansible_local|d() and
ansible_local.ferm|d() and
not docker_server__ferment|bool)
if (ansible_local|d() and ansible_local.ferm|d() and
(ansible_local.ferm.enabled|d())|bool)
else False }}'

# ]]]
# .. envvar:: docker_server__ferment [[[
#
# Enable or disable support for :program:`ferment` script, which can generate :program:`ferm`
# configuration with the current Docker state.
docker_server__ferment: '{{ True
if (not docker_server__upstream|bool)
else False }}'

# ]]]
# .. envvar:: docker_server__ferment_wrapper [[[
#
# Path to the :program:`ferment` wrapper script used to generate :program:`ferm` configuration.
docker_server__ferment_wrapper: '{{ (ansible_local.root.lib
if (ansible_local|d() and
ansible_local.root|d() and
ansible_local.root.lib|d())
else "/usr/local/lib") + "/docker-ferment-wrapper" }}'
# ]]]
# ]]]
# Configuration for other Ansible roles [[[
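Review bot: The default for docker_server__ferm_post_hook now depends on ansible_local.ferm.enabled, but the comment above it only says "Enable or disable installation for the ferm post hook." Document that the hook is on by default only when the ferm facts report the firewall as enabled, and that the hook restarts the Docker daemon. Separately, docker_server__ferment and docker_server__ferment_wrapper disappear without a deprecation step, so an inventory that still sets them is silently ignored; this deserves a line in the documentation entry added for this role.
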
@@ -558,20 +528,16 @@ docker_server__etc_services__dependent_list:
# ]]]
# .. envvar:: docker_server__ferm__dependent_rules [[[
#
# Configuration for :ref:`debops.ferm` role which enables support for :program:`ferment`
# script and opens access to the Docker REST API in the firewall.
# Configuration for :ref:`debops.ferm` role which opens access to the Docker
# REST API in the firewall.
docker_server__ferm__dependent_rules:

# Support for ferment has been dropped from DebOps
- type: 'custom'
weight: '99'
role: 'docker'
name: 'ferment_rules'
rules: |
@def $DOCKER_FERMENT = `test -x {{ docker_server__ferment_wrapper }} && echo 1 || echo 0`;
@if $DOCKER_FERMENT {
@include '{{ docker_server__ferment_wrapper + (" " + docker_server__bridge if docker_server__bridge else "") }}|';
}
state: '{{ "present" if docker_server__ferment|bool else "absent" }}'
rule_state: 'absent'

- type: 'accept'
dport: '{{ [ docker_server__tcp_port ] + docker_server__custom_ports }}'
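Review bot: The 'ferment_rules' entry is kept only as a removal stub (rule_state: 'absent'), and the one-line comment above it does not say that or when the stub can go. Expand the comment to state that the entry exists to remove the rule from hosts configured by earlier versions, and note the release after which it can be deleted. Also confirm that debops.ferm accepts a 'custom' entry without a rules key when rule_state is 'absent'.
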
@@ -93,15 +93,6 @@
when: item.path|d() and item.src|d() and
item.state|d('present') != 'absent'

- name: Install ferment wrapper script
template:
src: 'usr/local/lib/docker-ferment-wrapper.j2'
dest: '{{ docker_server__ferment_wrapper }}'
owner: 'root'
group: 'root'
mode: '0755'
when: docker_server__ferment | bool

- name: Install ferm post hook
template:
src: 'etc/ferm/hooks/post.d/restart-docker.j2'
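Review bot: The "Install ferment wrapper script" task is deleted rather than replaced, so the root-owned, mode 0755 script it installed at docker_server__ferment_wrapper is left behind on existing hosts. An executable that is no longer managed or updated is worth cleaning up; add a file task with state: absent for that path. Since the variable is removed in this commit, the default path ending in /docker-ferment-wrapper would have to be spelled out in the task.
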

This file was deleted.

@@ -25,17 +25,9 @@ which is easily done with :envvar:`docker_server__tcp_allow`. It is recommended
to use the :ref:`debops.pki` role to secure the connection between the client
and the Docker server.

Docker manages its own network bridge and :command:`iptables` entries. On hosts
that don't use upstream Docker packages, the :program:`ferment` Python script
will be installed in a Python virtualenv to allow :program:`ferm` firewall to
reload Docker firewall rules automatically, however it does not fully support
Docker yet, so be aware of this when you modify the firewall configuration. You
can restart :command:`docker` daemon to make sure that all firewall rules are
set up correctly.

On hosts with upstream Docker enabled and :command:`ferm`, a special post-hook
On hosts with :command:`ferm` firewall support enabled, a special post-hook
script will be installed that restarts the Docker daemon after :command:`ferm`
is restarted. In this case, :command:`ferment` will not be installed.
is restarted.

The :command:`docker-compose` script will be installed on hosts with upstream
Docker, in a Python virtualenv. It will be automatically available system-wide
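
Review bot: The rewritten paragraph no longer explains why the post hook exists, because the sentence "Docker manages its own network bridge and iptables entries" goes away with the ferment text. Keep that sentence ahead of the post-hook description so readers understand that the daemon restart is what re-creates Docker's rules after ferm is restarted, and mention docker_server__ferm_post_hook as the way to turn the hook off.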
