Merge pull request #17 from wireapp/docker2

Migrate from rkt to docker

defaults/main.yml

@@ -1,18 +1,10 @@
 ---
-rkt_version: 1.30.0
-rkt_fly_version: 1.30.0
-node_exporter_version: v0.17.0
-
-versions:
-  restund: 0.4.14w7b1.0.47
-  nginx:   1.15.12-alpine
-  rex:     0.2.2b1.0.6
-  process_exporter: 0.4.0
-
-restund_user: restund
+restund_version: 0.4.14w7b1.0.47
+restund_user: restund # This also create the same group
 restund_udp_listen_port: 3478
 restund_tcp_listen_port: 3478
 restund_tls_listen_port: 5349
+restund_uid: 997
 restund_udp_status_port: 33000
 restund_http_status_port: 8080
 restund_metrics_listen_port: 8443
@@ -43,3 +35,6 @@ restund_metrics_enabled: false
 # FUTUREWORK: ease the process of using client certificates,
 # and only enable the client cert block if a CA cert is present.
 restund_metrics_client_certificates_enabled: false
+
+docker_ubuntu_repo_base_url: "https://download.docker.com/linux/ubuntu"
+docker_ubuntu_repo_gpgkey: 'https://download.docker.com/linux/ubuntu/gpg'

handlers/main.yml

@@ -2,14 +2,5 @@
 - name: systemctl daemon-reload
   command: systemctl daemon-reload
 
-- name: reload sshd
-  service: name=sshd state=reloaded
-
-- name: rkt gc
-  command: rkt gc
-
-- name: rkt image gc
-  command: rkt image gc
-
 - name: reload journald
   command: systemctl force-reload systemd-journald

tasks/main.yml

@@ -10,5 +10,4 @@
 
 - import_tasks: setup.yml
 - import_tasks: system.yml
-- import_tasks: rkt.yml
 - import_tasks: restund.yml

tasks/restund.yml

@@ -4,39 +4,32 @@
     name: "{{ restund_user }}"
     state: present
     system: true
+  when: restund_user != 'root'
   tags:
     - restund
-  when: restund_user != 'root'
 
 - name: add {{ restund_user }} user
   user:
     name: "{{ restund_user }}"
     shell: "/bin/false"
+    uid: "{{ restund_uid }}"
     group: "{{ restund_user }}"
     system: true
     createhome: false
   when: restund_user != 'root'
   tags:
     - restund
 
-- name: create /etc/restund and /opt/restund
+- name: create /etc/restund
   file:
-    path:  "{{ item }}"
+    path: /etc/restund
     state: directory
     mode:  0755
     owner: "{{ restund_user }}"
     group: "{{ restund_user }}"
-  with_items:
-    - /etc/restund
-    - /opt/restund
   tags:
     - restund
 
-- name: Download restund aci file
-  get_url:
-    url: "{{ aci_base_url }}/restund/restund-{{ versions.restund }}_linux_amd64.aci"
-    dest: "/opt/restund/restund-{{ versions.restund }}_linux_amd64.aci"
-
 - name: install restund tls certificate
   copy:
     dest:    /etc/restund/restund.pem
@@ -61,14 +54,13 @@
 - name: install restund unit file
   template:
     src:   templates/restund.service.j2
-    dest:  /lib/systemd/system/restund.service
+    dest:  /etc/systemd/system/restund.service
     mode:  0644
     owner: root
     group: root
   notify:
     # - restart restund # NOTE: Restarting restund should be done _manually_
-    - rkt gc
-    - rkt image gc
+    - systemctl daemon-reload
   tags:
     - restund
 

tasks/setup.yml

@@ -1,42 +1,22 @@
 ---
-- name: Ensure apt cache is updated
-  apt:
+- name: Ensure docker key is present
+  apt_key:
+    url: "{{ docker_ubuntu_repo_gpgkey }}"
+  tags:
+    - docker
+
+- name: Ensure docker repository is present
+  apt_repository:
+    repo:
+      "deb {{ docker_ubuntu_repo_base_url }} {{ ansible_distribution_release }} stable"
     update_cache: true
-  changed_when: false
-  when: ansible_os_family == 'Debian'
+  tags:
+    - docker
 
-- name: install needed packages
+- name: install docker
   apt:
     name:
-      - ca-certificates
-      - curl
-      - gnupg2
-      - htop
-      - ltrace
-      - nload
-      - strace
-      - systemd-container
-      - tmux
-      - unattended-upgrades
-      - python-openssl
-      - dnsutils
-      - iproute2
+      - docker-ce
     state: latest
-  when: ansible_os_family == 'Debian'
-
-- name: populate 'ansible_default_ipv4'
-  setup:
-  when: ansible_default_ipv4 is not defined
-
-- name: Check if inside AWS.
-  uri:
-    url: http://169.254.169.254/latest/meta-data
-    timeout: 2
-  register: aws_uri_check
-  when: is_aws_environment is not defined
-  failed_when: false
-
-- name: set is_aws_environment
-  set_fact:
-    is_aws_environment: "{{ aws_uri_check.status == 200 }}"
-  when: is_aws_environment is not defined
+  tags:
+    - docker

templates/restund.service.j2

@@ -2,23 +2,22 @@
 Description=restund
 Requires=network-online.target
 After=network-online.target
+After=docker.service
+Requires=docker.service
 
-# TODO: Avoid using insecure-options=image!
 [Service]
-Slice=machine.slice
-LimitNOFILE=50000
-ExecStart=/usr/bin/rkt run \
-    --insecure-options=image \
-    --net=host \
-    --dns=host \
-    --hosts-entry=host \
-    --volume volume-usr-local-etc-restund,kind=host,source=/etc/restund,readOnly=true \
-    /opt/restund/restund-{{ versions.restund }}_linux_amd64.aci \
-    --user={{ restund_user }} \
-    --group={{ restund_user }}
-ExecStopPost=/usr/bin/rkt gc --mark-only
-KillMode=mixed
-Restart=always
+TimeoutStartSec=0
+ExecStartPre=-/usr/bin/docker kill restund
+ExecStartPre=-/usr/bin/docker rm restund
+ExecStart=/usr/bin/docker run \
+  --ulimit nofile=90000:90000 \
+  --network=host \
+  --name restund \
+  --cap-add=NET_BIND_SERVICE \
+  --sysctl net.ipv4.ip_unprivileged_port_start=0 \
+  --user {{ restund_uid }}:{{ restund_user }} \
+  --volume /etc/restund:/usr/local/etc/restund:ro \
+  quay.io/wire/restund:{{ restund_version }}
 
 [Install]
 WantedBy=multi-user.target