Diffstat (limited to 'roles/docker')
-rw-r--r--roles/docker/README.md2
-rw-r--r--roles/docker/tasks/package_docker.yml2
-rw-r--r--roles/docker/tasks/systemcontainer_docker.yml65
-rw-r--r--roles/docker/templates/daemon.json60
-rw-r--r--roles/docker/templates/systemcontainercustom.conf.j220
-rw-r--r--roles/docker/vars/main.yml1
6 files changed, 67 insertions, 83 deletions
diff --git a/roles/docker/README.md b/roles/docker/README.md
index f25ca03cd..4a9f21f22 100644
--- a/roles/docker/README.md
+++ b/roles/docker/README.md
@@ -3,6 +3,8 @@ Docker
Ensures docker package or system container is installed, and optionally raises timeout for systemd-udevd.service to 5 minutes.
+daemon.json items may be found at https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file
+
Requirements
------------
diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml
index 10fb5772c..e101730d2 100644
--- a/roles/docker/tasks/package_docker.yml
+++ b/roles/docker/tasks/package_docker.yml
@@ -46,7 +46,7 @@
template:
dest: "{{ docker_systemd_dir }}/custom.conf"
src: custom.conf.j2
- when: not os_firewall_use_firewalld | default(True) | bool
+ when: not os_firewall_use_firewalld | default(False) | bool
- stat: path=/etc/sysconfig/docker
register: docker_check
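Review bot: The changed condition `not os_firewall_use_firewalld | default(False) | bool` relies on Jinja applying the filters before `not`; writing it as `when: not (os_firewall_use_firewalld | default(False) | bool)` makes the grouping explicit. With the default now False, a host that leaves the variable unset gets custom.conf templated, which looks intended but deserves a line of documentation next to the variable. The task this condition belongs to starts above the hunk.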
diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml
index b0d0632b0..3af3e00b2 100644
--- a/roles/docker/tasks/systemcontainer_docker.yml
+++ b/roles/docker/tasks/systemcontainer_docker.yml
@@ -27,27 +27,51 @@
state: present
when: not openshift.common.is_atomic | bool
-# If we are on atomic, set http_proxy and https_proxy in /etc/atomic.conf
+# Make sure Docker is installed so we are able to use the client
+- name: Install Docker so we can use the client
+ package: name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present
+ when: not openshift.common.is_atomic | bool
+
+# Make sure docker is disabled. Errors are ignored.
+- name: Disable Docker
+ systemd:
+ name: docker
+ enabled: no
+ state: stopped
+ daemon_reload: yes
+ ignore_errors: True
+
+# Set http_proxy, https_proxy, and no_proxy in /etc/atomic.conf
+# regexp: the line starts with or without #, followed by the string
+# http_proxy, then either : or =
- block:
- name: Add http_proxy to /etc/atomic.conf
lineinfile:
- path: /etc/atomic.conf
- line: "http_proxy={{ openshift.common.http_proxy | default('') }}"
+ dest: /etc/atomic.conf
+ regexp: "^#?http_proxy[:=]{1}"
+ line: "http_proxy: {{ openshift.common.http_proxy | default('') }}"
when:
- openshift.common.http_proxy is defined
- openshift.common.http_proxy != ''
- name: Add https_proxy to /etc/atomic.conf
lineinfile:
- path: /etc/atomic.conf
- line: "https_proxy={{ openshift.common.https_proxy | default('') }}"
+ dest: /etc/atomic.conf
+ regexp: "^#?https_proxy[:=]{1}"
+ line: "https_proxy: {{ openshift.common.https_proxy | default('') }}"
when:
- openshift.common.https_proxy is defined
- openshift.common.https_proxy != ''
- when: openshift.common.is_atomic | bool
-
+ - name: Add no_proxy to /etc/atomic.conf
+ lineinfile:
+ dest: /etc/atomic.conf
+ regexp: "^#?no_proxy[:=]{1}"
+ line: "no_proxy: {{ openshift.common.no_proxy | default('') }}"
+ when:
+ - openshift.common.no_proxy is defined
+ - openshift.common.no_proxy != ''
- block:
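Review bot: `ignore_errors: True` on the relocated "Disable Docker" task swallows every failure, although the task added just above installs docker on non-atomic hosts, so the old reason (docker may not be installed) no longer holds there. If stopping or disabling docker.service fails, the play continues and the packaged daemon can stay running beside the system container with its own configuration. Consider dropping `ignore_errors`, or registering the result and failing unless the error is the unit being absent. Separately, `regexp: "^#?http_proxy[:=]{1}"` and its https/no_proxy siblings do not match `# http_proxy:` or `http_proxy :`, so lineinfile would append a second entry; `regexp: '^#?\s*http_proxy\s*[:=]'` covers those, and the `{1}` is redundant.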
@@ -77,23 +101,17 @@
set_fact:
l_docker_image: "{{ l_docker_image_prepend }}/{{ openshift.docker.service_name }}:latest"
+# NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released
- name: Pre-pull Container Enginer System Container image
command: "atomic pull --storage ostree {{ l_docker_image }}"
changed_when: false
+ environment:
+ NO_PROXY: "{{ openshift.common.no_proxy | default('') }}"
-# Make sure docker is disabled Errors are ignored as docker may not
-# be installed.
-- name: Disable Docker
- systemd:
- name: docker
- enabled: no
- state: stopped
- daemon_reload: yes
- ignore_errors: True
-- name: Ensure docker.service.d directory exists
+- name: Ensure container-engine.service.d directory exists
file:
- path: "{{ docker_systemd_dir }}"
+ path: "{{ container_engine_systemd_dir }}"
state: directory
- name: Ensure /etc/docker directory exists
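Review bot: The added `environment:` on the pre-pull task always sets `NO_PROXY`, so when `openshift.common.no_proxy` is undefined the command runs with `NO_PROXY=""`, replacing any value the host environment already provides. The atomic.conf tasks earlier in this file guard on `is defined` and `!= ''`; the same guard here would stop the workaround from changing behaviour on hosts with no no_proxy setting. The last task in the hunk continues outside it.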
@@ -111,9 +129,18 @@
- name: Configure Container Engine Service File
template:
- dest: "{{ docker_systemd_dir }}/custom.conf"
+ dest: "{{ container_engine_systemd_dir }}/custom.conf"
src: systemcontainercustom.conf.j2
+# Set local versions of facts that must be in json format for daemon.json
+# NOTE: When jinja2.9+ is used the daemon.json file can move to using tojson
+- set_fact:
+ l_docker_insecure_registries: "{{ docker_insecure_registries | default([]) | to_json }}"
+ l_docker_log_options: "{{ docker_log_options | default({}) | to_json }}"
+ l_docker_additional_registries: "{{ docker_additional_registries | default([]) | to_json }}"
+ l_docker_blocked_registries: "{{ docker_blocked_registries | default([]) | to_json }}"
+ l_docker_selinux_enabled: "{{ docker_selinux_enabled | default(true) | to_json }}"
+
# Configure container-engine using the daemon.json file
- name: Configure Container Engine
template:
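Review bot: `l_docker_selinux_enabled` serialises whatever type `docker_selinux_enabled` happens to have, so a value supplied as a string (for example from an INI inventory) becomes a quoted JSON string and daemon.json ends up with `"selinux-enabled": "false"` instead of a boolean. Casting first, `"{{ docker_selinux_enabled | default(true) | bool | to_json }}"`, keeps the SELinux setting a real boolean whatever the inventory format. The `set_fact` task also has no `name:`, unlike its neighbours. The "Configure Container Engine" task continues past the end of the hunk.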
diff --git a/roles/docker/templates/daemon.json b/roles/docker/templates/daemon.json
index 30a1b30f4..a41b7cdbd 100644
--- a/roles/docker/templates/daemon.json
+++ b/roles/docker/templates/daemon.json
@@ -1,66 +1,20 @@
-
{
- "api-cors-header": "",
"authorization-plugins": ["rhel-push-plugin"],
- "bip": "",
- "bridge": "",
- "cgroup-parent": "",
- "cluster-store": "",
- "cluster-store-opts": {},
- "cluster-advertise": "",
- "debug": true,
- "default-gateway": "",
- "default-gateway-v6": "",
"default-runtime": "oci",
- "containerd": "/var/run/containerd.sock",
- "default-ulimits": {},
+ "containerd": "/run/containerd.sock",
"disable-legacy-registry": false,
- "dns": [],
- "dns-opts": [],
- "dns-search": [],
"exec-opts": ["native.cgroupdriver=systemd"],
- "exec-root": "",
- "fixed-cidr": "",
- "fixed-cidr-v6": "",
- "graph": "",
- "group": "",
- "hosts": [],
- "icc": false,
- "insecure-registries": {{ docker_insecure_registries|default([]) }},
- "ip": "0.0.0.0",
- "iptables": false,
- "ipv6": false,
- "ip-forward": false,
- "ip-masq": false,
- "labels": [],
- "live-restore": true,
+ "insecure-registries": {{ l_docker_insecure_registries }},
{% if docker_log_driver is defined %}
"log-driver": "{{ docker_log_driver }}",
-{% endif %}
- "log-level": "",
- "log-opts": {{ docker_log_options|default({}) }},
- "max-concurrent-downloads": 3,
- "max-concurrent-uploads": 5,
- "mtu": 0,
- "oom-score-adjust": -500,
- "pidfile": "",
- "raw-logs": false,
- "registry-mirrors": [],
+{%- endif %}
+ "log-opts": {{ l_docker_log_options }},
"runtimes": {
"oci": {
"path": "/usr/libexec/docker/docker-runc-current"
}
},
- "selinux-enabled": {{ docker_selinux_enabled|default(true) }},
- "storage-driver": "",
- "storage-opts": [],
- "tls": true,
- "tlscacert": "",
- "tlscert": "",
- "tlskey": "",
- "tlsverify": true,
- "userns-remap": "",
- "add-registry": {{ docker_additional_registries|default([]) }},
- "blocked-registries": {{ docker_blocked_registries|default([]) }},
- "userland-proxy-path": "/usr/libexec/docker/docker-proxy-current"
+ "selinux-enabled": {{ l_docker_selinux_enabled | lower }},
+ "add-registry": {{ l_docker_additional_registries }},
+ "block-registry": {{ l_docker_blocked_registries }}
}
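Review bot: `"log-driver": "{{ docker_log_driver }}"` is now the only templated value in this file that is not JSON-encoded; a value containing a quote or backslash would yield invalid or altered JSON. Routing it through the same `to_json` set_fact step as the other `l_docker_*` values would make the file uniform. The new side also stops setting `"icc": false`, `"iptables": false` and `"live-restore": true`, so those fall back to dockerd's defaults. As far as I know `icc` and `iptables` default to enabled, so it is worth confirming that this is intended for these hosts.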
diff --git a/roles/docker/templates/systemcontainercustom.conf.j2 b/roles/docker/templates/systemcontainercustom.conf.j2
index a4fb01d2b..86eebfba6 100644
--- a/roles/docker/templates/systemcontainercustom.conf.j2
+++ b/roles/docker/templates/systemcontainercustom.conf.j2
@@ -1,16 +1,16 @@
# {{ ansible_managed }}
[Service]
-{%- if "http_proxy" in openshift.common %}
-ENVIRONMENT=HTTP_PROXY={{ docker_http_proxy }}
-{%- endif -%}
-{%- if "https_proxy" in openshift.common %}
-ENVIRONMENT=HTTPS_PROXY={{ docker_http_proxy }}
-{%- endif -%}
-{%- if "no_proxy" in openshift.common %}
-ENVIRONMENT=NO_PROXY={{ docker_no_proxy }}
-{%- endif %}
-{%- if os_firewall_use_firewalld|default(true) %}
+{% if "http_proxy" in openshift.common %}
+Environment=HTTP_PROXY={{ docker_http_proxy }}
+{% endif -%}
+{% if "https_proxy" in openshift.common %}
+Environment=HTTPS_PROXY={{ docker_http_proxy }}
+{% endif -%}
+{% if "no_proxy" in openshift.common %}
+Environment=NO_PROXY={{ docker_no_proxy }}
+{% endif %}
+{%- if os_firewall_use_firewalld|default(false) %}
[Unit]
Wants=iptables.service
After=iptables.service
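Review bot: The new `Environment=HTTPS_PROXY={{ docker_http_proxy }}` line still fills the HTTPS proxy from the HTTP proxy variable, so HTTPS registry traffic follows the HTTP proxy setting whenever the two differ. It should use the role's HTTPS proxy value (the tasks file reads `openshift.common.https_proxy`). Each block also tests for a key in `openshift.common` but prints a `docker_*` variable, so an empty value renders `Environment=HTTP_PROXY=` with nothing after it. Finally, `{%- if os_firewall_use_firewalld|default(false) %}` adds the iptables.service dependency when firewalld is in use, the opposite sense of the `not os_firewall_use_firewalld` condition in package_docker.yml. One of the two looks inverted, though custom.conf.j2 is not shown here.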
diff --git a/roles/docker/vars/main.yml b/roles/docker/vars/main.yml
index 0082ded1e..4e940b7f5 100644
--- a/roles/docker/vars/main.yml
+++ b/roles/docker/vars/main.yml
@@ -1,4 +1,5 @@
---
docker_systemd_dir: /etc/systemd/system/docker.service.d
+container_engine_systemd_dir: /etc/systemd/system/container-engine.service.d
docker_conf_dir: /etc/docker/
udevw_udevd_dir: /etc/systemd/system/systemd-udevd.service.d