diff options
Diffstat (limited to 'roles/docker')
-rw-r--r-- | roles/docker/README.md | 2 | ||||
-rw-r--r-- | roles/docker/tasks/package_docker.yml | 2 | ||||
-rw-r--r-- | roles/docker/tasks/systemcontainer_docker.yml | 65 | ||||
-rw-r--r-- | roles/docker/templates/daemon.json | 60 | ||||
-rw-r--r-- | roles/docker/templates/systemcontainercustom.conf.j2 | 20 | ||||
-rw-r--r-- | roles/docker/vars/main.yml | 1 |
6 files changed, 67 insertions, 83 deletions
diff --git a/roles/docker/README.md b/roles/docker/README.md index f25ca03cd..4a9f21f22 100644 --- a/roles/docker/README.md +++ b/roles/docker/README.md @@ -3,6 +3,8 @@ Docker Ensures docker package or system container is installed, and optionally raises timeout for systemd-udevd.service to 5 minutes. +daemon.json items may be found at https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file + Requirements ------------ diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml index 10fb5772c..e101730d2 100644 --- a/roles/docker/tasks/package_docker.yml +++ b/roles/docker/tasks/package_docker.yml @@ -46,7 +46,7 @@ template: dest: "{{ docker_systemd_dir }}/custom.conf" src: custom.conf.j2 - when: not os_firewall_use_firewalld | default(True) | bool + when: not os_firewall_use_firewalld | default(False) | bool - stat: path=/etc/sysconfig/docker register: docker_check diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml index b0d0632b0..3af3e00b2 100644 --- a/roles/docker/tasks/systemcontainer_docker.yml +++ b/roles/docker/tasks/systemcontainer_docker.yml @@ -27,27 +27,51 @@ state: present when: not openshift.common.is_atomic | bool -# If we are on atomic, set http_proxy and https_proxy in /etc/atomic.conf +# Make sure Docker is installed so we are able to use the client +- name: Install Docker so we can use the client + package: name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present + when: not openshift.common.is_atomic | bool + +# Make sure docker is disabled. Errors are ignored. +- name: Disable Docker + systemd: + name: docker + enabled: no + state: stopped + daemon_reload: yes + ignore_errors: True + +# Set http_proxy, https_proxy, and no_proxy in /etc/atomic.conf +# regexp: the line starts with or without #, followed by the string +# http_proxy, then either : or = - block: - name: Add http_proxy to /etc/atomic.conf lineinfile: - path: /etc/atomic.conf - line: "http_proxy={{ openshift.common.http_proxy | default('') }}" + dest: /etc/atomic.conf + regexp: "^#?http_proxy[:=]{1}" + line: "http_proxy: {{ openshift.common.http_proxy | default('') }}" when: - openshift.common.http_proxy is defined - openshift.common.http_proxy != '' - name: Add https_proxy to /etc/atomic.conf lineinfile: - path: /etc/atomic.conf - line: "https_proxy={{ openshift.common.https_proxy | default('') }}" + dest: /etc/atomic.conf + regexp: "^#?https_proxy[:=]{1}" + line: "https_proxy: {{ openshift.common.https_proxy | default('') }}" when: - openshift.common.https_proxy is defined - openshift.common.https_proxy != '' - when: openshift.common.is_atomic | bool - + - name: Add no_proxy to /etc/atomic.conf + lineinfile: + dest: /etc/atomic.conf + regexp: "^#?no_proxy[:=]{1}" + line: "no_proxy: {{ openshift.common.no_proxy | default('') }}" + when: + - openshift.common.no_proxy is defined + - openshift.common.no_proxy != '' - block: @@ -77,23 +101,17 @@ set_fact: l_docker_image: "{{ l_docker_image_prepend }}/{{ openshift.docker.service_name }}:latest" +# NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released - name: Pre-pull Container Enginer System Container image command: "atomic pull --storage ostree {{ l_docker_image }}" changed_when: false + environment: + NO_PROXY: "{{ openshift.common.no_proxy | default('') }}" -# Make sure docker is disabled Errors are ignored as docker may not -# be installed. -- name: Disable Docker - systemd: - name: docker - enabled: no - state: stopped - daemon_reload: yes - ignore_errors: True -- name: Ensure docker.service.d directory exists +- name: Ensure container-engine.service.d directory exists file: - path: "{{ docker_systemd_dir }}" + path: "{{ container_engine_systemd_dir }}" state: directory - name: Ensure /etc/docker directory exists @@ -111,9 +129,18 @@ - name: Configure Container Engine Service File template: - dest: "{{ docker_systemd_dir }}/custom.conf" + dest: "{{ container_engine_systemd_dir }}/custom.conf" src: systemcontainercustom.conf.j2 +# Set local versions of facts that must be in json format for daemon.json +# NOTE: When jinja2.9+ is used the daemon.json file can move to using tojson +- set_fact: + l_docker_insecure_registries: "{{ docker_insecure_registries | default([]) | to_json }}" + l_docker_log_options: "{{ docker_log_options | default({}) | to_json }}" + l_docker_additional_registries: "{{ docker_additional_registries | default([]) | to_json }}" + l_docker_blocked_registries: "{{ docker_blocked_registries | default([]) | to_json }}" + l_docker_selinux_enabled: "{{ docker_selinux_enabled | default(true) | to_json }}" + # Configure container-engine using the daemon.json file - name: Configure Container Engine template: diff --git a/roles/docker/templates/daemon.json b/roles/docker/templates/daemon.json index 30a1b30f4..a41b7cdbd 100644 --- a/roles/docker/templates/daemon.json +++ b/roles/docker/templates/daemon.json @@ -1,66 +1,20 @@ - { - "api-cors-header": "", "authorization-plugins": ["rhel-push-plugin"], - "bip": "", - "bridge": "", - "cgroup-parent": "", - "cluster-store": "", - "cluster-store-opts": {}, - "cluster-advertise": "", - "debug": true, - "default-gateway": "", - "default-gateway-v6": "", "default-runtime": "oci", - "containerd": "/var/run/containerd.sock", - "default-ulimits": {}, + "containerd": "/run/containerd.sock", "disable-legacy-registry": false, - "dns": [], - "dns-opts": [], - "dns-search": [], "exec-opts": ["native.cgroupdriver=systemd"], - "exec-root": "", - "fixed-cidr": "", - "fixed-cidr-v6": "", - "graph": "", - "group": "", - "hosts": [], - "icc": false, - "insecure-registries": {{ docker_insecure_registries|default([]) }}, - "ip": "0.0.0.0", - "iptables": false, - "ipv6": false, - "ip-forward": false, - "ip-masq": false, - "labels": [], - "live-restore": true, + "insecure-registries": {{ l_docker_insecure_registries }}, {% if docker_log_driver is defined %} "log-driver": "{{ docker_log_driver }}", -{% endif %} - "log-level": "", - "log-opts": {{ docker_log_options|default({}) }}, - "max-concurrent-downloads": 3, - "max-concurrent-uploads": 5, - "mtu": 0, - "oom-score-adjust": -500, - "pidfile": "", - "raw-logs": false, - "registry-mirrors": [], +{%- endif %} + "log-opts": {{ l_docker_log_options }}, "runtimes": { "oci": { "path": "/usr/libexec/docker/docker-runc-current" } }, - "selinux-enabled": {{ docker_selinux_enabled|default(true) }}, - "storage-driver": "", - "storage-opts": [], - "tls": true, - "tlscacert": "", - "tlscert": "", - "tlskey": "", - "tlsverify": true, - "userns-remap": "", - "add-registry": {{ docker_additional_registries|default([]) }}, - "blocked-registries": {{ docker_blocked_registries|default([]) }}, - "userland-proxy-path": "/usr/libexec/docker/docker-proxy-current" + "selinux-enabled": {{ l_docker_selinux_enabled | lower }}, + "add-registry": {{ l_docker_additional_registries }}, + "block-registry": {{ l_docker_blocked_registries }} } diff --git a/roles/docker/templates/systemcontainercustom.conf.j2 b/roles/docker/templates/systemcontainercustom.conf.j2 index a4fb01d2b..86eebfba6 100644 --- a/roles/docker/templates/systemcontainercustom.conf.j2 +++ b/roles/docker/templates/systemcontainercustom.conf.j2 @@ -1,16 +1,16 @@ # {{ ansible_managed }} [Service] -{%- if "http_proxy" in openshift.common %} -ENVIRONMENT=HTTP_PROXY={{ docker_http_proxy }} -{%- endif -%} -{%- if "https_proxy" in openshift.common %} -ENVIRONMENT=HTTPS_PROXY={{ docker_http_proxy }} -{%- endif -%} -{%- if "no_proxy" in openshift.common %} -ENVIRONMENT=NO_PROXY={{ docker_no_proxy }} -{%- endif %} -{%- if os_firewall_use_firewalld|default(true) %} +{% if "http_proxy" in openshift.common %} +Environment=HTTP_PROXY={{ docker_http_proxy }} +{% endif -%} +{% if "https_proxy" in openshift.common %} +Environment=HTTPS_PROXY={{ docker_http_proxy }} +{% endif -%} +{% if "no_proxy" in openshift.common %} +Environment=NO_PROXY={{ docker_no_proxy }} +{% endif %} +{%- if os_firewall_use_firewalld|default(false) %} [Unit] Wants=iptables.service After=iptables.service diff --git a/roles/docker/vars/main.yml b/roles/docker/vars/main.yml index 0082ded1e..4e940b7f5 100644 --- a/roles/docker/vars/main.yml +++ b/roles/docker/vars/main.yml @@ -1,4 +1,5 @@ --- docker_systemd_dir: /etc/systemd/system/docker.service.d +container_engine_systemd_dir: /etc/systemd/system/container-engine.service.d docker_conf_dir: /etc/docker/ udevw_udevd_dir: /etc/systemd/system/systemd-udevd.service.d |