From 8c7732b555b7ddd01b411ce139be87259510473f Mon Sep 17 00:00:00 2001 From: Robert Kaussow Date: Sat, 18 Feb 2023 15:14:39 +0100 Subject: [PATCH] refactor: migrate to docker ce (#4) --- defaults/main.yml | 32 +++++++------ tasks/config.yml | 45 +++++++++++-------- tasks/install.yml | 18 ++++++++ templates/etc/containers/registries.conf.j2 | 27 ----------- .../etc/sysconfig/docker-storage-setup.j2 | 10 ----- templates/etc/sysconfig/docker.j2 | 30 +------------ .../system/docker.service.d/override.conf.j2 | 6 +++ 7 files changed, 67 insertions(+), 101 deletions(-) delete mode 100644 templates/etc/containers/registries.conf.j2 delete mode 100644 templates/etc/sysconfig/docker-storage-setup.j2 create mode 100644 templates/etc/systemd/system/docker.service.d/override.conf.j2 diff --git a/defaults/main.yml b/defaults/main.yml index 0ad00c7..806194e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,10 @@ --- dockerengine_packages: - - docker + - docker-ce + - docker-ce-cli + - containerd.io + - docker-buildx-plugin + - docker-compose-plugin # @var dockerengine_packages_extra:description: > # The role requires epel repository and pip to work. You can use @@ -11,9 +15,6 @@ dockerengine_packages_extra: [] dockerengine_service: docker dockerengine_docker_group_enabled: False -dockerengine_secure_registries: [] -dockerengine_insecure_registries: [] -dockerengine_block_registries: [] # @var dockerengine_registries:description: List of docker registries to auto login # @var dockerengine_registries:example: 
> @@ -30,24 +31,21 @@ dockerengine_registries: [] # @var dockerengine_https_proxy: $ "_unset" # @var dockerengine_no_proxy: $ "_unset_" -# @var dockerengine_storage_pvs: $ "_unset_" -# @var dockerengine_storage_pvs:example: $ "/dev/sda" -dockerengine_storage_vg: vg_docker -dockerengine_storage_lv: lv_docker -dockerengine_storage_size: 100G -dockerengine_base_dir: /var/lib/docker - -dockerengine_cli_options: - - selinux-enabled - - log-driver=journald - - log-level=info - - signature-verification=false - dockerengine_usernamespace_enabled: False dockerengine_nsremap_user: dockremap dockerengine_nsremap_range_start: 231072 dockerengine_nsremap_range_length: 65536 +dockerengine_daemon_config: + - selinux-enabled: False + - log-driver: journald + - log-level: info + - live-restore: True + +dockerengine_daemon_config_extra: [] +# dockerengine_daemon_config_extra: +# - userns-remap: "{{ dockerengine_nsremap_user +':' + dockerengine_nsremap_user }}" + # @var dockerengine_networks:description: List of additional docker networks to create. # @var dockerengine_networks:example: > # dockerengine_networks: diff --git a/tasks/config.yml b/tasks/config.yml index a0fa771..0dd8b5d 100644 --- a/tasks/config.yml +++ b/tasks/config.yml @@ -7,24 +7,6 @@ notify: __docker_restart when: dockerengine_docker_group_enabled | bool - - name: Deploy config files to setup environment - template: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - owner: root - group: root - mode: 0644 - loop: - - src: "etc/sysconfig/docker.j2" - dest: "/etc/sysconfig/{{ dockerengine_service }}" - - src: "etc/sysconfig/docker-storage-setup.j2" - dest: "/etc/sysconfig/{{ dockerengine_service }}-storage-setup" - - src: "etc/containers/registries.conf.j2" - dest: "/etc/containers/registries.conf" - loop_control: - label: "{{ item.dest }}" - notify: __docker_restart - - name: Add namespace group group: name: "{{ dockerengine_nsremap_user }}" 
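Review bot: The new `dockerengine_daemon_config` default switches SELinux labelling off (`- selinux-enabled: False`), whereas the removed `dockerengine_cli_options` list passed `selinux-enabled`, so hosts upgraded through this role silently lose the container-to-host MAC separation they had before. Unless that is intended, keep `- selinux-enabled: True` as the default and add a comment such as `# requires container-selinux (pulled in by docker-ce on EL); set False only on hosts without SELinux` so the trade-off is visible to operators. The list-of-single-key-mappings shape also relies on `combine` in tasks/config.yml flattening lists, which only recent Ansible releases do; a plain mapping would be less fragile, but that is a style choice.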
@@ -54,6 +36,33 @@ - /etc/subuid - /etc/subgid + - name: Create required directories + loop: + - name: /etc/systemd/system/docker.service.d + mode: "0755" + - name: /etc/docker + mode: "0755" + loop_control: + label: "{{ item.name }}" + file: + path: "{{ item.name }}" + state: directory + mode: "{{ item.mode }}" + + - name: Write service override.conf + template: + src: etc/systemd/system/docker.service.d/override.conf.j2 + dest: /etc/systemd/system/docker.service.d/override.conf + mode: 0644 + notify: __docker_restart + + - name: Deploy daemon config + copy: + content: "{{ (dockerengine_daemon_config | combine(dockerengine_daemon_config_extra)) | to_nice_json }}" + dest: /etc/docker/daemon.json + mode: 0600 + notify: __docker_restart + - name: Ensure docker engine is up and running service: name: "{{ dockerengine_service }}" diff --git a/tasks/install.yml b/tasks/install.yml index 641f4bc..754e720 100644 --- a/tasks/install.yml +++ b/tasks/install.yml @@ -1,5 +1,15 @@ --- - block: + - name: Add Docker CE repository + yum_repository: + name: "docker-ce" + file: "Docker-CE" + description: "Docker CE Stable" + baseurl: "https://download.docker.com/linux/centos/{{ ansible_distribution_major_version }}/{{ ansible_architecture }}/stable" + gpgcheck: yes + enabled: yes + gpgkey: "https://download.docker.com/linux/rhel/gpg" + - name: Install dependencies package: name: "{{ item }}" @@ -20,6 +30,14 @@ group: root mode: 0755 + - name: Ensure to remove old docker packages + package: + name: + - docker + - docker-common + - docker-engine + state: absent + - name: Install packages package: name: "{{ item }}" diff --git a/templates/etc/containers/registries.conf.j2 b/templates/etc/containers/registries.conf.j2 deleted file mode 100644 index 7797e29..0000000 --- a/templates/etc/containers/registries.conf.j2 +++ /dev/null 
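Review bot: Nothing in this diff renders `templates/etc/sysconfig/docker.j2` any more: the task that deployed it was removed in the previous hunk and the tasks added here write only override.conf and daemon.json, so the `$OPTIONS` (userns-remap) and proxy settings the drop-in reads via `EnvironmentFile=-/etc/sysconfig/docker` are never written, and the `-` prefix makes systemd ignore the missing file without any error. Unless a task outside this diff still deploys it, a template task belongs after `Write service override.conf`; because proxy URLs can carry credentials, the file should be `0600` like daemon.json rather than the former `0644`. The `__docker_restart` handler is outside this diff; if it does not set `daemon_reload: yes`, the new drop-in will not take effect on the run that creates it. The enclosing block starts before this hunk.
```yaml
  - name: Write service override.conf
  # … unchanged: override.conf template task …

  - name: Deploy daemon environment file
    template:
      src: etc/sysconfig/docker.j2
      dest: /etc/sysconfig/docker
      owner: root
      group: root
      mode: 0600
    notify: __docker_restart

  # … unchanged: Deploy daemon config …
```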
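Review bot: The `Ensure to remove old docker packages` task in tasks/install.yml lists only `docker`, `docker-common` and `docker-engine`, so the other legacy packages from the same pre-CE distribution set (`docker-client`, `docker-client-latest`, `docker-latest`, `docker-latest-logrotate`, `docker-logrotate`) would stay installed and can conflict with `docker-ce-cli` or keep their own logrotate job active. Extending the `name:` list with those entries makes the migration clean, and the task reads better as `Remove legacy docker packages`. It is also worth a comment that this removal stops an already running legacy daemon on the first run, since the surrounding block starts outside this diff and a caller may not expect downtime.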
@@ -1,27 +0,0 @@
-{{ ansible_managed | comment }}
-# This is a system-wide configuration file used to
-# keep track of registries for various container backends.
-# It adheres to TOML format and does not support recursive
-# lists of registries.
-
-# The default location for this configuration file is /etc/containers/registries.conf.
-
-# The only valid categories are: 'registries.search', 'registries.insecure',
-# and 'registries.block'.
-
-[registries.search]
-#registries = ['registry.access.redhat.com']
-registries = [{{ dockerengine_secure_registries | xoxys.general.wrap | join(',') }}]
-
-# If you need to access insecure registries, add the registry's fully-qualified name.
-# An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
-[registries.insecure]
-registries = [{{ dockerengine_insecure_registries | xoxys.general.wrap | join(',') }}]
-
-
-# If you need to block pull access from a registry, uncomment the section below
-# and add the registries fully-qualified name.
-#
-# Docker only
-[registries.block]
-registries = [{{ dockerengine_block_registries | xoxys.general.wrap | join(',') }}]
diff --git a/templates/etc/sysconfig/docker-storage-setup.j2 b/templates/etc/sysconfig/docker-storage-setup.j2
deleted file mode 100644
index f6042ff..0000000
--- a/templates/etc/sysconfig/docker-storage-setup.j2
+++ /dev/null
@@ -1,10 +0,0 @@
-#jinja2: lstrip_blocks: True
-{{ ansible_managed | comment }}
-STORAGE_DRIVER=overlay2
-{% if dockerengine_storage_pvs is defined %}
-DEVS={{ dockerengine_storage_pvs }}
-CONTAINER_ROOT_LV_NAME={{ dockerengine_storage_lv }}
-CONTAINER_ROOT_LV_SIZE={{ dockerengine_storage_size }}
-CONTAINER_ROOT_LV_MOUNT_PATH={{ dockerengine_base_dir }}
-VG={{ dockerengine_storage_vg }}
-{% endif %}
diff --git a/templates/etc/sysconfig/docker.j2 b/templates/etc/sysconfig/docker.j2
index 9439851..882e0bb 100644
--- a/templates/etc/sysconfig/docker.j2
+++ b/templates/etc/sysconfig/docker.j2
@@ -1,33 +1,5 @@
 {{ ansible_managed | comment }}
-# Modify these options if you want to change the way the docker daemon runs
-OPTIONS='{{ dockerengine_cli_options | xoxys.general.prefix | join(' ') }}{{ ' --userns-remap='+dockerengine_nsremap_user+':'+dockerengine_nsremap_user if dockerengine_usernamespace_enabled | bool else '' }}'
-if [ -z "${DOCKER_CERT_PATH}" ]; then
- DOCKER_CERT_PATH=/etc/docker
-fi
-
-# Do not add registries in this file anymore. Use /etc/containers/registries.conf
-# from the atomic-registries package.
-#
-
-# On an SELinux system, if you remove the --selinux-enabled option, you
-# also need to turn on the docker_transition_unconfined boolean.
-# setsebool -P docker_transition_unconfined 1
-
-# Location used for temporary files, such as those created by
-# docker load and build operations. Default is /var/lib/docker/tmp
-# Can be overriden by setting the following environment variable.
-# DOCKER_TMPDIR=/var/tmp
-
-# Controls the /etc/cron.daily/docker-logrotate cron job status.
-# To disable, uncomment the line below.
-# LOGROTATE=false
-
-# docker-latest daemon can be used by starting the docker-latest unitfile.
-# To use docker-latest client, uncomment below lines
-#DOCKERBINARY=/usr/bin/docker-latest
-#DOCKERDBINARY=/usr/bin/dockerd-latest
-#DOCKER_CONTAINERD_BINARY=/usr/bin/docker-containerd-latest
-#DOCKER_CONTAINERD_SHIM_BINARY=/usr/bin/docker-containerd-shim-latest
+OPTIONS='{{' --userns-remap=' + dockerengine_nsremap_user + ':' + dockerengine_nsremap_user if dockerengine_usernamespace_enabled | bool else '' }}'
 
 # Proxy settings
 {% if dockerengine_http_proxy is defined %}
diff --git a/templates/etc/systemd/system/docker.service.d/override.conf.j2 b/templates/etc/systemd/system/docker.service.d/override.conf.j2
new file mode 100644
index 0000000..0a37281
--- /dev/null
+++ b/templates/etc/systemd/system/docker.service.d/override.conf.j2
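Review bot: The rewritten `OPTIONS=` line still passes `--userns-remap=<user>:<user>` as a daemon flag when `dockerengine_usernamespace_enabled` is true, while defaults/main.yml in this same commit suggests adding `userns-remap` through `dockerengine_daemon_config_extra`; dockerd refuses to start when the same directive is given both as a flag and in daemon.json, so an operator following both hints ends up with a service that will not come up. Keeping one source of truth is safer: drop the flag from `OPTIONS` and let tasks/config.yml add it conditionally, e.g. `| combine({'userns-remap': dockerengine_nsremap_user ~ ':' ~ dockerengine_nsremap_user} if dockerengine_usernamespace_enabled | bool else {})` before `to_nice_json`, and remove the commented example from defaults. The Jinja conditional inside the single-quoted value is also hard to read; a short comment above it naming which variable toggles it would help. The template continues past this hunk.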
@@ -0,0 +1,6 @@
+[Service]
+EnvironmentFile=-/etc/sysconfig/docker
+ExecStart=
+ExecStart=/usr/bin/dockerd -H fd:// \
+ --containerd=/run/containerd/containerd.sock \
+ $OPTIONS
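Review bot: `EnvironmentFile=-/etc/sysconfig/docker` hardcodes the service name while the rest of the role parametrises it as `dockerengine_service`, and the leading `-` lets systemd start `dockerd` with an empty `$OPTIONS` whenever that file is missing, so a userns-remap or proxy setting that silently failed to deploy would go unnoticed. Since the role owns both files, `EnvironmentFile=/etc/sysconfig/{{ dockerengine_service }}` (without the `-`) would fail loudly instead, assuming the task that renders the file uses the same path. The other templates in this role start with `{{ ansible_managed | comment }}`; this new drop-in does not, so whoever reads it on the host cannot tell it is generated.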