diff --git a/group_vars/k8s b/group_vars/k8s
index b02bb36..536ef64 100644
--- a/group_vars/k8s
+++ b/group_vars/k8s
@@ -11,5 +11,5 @@ harden_linux_ufw_rules:
 - rule: "allow"
 to_port: "7000"
 protocol: "udp"
-docker_version: "17.03.2-ce"
+docker_version: 18.06.*
diff --git a/k8s.yml b/k8s.yml
index 0f52e1e..82e2a6c 100644
--- a/k8s.yml
+++ b/k8s.yml
@@ -3,6 +3,8 @@ roles:
 - role: proxy
 tags: proxy
+ - role: docker
+ tags: docker
 #- hosts: localhost
 # become: yes
 # gather_facts: no
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
new file mode 100644
index 0000000..807a3c9
--- /dev/null
+++ b/roles/docker/defaults/main.yml
@@ -0,0 +1,7 @@
+docker_apt_key: https://download.docker.com/linux/ubuntu/gpg
+docker_apt_repository: https://download.docker.com/linux/ubuntu
+# Choose 'edge' 'stable' or 'testing' for docker channel
+docker_apt_channel: stable
+# Docker daemon config file
+docker_daemon_config: /etc/docker/daemon.json
+docker_version: 17.03.*
diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml
new file mode 100644
index 0000000..27417b0
--- /dev/null
+++ b/roles/docker/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: reload systemd
+ command: systemctl daemon-reload
+
+- name: restart docker
+ systemd:
+ name: docker
+ state: restarted
+
+
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
new file mode 100644
index 0000000..b685df2
--- /dev/null
+++ b/roles/docker/tasks/main.yml
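Review bot: `docker_apt_key` is only a download URL, and nothing in these defaults lets the role verify which signing key it actually received, so a compromised mirror or TLS interception between the host and download.docker.com would get its own key trusted for every subsequent docker-ce install; add a pinned fingerprint such as `docker_apt_key_id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88` (Docker's documented key, verify against docs.docker.com) and pass it as `id:` wherever the key is imported. `docker_version: 17.03.*` parses as a string, but it is an apt version glob rather than a version, so the build actually installed varies by host and by day; quote it as `docker_version: "17.03.*"` and add a comment such as `# apt version glob, passed verbatim to docker-ce=<ver> and to the apt Pin: version line`, or pin the exact package version shown by `apt-cache madison docker-ce` when reproducible nodes matter. The `docker_apt_channel` comment also lists the channels in a non-standard order; `stable`, `test`, `edge` would match Docker's naming.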
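Review bot: The `reload systemd` handler shells out with `command: systemctl daemon-reload`, which reports changed on every run and bypasses the `systemd` module the file already uses two lines down; `systemd: daemon_reload: yes` does the same thing idempotently. The `restart docker` handler bounces every container on the host, which on a live Kubernetes node is a disruptive action triggered by any edit to the unit file or daemon.json, so it deserves a comment such as `# restarts all running containers; drain the node before changing daemon config`. The file also ends with two extra blank lines.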
@@ -0,0 +1,93 @@
+---
+- name: Docker installation for Ubuntu distribution
+ block:
+
+ - name: Ensure docker packages are not present
+ apt:
+ state: absent
+ name: ['docker', 'docker-engine', 'docker.io']
+ - name: Install docker package dependencies
+ apt:
+ state: latest
+ name: ['apt-transport-https', 'ca-certificates', 'curl', 'software-properties-common']
+ update_cache: yes
+ cache_valid_time: 86400
+ register: result
+ retries: 3
+ until: result is success
+ - name: Adding Docker official gpg key
+ apt_key:
+ url: "{{ docker_apt_key }}"
+ state: present
+ - name: Setting Docker repository depending on arch
+ set_fact:
+ docker_repository: "deb [arch={{ item.apt_arch }}] {{ docker_apt_repository }} {{ ansible_distribution_release }} {{ docker_apt_channel }}"
+ when: ansible_architecture == item.system_arch
+ with_items:
+ - { system_arch: 'x86_64', apt_arch: 'amd64' }
+ - { system_arch: 'arm', apt_arch: 'armhf' }
+ - name: Printing Docker repository
+ debug:
+ var: docker_repository
+ - name: Adding Docker repository
+ apt_repository:
+ repo: "{{ docker_repository }}"
+ state: present
+ filename: 'docker'
+
+ # TODO fix this - fails when ip route is using tun0 in scaleway
+ - name: Explictly create docker0
+ shell: |
+ ip link add name docker0 type bridge || true
+ ip addr add dev docker0 172.17.0.1/16 || true
+
+ - name: Install docker-ce
+ apt:
+ name: docker-ce={{ docker_version }}
+ update_cache: yes
+ register: result
+ retries: 3
+ until: result is success
+
+ - name: Pin docker-ce release
+ copy:
+ dest: /etc/apt/preferences.d/docker-ce
+ content: |
+ Package: docker-ce
+ Pin: version {{ docker_version }}
+ Pin-Priority: 1002
+
+ - name: Fixing systemd unit for Docker config file
+ template:
+ src: docker.service.j2
+ dest: /lib/systemd/system/docker.service
+ notify: reload systemd
+
+ - name: Create docker config directory
+ file:
+ path: /etc/docker
+ mode: 0700
+ recurse: yes
+
+ - name: Templating /etc/docker/daemon.json
+ template:
+ src: daemon.json.j2
+ dest: /etc/docker/daemon.json
+ notify: restart docker
+
+ - name: Flushing handlers 2
+ meta: flush_handlers
+
+ - name: Getting Docker version
+ shell: "docker --version"
+ register: docker_version
+
+ - name: Printing Docker version
+ debug: var=docker_version
+
+ when: ansible_distribution == "Ubuntu"
diff --git a/roles/docker/templates/daemon.json.j2 b/roles/docker/templates/daemon.json.j2
new file mode 100644
index 0000000..252f473
--- /dev/null
+++ b/roles/docker/templates/daemon.json.j2
@@ -0,0 +1,3 @@
+{
+ "experimental": true
+}
diff --git a/roles/docker/templates/docker.service.j2 b/roles/docker/templates/docker.service.j2
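Review bot: `register: docker_version` on the `Getting Docker version` task overwrites the very variable the role just used for `docker-ce={{ docker_version }}` and for the apt `Pin: version` line, and a registered variable outranks group_vars and role defaults, so any later task or role on the same host that reads `docker_version` gets the command result dict instead of the version glob; register it as `docker_version_output` instead. `Adding Docker official gpg key` imports whatever key the URL serves with no fingerprint check, so a substituted key would be trusted silently; pass Docker's published key via `id:` so the module rejects anything else. `Create docker config directory` sets `recurse: yes` without `state: directory`, which the file module does not accept (recurse is only valid for directories) and would in any case chmod daemon.json along with the directory, so use `state: directory` with a quoted `mode: "0700"` and drop `recurse`. `Fixing systemd unit` overwrites the package-owned `/lib/systemd/system/docker.service`, which the next docker-ce upgrade will clobber; installing the template to `/etc/systemd/system/docker.service` takes precedence and survives upgrades. Separately, `Pin-Priority: 1002` tells apt to downgrade docker-ce on hosts already running a newer build, which is presumably unintended and worth a comment if it is.
```yaml
  - name: Adding Docker official gpg key
    apt_key:
      url: "{{ docker_apt_key }}"
      # reject any key whose fingerprint differs from Docker's published one
      id: "{{ docker_apt_key_id | default('9DC858229FC7DD38854AE2D88D81803C0EBFCD88') }}"
      state: present
  # … unchanged: repository setup, docker0 bridge, docker-ce install and pin …
  - name: Fixing systemd unit for Docker config file
    template:
      src: docker.service.j2
      # /etc overrides /lib and is not touched by package upgrades
      dest: /etc/systemd/system/docker.service
    notify: reload systemd

  - name: Create docker config directory
    file:
      path: /etc/docker
      state: directory
      mode: "0700"
  # … unchanged: daemon.json template, flush_handlers …
  - name: Getting Docker version
    command: docker --version
    register: docker_version_output
    changed_when: false

  - name: Printing Docker version
    debug:
      var: docker_version_output.stdout
```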
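Review bot: `"experimental": true` turns on unstable daemon features on every node the role touches with no way to opt out, which widens the daemon's attack surface for no reason the commit states; drive it from a role variable that defaults to off, `"experimental": {{ docker_experimental | default(false) | to_json }}`, and enable it only for the group that needs it. Since the unit template passes `--config-file`, this file is also where daemon-wide settings such as `"iptables"` and `"ip-masq"` belong if the role intends to disable them, rather than environment variables the daemon never reads.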
@@ -0,0 +1,37 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=https://docs.docker.com
+After=network-online.target docker.socket firewalld.service
+Wants=network-online.target
+Requires=docker.socket
+
+[Service]
+Type=notify
+# the default is not to use systemd for cgroups because the delegate issues still
+# exists and systemd currently does not support the cgroup feature set required
+# for containers run by docker
+ExecStart=/usr/bin/dockerd --config-file {{ docker_daemon_config }} -H fd://
+ExecReload=/bin/kill -s HUP $MAINPID
+LimitNOFILE=1048576
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNPROC=infinity
+LimitCORE=infinity
+# Uncomment TasksMax if your systemd version supports it.
+# Only systemd 226 and above support this version.
+TasksMax=infinity
+TimeoutStartSec=0
+# set delegate yes so that systemd does not reset the cgroups of docker containers
+Delegate=yes
+# kill only the docker process, not all processes in the cgroup
+KillMode=process
+# restart the docker process if it exits prematurely
+Restart=on-failure
+StartLimitBurst=3
+StartLimitInterval=60s
+Environment="NO_PROXY=https://cp-par1.scaleway.com,https://cp-ams1.scaleway.com,https://account.scaleway.com,http://169.254.42.42,192.168.66.0/24"
+Environment="DOCKER_OPTS=--iptables=false --ip-masq=false"
+
+[Install]
+WantedBy=multi-user.target
+
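Review bot: `Environment="DOCKER_OPTS=--iptables=false --ip-masq=false"` is dead configuration: the `ExecStart` line never expands `$DOCKER_OPTS`, so dockerd keeps installing its own iptables rules, and on a host that otherwise relies on ufw (this repo's `harden_linux_ufw_rules`) that means published container ports are reachable regardless of the ufw policy. Either append the variable to the command, `ExecStart=/usr/bin/dockerd --config-file {{ docker_daemon_config }} -H fd:// $DOCKER_OPTS`, or better put `"iptables": false` and `"ip-masq": false` in the daemon.json the unit already points at and delete the line. The `NO_PROXY` line does nothing without an `HTTP_PROXY`/`HTTPS_PROXY` in the same unit, and its entries carry URL schemes, which Go's no-proxy matcher compares against bare host names, so they would likely never match even then; the entries should be `cp-par1.scaleway.com,cp-ams1.scaleway.com,account.scaleway.com,169.254.42.42,192.168.66.0/24`. The `# Uncomment TasksMax` comment is stale, since `TasksMax=infinity` is already active two lines below it.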