From 1f535e980fc149cf4543cebbbad8cab35b7a9967 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Thu, 19 Sep 2019 17:21:15 -0500
Subject: [PATCH] roles/docker: Install and set up Docker daemon

The *docker* role configures the Docker daemon on the managed machine.
---
docker.yml | 3 +
hosts | 2 +
roles/docker/defaults/main.yml | 6 +
roles/docker/files/generate-docker-key.sh | 20 ++++
.../docker/files/protect-system.systemd.conf | 4 +
roles/docker/files/reset-docker-storage.sh | 16 +++
roles/docker/handlers/main.yml | 11 ++
roles/docker/tasks/main.yml | 105 ++++++++++++++++++
roles/docker/templates/daemon.json.j2 | 16 +++
.../templates/docker-latest.sysconfig.j2 | 34 ++++++
.../docker/templates/docker-storage-setup.j2 | 14 +++
roles/docker/templates/docker.sysconfig.j2 | 18 +++
roles/docker/templates/http-proxy.conf.j2 | 12 ++
roles/docker/vars/docker-latest.yml | 2 +
roles/docker/vars/docker.yml | 2 +
roles/docker/vars/main.yml | 2 +
16 files changed, 267 insertions(+)
create mode 100644 docker.yml
create mode 100644 roles/docker/defaults/main.yml
create mode 100644 roles/docker/files/generate-docker-key.sh
create mode 100644 roles/docker/files/protect-system.systemd.conf
create mode 100644 roles/docker/files/reset-docker-storage.sh
create mode 100644 roles/docker/handlers/main.yml
create mode 100644 roles/docker/tasks/main.yml
create mode 100644 roles/docker/templates/daemon.json.j2
create mode 100644 roles/docker/templates/docker-latest.sysconfig.j2
create mode 100644 roles/docker/templates/docker-storage-setup.j2
create mode 100644 roles/docker/templates/docker.sysconfig.j2
create mode 100644 roles/docker/templates/http-proxy.conf.j2
create mode 100644 roles/docker/vars/docker-latest.yml
create mode 100644 roles/docker/vars/docker.yml
create mode 100644 roles/docker/vars/main.yml
diff --git a/docker.yml b/docker.yml
new file mode 100644
index 0000000..b86afbf
--- /dev/null
+++ b/docker.yml
@@ -0,0 +1,3 @@
+- hosts: docker
+ roles:
+ - docker
diff --git a/hosts b/hosts
index 6ab23e4..638da41 100644
--- a/hosts
+++ b/hosts
@@ -26,6 +26,8 @@ vm-hosts [dhcpd:children] pyrocufflink-dhcp
+[docker]
+
 [file-servers] file0.pyrocufflink.blue
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
new file mode 100644
index 0000000..afe7c3e
--- /dev/null
+++ b/roles/docker/defaults/main.yml
@@ -0,0 +1,6 @@
+docker_pkg: docker
+docker_allow_unprivileged: false
+docker_log_level: info
+docker_enable_tls: false
+docker_allow_outside: false
+docker_listen_port: 2376
diff --git a/roles/docker/files/generate-docker-key.sh b/roles/docker/files/generate-docker-key.sh
new file mode 100644
index 0000000..1418834
--- /dev/null
+++ b/roles/docker/files/generate-docker-key.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+set -ex
+
+: ${DOCKER_SVC:=${1:-docker}}
+
+dropin=/etc/systemd/system/${DOCKER_SVC}.service.d/protect-system.conf
+
+systemctl stop ${DOCKER_SVC}
+if [ -f ${dropin} ]; then
+ mv ${dropin} ${dropin}.disabled
+ systemctl daemon-reload
+fi
+systemctl start ${DOCKER_SVC}
+test -f /etc/docker/key.json
+systemctl stop ${DOCKER_SVC}
+if [ -f ${dropin}.disabled ]; then
+ mv ${dropin}.disabled ${dropin}
+ systemctl daemon-reload
+fi
diff --git a/roles/docker/files/protect-system.systemd.conf b/roles/docker/files/protect-system.systemd.conf
new file mode 100644
index 0000000..f2cae41
--- /dev/null
+++ b/roles/docker/files/protect-system.systemd.conf
@@ -0,0 +1,4 @@
+[Service]
+ReadOnlyDirectories=/
+ReadWriteDirectories=/var /run /proc /sys/fs/cgroup /dev/pts
+PrivateTmp=true
diff --git a/roles/docker/files/reset-docker-storage.sh b/roles/docker/files/reset-docker-storage.sh
new file mode 100644
index 0000000..b6a107b
--- /dev/null
+++ b/roles/docker/files/reset-docker-storage.sh
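Review bot: `docker_allow_outside` only takes effect together with `docker_enable_tls`, because daemon.json.j2 emits the `tcp://[::]:…` listener inside its `{% if docker_enable_tls %}` block, while the firewalld task in tasks/main.yml opens `docker_listen_port` on `docker_allow_outside` alone; the defaults file should say so. Suggested comments: `docker_enable_tls: false  # required for any TCP listener; mutual TLS (tlsverify) is enforced when set` and `docker_allow_outside: false  # opens docker_listen_port in firewalld; the daemon only listens on TCP when docker_enable_tls is also true`. An alternative is to template the firewalld state on `docker_allow_outside and docker_enable_tls` so the port is never opened without a listener behind it.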
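Review bot: If `systemctl start` or `test -f /etc/docker/key.json` fails, `set -e` aborts the script after the drop-in has been renamed to `protect-system.conf.disabled`, so the restore block at the end never runs and the daemon is left without the read-only protection (and possibly running). Moving the restore into a function registered with `trap … EXIT` makes the cleanup unconditional; the trailing `if [ -f ${dropin}.disabled ]` block then goes away. The task that installs this drop-in in tasks/main.yml is currently commented out, so this only bites once that task is re-enabled. Quoting `${dropin}` in the `[ -f … ]` tests and `mv` calls would also match the quoted variables in reset-docker-storage.sh.
```shell
dropin=/etc/systemd/system/${DOCKER_SVC}.service.d/protect-system.conf

# Put the drop-in back and reload units however the script exits.
restore_dropin() {
    if [ -f "${dropin}.disabled" ]; then
        mv "${dropin}.disabled" "${dropin}"
        systemctl daemon-reload
    fi
}
trap restore_dropin EXIT

# … unchanged: stop daemon, move drop-in aside, start, test -f key.json, stop …
```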
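Review bot: `ReadOnlyDirectories=` and `ReadWriteDirectories=` are the pre-v231 spellings; systemd has used `ReadOnlyPaths=`/`ReadWritePaths=` as the canonical names since then and keeps the old ones only as aliases, so the drop-in should read `ReadOnlyPaths=/` and `ReadWritePaths=/var /run /proc /sys/fs/cgroup /dev/pts` (the hosts targeted here may still accept the old names; worth confirming against the installed systemd). With `/` read-only the daemon cannot write `/etc/docker/key.json`, which appears to be why generate-docker-key.sh moves this file aside; a comment at the top of the drop-in recording that dependency would save the next reader the detour. The task that installs this file in tasks/main.yml is commented out, so the unit is not actually hardened by this commit.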
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+: ${DOCKER_SVC:=${1:-docker}}
+
+
+systemctl stop ${DOCKER_SVC} ${DOCKER_SVC}-storage-setup
+
+docker_pool=$(/sbin/lvm lvs | awk '$1=="docker-pool"{printf "%s/%s\n",$2,$1}')
+if [ -n "${docker_pool}" ]; then
+ /sbin/lvm lvchange -an "${docker_pool}"
+ /sbin/lvm lvremove "${docker_pool}"
+fi
+
+rm -f /etc/sysconfig/${DOCKER_SVC}-storage
+
+find /var/lib/docker -mindepth 1 -delete
diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml
new file mode 100644
index 0000000..be0f7cb
--- /dev/null
+++ b/roles/docker/handlers/main.yml
@@ -0,0 +1,11 @@
+- name: reload systemd
+ command: systemctl daemon-reload
+- name: reset docker storage
+ script:
+ reset-docker-storage.sh {{ docker_service }}
+- name: restart docker
+ service:
+ name={{ docker_service }}
+ state=restarted
+- name: save firewalld configuration
+ command: firewall-cmd --runtime-to-permanent
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
new file mode 100644
index 0000000..5ed2a42
--- /dev/null
+++ b/roles/docker/tasks/main.yml
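Review bot: The script has no `set -e`, so when `lvchange` or `lvremove` fails the run still continues into `rm -f /etc/sysconfig/${DOCKER_SVC}-storage` and `find /var/lib/docker -mindepth 1 -delete`, destroying the image and volume data while the thin pool it was meant to replace is still in place. Adding `set -e` after the shebang (the sibling generate-docker-key.sh already uses `set -ex`) makes the deletion conditional on the LVM steps succeeding. `lvremove` is also run without `-f`, so it may stop at a confirmation prompt that has nowhere to go under Ansible's script module; `lvremove -f "${docker_pool}"` would make it non-interactive — worth verifying against the LVM version on the targets.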
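Review bot: The `reset docker storage` handler is notified by the `ensure docker storage is configured` template task in tasks/main.yml, so any later edit to `docker_storage_devs`, `docker_storage_vg` or `docker_storage_data_size` re-runs reset-docker-storage.sh, which removes the docker-pool logical volume and deletes everything under /var/lib/docker. That is fine for first-time setup but is unrecoverable data loss on a host that already holds images, containers and volumes; gating the handler on an explicit opt-in such as `when: docker_reset_storage|d(false)|bool`, or at least a comment above the handler spelling out the consequence, would make it visible to whoever changes those variables. The `reload systemd` handler could also use the `systemd` module (`systemd: daemon_reload=yes`) instead of shelling out to `systemctl`.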
@@ -0,0 +1,105 @@
+- name: load configuration variables
+ include_vars: '{{ docker_pkg }}.yml'
+- name: ensure docker is installed
+ package:
+ name={{ docker_pkg }}
+ state=present
+
+- name: ensure docker group exists
+ group:
+ name=docker
+ system=yes
+ state=present
+ when: docker_allow_unprivileged|d|bool
+
+- name: ensure docker storage is configured
+ template:
+ src=docker-storage-setup.j2
+ dest=/etc/sysconfig/{{ docker_storage_setup }}
+ mode=0644
+ notify: reset docker storage
+- name: ensure docker is configured
+ template:
+ src={{ docker_service }}.sysconfig.j2
+ dest=/etc/sysconfig/{{ docker_service }}
+ notify: restart docker
+
+- name: ensure ip forwarding is enabled
+ sysctl:
+ name=net.ipv4.ip_forward
+ value=1
+ sysctl_file=/etc/sysctl.d/70-ip_forward.conf
+
+- name: ensure docker daemon is configured
+ template:
+ src: daemon.json.j2
+ dest: /etc/docker/daemon.json
+ mode: '0644'
+ notify: restart docker
+
+- name: ensure docker server certificate is installed
+ copy:
+ src: '{{ item }}'
+ dest: /etc/pki/tls/certs/docker.cer
+ mode: '0644'
+ with_fileglob:
+ - certs/docker/{{ inventory_hostname }}/docker.cer
+- name: ensure docker server private key is installed
+ copy:
+ src: '{{ item }}'
+ dest: /etc/pki/tls/private/docker.key
+ mode: '0400'
+ with_fileglob:
+ - certs/docker/{{ inventory_hostname }}/docker.key
+- name: ensure docker client ca certificate is installed
+ copy:
+ src: '{{ item }}'
+ dest: /etc/pki/tls/certs/docker-ca.crt
+ mode: '0644'
+ with_fileglob:
+ - certs/docker/{{ inventory_hostname }}/docker-ca.crt
+
+- name: ensure docker trust key file exists
+ script:
+ generate-docker-key.sh
+ creates=/etc/docker/key.json
+- name: ensure docker systemd unit extension directory exists
+ file:
+ path=/etc/systemd/system/{{ docker_service }}.service.d
+ mode=0755
+ state=directory
+#- name: ensure system protection is configured for the docker daemon
+# copy:
+# src=protect-system.systemd.conf
+# dest=/etc/systemd/system/{{ docker_service }}.service.d/protect-system.conf
+# mode=0644
+# notify:
+# - reload systemd
+# - restart docker
+- name: ensure docker daemon is configured to use http proxy
+ template:
+ src=http-proxy.conf.j2
+ dest=/etc/systemd/system/{{ docker_service }}.service.d/http-proxy.conf
+ mode=0644
+ notify:
+ - reload systemd
+ - restart docker
+
+- name: ensure firewall is configured for docker
+ firewalld:
+ port: '{{ docker_listen_port }}/tcp'
+ state: '{{ "enabled" if docker_allow_outside else "disabled" }}'
+ permanent: false
+ immediate: true
+ notify: save firewalld configuration
+
+- name: ensure docker starts at boot
+ service:
+ name={{ docker_service }}
+ enabled=yes
+
+- meta: flush_handlers
+- name: ensure docker is running
+ service:
+ name={{ docker_service }}
+ state=started
diff --git a/roles/docker/templates/daemon.json.j2 b/roles/docker/templates/daemon.json.j2
new file mode 100644
index 0000000..b15b5a7
--- /dev/null
+++ b/roles/docker/templates/daemon.json.j2
@@ -0,0 +1,16 @@
+{
+{% if docker_enable_tls %}
+ "tls": true,
+ "tlscert": "/etc/pki/tls/certs/docker.cer",
+ "tlskey": "/etc/pki/tls/private/docker.key",
+ "tlsverify": true,
+ "tlscacert": "/etc/pki/tls/certs/docker-ca.crt",
+ "hosts": [
+{% if docker_allow_outside %}
+ "tcp://[::]:{{ docker_listen_port }}",
+{% endif %}
+ "unix:///var/run/docker.sock"
+ ],
+{% endif %}
+ "log-level": "{{ docker_log_level }}"
+}
diff --git a/roles/docker/templates/docker-latest.sysconfig.j2 b/roles/docker/templates/docker-latest.sysconfig.j2
new file mode 100644
index 0000000..540da8d
--- /dev/null
+++ b/roles/docker/templates/docker-latest.sysconfig.j2
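Review bot: The `ensure docker trust key file exists` task runs `generate-docker-key.sh` without the `{{ docker_service }}` argument that the `reset docker storage` handler passes, so the script falls back to `DOCKER_SVC=docker` and, with `docker_pkg: docker-latest`, stops and starts the wrong unit; change the line to `generate-docker-key.sh {{ docker_service }}` (the `creates=` line stays). The three `with_fileglob` certificate tasks silently do nothing when `certs/docker/{{ inventory_hostname }}/` is absent, yet daemon.json.j2 still points `tlscert`/`tlskey`/`tlscacert` at those paths whenever `docker_enable_tls` is true, so the daemon would fail at startup; a `stat`/`assert` on the three destination files, conditioned on `docker_enable_tls` and placed before `ensure docker daemon is configured`, would surface the gap in the play rather than in the journal.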
@@ -0,0 +1,34 @@
+# /etc/sysconfig/docker-latest
+
+# Modify these options if you want to change the way the docker daemon runs
+OPTIONS='{% if docker_allow_unprivileged|bool %}-G docker {% endif %}--selinux-enabled'
+DOCKER_CERT_PATH=/etc/docker
+
+# If you want to add your own registry to be used for docker search and docker
+# pull use the #ADD_REGISTRY option to list a set of registries, each prepended
+# with --add-registry flag. The first registry added will be the first registry
+# searched.
+#ADD_REGISTRY='--add-registry registry.access.redhat.com'
+
+# If you want to block registries from being used, uncomment the BLOCK_REGISTRY
+# option and give it a set of registries, each prepended with --block-registry
+# flag. For example adding docker.io will stop users from downloading images
+# from docker.io
+# BLOCK_REGISTRY='--block-registry'
+
+# Enable insecure registry communication by appending the registry URL
+# to the INSECURE_REGISTRY variable below and uncommenting it
+# INSECURE_REGISTRY='--insecure-registry '
+
+# On SELinux System, if you remove the --selinux-enabled option, you
+# also need to turn on the docker_transition_unconfined boolean.
+# setsebool -P docker_transition_unconfined
+
+# Location used for temporary files, such as those created by
+# docker load and build operations. Default is /var/lib/docker/tmp
+# Can be overriden by setting the following environment variable.
+# DOCKER_TMPDIR=/var/tmp
+
+# Controls the /etc/cron.daily/docker-logrotate cron job status.
+# To disable, uncomment the line below.
+# LOGROTATE=false
diff --git a/roles/docker/templates/docker-storage-setup.j2 b/roles/docker/templates/docker-storage-setup.j2
new file mode 100644
index 0000000..056206c
--- /dev/null
+++ b/roles/docker/templates/docker-storage-setup.j2
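Review bot: `-G docker` in `OPTIONS` (emitted when `docker_allow_unprivileged` is true) gives every member of the docker group full control of the daemon, which is root-equivalent on the host; the variable name suggests a much weaker privilege than that. A comment beside the flag in defaults/main.yml, e.g. `docker_allow_unprivileged: false  # adds -G docker: docker group members gain root-equivalent control of the host`, keeps that trade-off in front of whoever flips it. The same construct appears in docker.sysconfig.j2.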
@@ -0,0 +1,14 @@
+# Edit this file to override any configuration options specified in
+# /usr/lib/{{ docker_storage_setup }}/{{ docker_storage_setup }}.
+#
+# For more details refer to "man {{ docker_storage_setup }}"
+
+{% if docker_storage_devs is defined %}
+DEVS="{{ docker_storage_devs|join(' ') }}"
+{% endif %}
+{% if docker_storage_vg is defined %}
+VG={{ docker_storage_vg }}
+{% endif %}
+{% if docker_storage_data_size is defined %}
+DATA_SIZE={{ docker_storage_data_size }}
+{% endif %}
diff --git a/roles/docker/templates/docker.sysconfig.j2 b/roles/docker/templates/docker.sysconfig.j2
new file mode 100644
index 0000000..33a3bbc
--- /dev/null
+++ b/roles/docker/templates/docker.sysconfig.j2
@@ -0,0 +1,18 @@
+# /etc/sysconfig/docker
+
+# Modify these options if you want to change the way the docker daemon runs
+OPTIONS='{% if docker_allow_unprivileged|bool %}-G docker {% endif %}--selinux-enabled --log-driver=journald --signature-verification=false'
+if [ -z "${DOCKER_CERT_PATH}" ]; then
+ DOCKER_CERT_PATH=/etc/docker
+fi
+
+# Do not add registries in this file anymore. Use /etc/containers/registries.conf
+# from the atomic-registries package.
+#
+
+# docker-latest daemon can be used by starting the docker-latest unitfile.
+# To use docker-latest client, uncomment below lines
+#DOCKERBINARY=/usr/bin/docker-latest
+#DOCKERDBINARY=/usr/bin/dockerd-latest
+#DOCKER_CONTAINERD_BINARY=/usr/bin/docker-containerd-latest
+#DOCKER_CONTAINERD_SHIM_BINARY=/usr/bin/docker-containerd-shim-latest
diff --git a/roles/docker/templates/http-proxy.conf.j2 b/roles/docker/templates/http-proxy.conf.j2
new file mode 100644
index 0000000..237215c
--- /dev/null
+++ b/roles/docker/templates/http-proxy.conf.j2
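Review bot: `--signature-verification=false` in `OPTIONS` turns off image signature checking for the `docker` package variant, while docker-latest.sysconfig.j2 in this commit does not set it, and nothing in the template says whether that is a deliberate carry-over from the distribution's shipped sysconfig. Either a comment above the `OPTIONS` line giving the reason, or a role variable (say `docker_signature_verification`, defaulting to the current behaviour) that templates the value, would make the setting reviewable instead of buried in a long option string.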
@@ -0,0 +1,12 @@
+{% if http_proxy is defined or http_proxy is defined %}
+[Service]
+{% if http_proxy is defined %}
+Environment=HTTP_PROXY={{ http_proxy }}
+{% endif %}
+{% if https_proxy is defined %}
+Environment=HTTPS_PROXY={{ https_proxy }}
+{% endif %}
+{% if no_proxy is defined %}
+Environment=NO_PROXY={{ no_proxy|join(',') }}
+{% endif %}
+{% endif %}
diff --git a/roles/docker/vars/docker-latest.yml b/roles/docker/vars/docker-latest.yml
new file mode 100644
index 0000000..78b3c8f
--- /dev/null
+++ b/roles/docker/vars/docker-latest.yml
@@ -0,0 +1,2 @@
+docker_storage_setup: docker-latest-storage-setup
+docker_service: docker-latest
diff --git a/roles/docker/vars/docker.yml b/roles/docker/vars/docker.yml
new file mode 100644
index 0000000..b9e4563
--- /dev/null
+++ b/roles/docker/vars/docker.yml
@@ -0,0 +1,2 @@
+docker_storage_setup: docker-storage-setup
+docker_service: docker
diff --git a/roles/docker/vars/main.yml b/roles/docker/vars/main.yml
new file mode 100644
index 0000000..a243090
--- /dev/null
+++ b/roles/docker/vars/main.yml
@@ -0,0 +1,2 @@
+docker_service: docker-latest
+docker_storage_setup: docker-latest-storage-setup
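Review bot: The outer condition on the first line tests `http_proxy` twice — `{% if http_proxy is defined or http_proxy is defined %}` — so a host with only `https_proxy` or `no_proxy` set gets an empty drop-in; it should read `{% if http_proxy is defined or https_proxy is defined or no_proxy is defined %}`. The inner `no_proxy|join(',')` also assumes `no_proxy` is a list while the other two variables are used as plain strings; a one-line comment stating that expectation would keep callers from passing a string and getting it split into characters.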