[docker-*] docker with nvidia support

and no trivial-root plugin

2 files changed, 125 insertions, 0 deletions

diff --git a/docker-ce/files/etc/docker/daemon.json b/docker-ce/files/etc/docker/daemon.json
new file mode 100644
index 0000000..b887738
--- /dev/null
+++ b/docker-ce/files/etc/docker/daemon.json
@@ -0,0 +1,5 @@
+{
+	"data-root": "/tmp/virt/docker",
+	"storage-driver": "overlay2",
+	"userns-remap": "default"
+}
diff --git a/docker-ce/tasks/main.yml b/docker-ce/tasks/main.yml
new file mode 100644
index 0000000..0383f9c
--- /dev/null
+++ b/docker-ce/tasks/main.yml
@@ -0,0 +1,120 @@
+---
+- name: Install dependencies for apt key import
+  apt:
+    name: "{{ apt_key_deps }}"
+  vars:
+    apt_key_deps:
+      - ca-certificates
+      - curl
+      - gpg
+      - gnupg-agent
+      - software-properties-common
+  become: yes
+
+- name: Add docker apt key
+  apt_key:
+    url: https://download.docker.com/linux/ubuntu/gpg
+    id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+    state: present
+  become: yes
+
+- name: Add docker repo
+  apt_repository:
+    repo: "deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
+    update_cache: yes
+  become: yes
+
+- name: Install Docker CE and containerd
+  apt:
+    name: "{{ pkgs }}"
+  environment:
+    RUNLEVEL: 1
+  vars:
+    pkgs:
+      - docker-ce
+      - docker-ce-cli
+      - containerd.io
+  become: yes
+
+- name: Add subuid/subgid ranges for dockremap
+  shell: >
+    awk -F: 'BEGIN {
+               max=0
+               found=0
+             } {
+               if ($1=="dockremap")
+                 found=1
+               if ($2>max)
+                 max=($2)
+             } END {
+               if (!found)
+                 print "dockremap:"max+65536":65536"}' \ 
+             "/etc/{{ item }}" >> "/etc/{{ item }}"
+  with_items:
+    - subuid
+    - subgid
+  become: yes
+
+- name: Copy static files
+  copy:
+    src: files/
+    dest: /
+  become: yes
+
+- name: Disable automatic docker startup
+  systemd:
+    name: "{{ item }}"
+    enabled: no
+  with_items:
+    - docker.service
+    - containerd.service
+  become: yes
+
+- name: Enable docker socket activation 
+  systemd:
+    name: docker.socket
+    enabled: yes
+  become: yes
+
+# Enable no-trivial-root authorization plugin
+- name: install
+  unarchive:
+    src: "https://github.com/ad-freiburg/docker-no-trivial-root/releases/download/v0.1.0/docker-no-trivial-root_{{ ansible_architecture }}.tar.bz2"
+    dest: "/tmp"
+    remote_src: yes
+
+- name: Copy over
+  copy:
+    src: "/tmp/docker-no-trivial-root_{{ ansible_architecture }}/docker-no-trivial-root"
+    dest: "/usr/sbin/docker-no-trivial-root"
+    mode: 0755
+    remote_src: yes
+  become: yes
+
+- name: systemd
+  copy:
+    src: "/tmp/docker-no-trivial-root_{{ ansible_architecture }}/systemd/docker-no-trivial-root.service"
+    dest: "/etc/systemd/system/docker-no-trivial-root.service"
+    remote_src: yes
+  become: yes
+
+- name: Enable service
+  systemd:
+    name: docker-no-trivial-root
+    enabled: yes
+  become: yes
+
+- name: Copy service to
+  copy:
+    src: /lib/systemd/system/docker.service
+    dest: /etc/systemd/system/docker.service
+    remote_src: yes
+  become: yes
+
+- name: Enable plugin via command line
+  lineinfile:
+    path: /etc/systemd/system/docker.service
+    regexp: '^(ExecStart=.*dockerd) (.*)$'
+    line: '\1 --authorization-plugin=no-trivial-root \2'
+    backrefs: yes
+  become: yes