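---
# Role tasks: install Docker CE from the upstream apt repository, reserve a
# subordinate uid/gid range for the dockremap user, switch the daemon to socket
# activation and wire in the docker-no-trivial-root authorization plugin.
# Booleans are written as true/false throughout (yamllint `truthy`).

- name: Install dependencies for apt key import
  apt:
    name: "{{ apt_key_deps }}"
  vars:
    apt_key_deps:
      - ca-certificates
      - curl
      - gpg
      - gnupg-agent
      - software-properties-common
  become: true

# The key is pinned by its full fingerprint so a substituted key at the URL is
# rejected. NOTE(review): apt_key relies on apt-key, which newer Ubuntu releases
# deprecate; a signed-by keyring may be needed there — confirm on the targets.
- name: Add docker apt key
  apt_key:
    url: https://download.docker.com/linux/ubuntu/gpg
    id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
    state: present
  become: true

# NOTE(review): the architecture is hard-coded to amd64 here while the plugin
# tasks below use ansible_architecture; non-amd64 hosts get a wrong repo line.
- name: Add docker repo
  apt_repository:
    repo: "deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
    update_cache: true
  become: true

- name: Install Docker CE and containerd
  apt:
    name: "{{ pkgs }}"
  environment:
    # Environment values are strings; quoted so no parser turns it into an int.
    RUNLEVEL: "1"
  vars:
    pkgs:
      - docker-ce
      - docker-ce-cli
      - containerd.io
  become: true

# Appends a dockremap entry starting 65536 above the highest existing range
# start, unless a dockremap line is already present. Written as one literal
# block with the file operands on the closing line, so no shell line
# continuation is needed: a backslash followed by trailing whitespace silently
# ends the continuation and splits the command in two.
- name: Add subuid/subgid ranges for dockremap
  shell: |
    awk -F: 'BEGIN { max=0; found=0 }
             { if ($1=="dockremap") found=1; if ($2>max) max=$2 }
             END { if (!found) print "dockremap:"max+65536":65536" }' "/etc/{{ item }}" >> "/etc/{{ item }}"
  with_items:
    - subuid
    - subgid
  become: true

# Whatever is under the role's files/ tree lands at the same path under /.
- name: Copy static files
  copy:
    src: files/
    dest: /
  become: true

- name: Disable automatic docker startup
  systemd:
    name: "{{ item }}"
    enabled: false
  with_items:
    - docker.service
    - containerd.service
  become: true

- name: Enable docker socket activation
  systemd:
    name: docker.socket
    enabled: true
  become: true

# Enable no-trivial-root authorization plugin.
# NOTE(review): the release tarball is fetched without an integrity check, yet
# its binary is installed into /usr/sbin and made a dockerd authorization
# plugin. Fetching it with get_url and a pinned checksum (sha256 from the
# release page) before unarchiving would close that gap.
- name: Download docker-no-trivial-root release archive
  unarchive:
    src: "https://github.com/ad-freiburg/docker-no-trivial-root/releases/download/v0.1.0/docker-no-trivial-root_{{ ansible_architecture }}.tar.bz2"
    dest: "/tmp"
    remote_src: true

- name: Install docker-no-trivial-root binary
  copy:
    src: "/tmp/docker-no-trivial-root_{{ ansible_architecture }}/docker-no-trivial-root"
    dest: "/usr/sbin/docker-no-trivial-root"
    # Quoted: an unquoted 0755 is read as an octal int by YAML 1.1 parsers
    # and as decimal 755 by YAML 1.2 parsers.
    mode: "0755"
    remote_src: true
  become: true

- name: Install docker-no-trivial-root systemd unit
  copy:
    src: "/tmp/docker-no-trivial-root_{{ ansible_architecture }}/systemd/docker-no-trivial-root.service"
    dest: "/etc/systemd/system/docker-no-trivial-root.service"
    remote_src: true
  become: true

- name: Enable docker-no-trivial-root service
  systemd:
    name: docker-no-trivial-root
    enabled: true
  become: true

# The packaged unit is copied to /etc so the ExecStart line can be edited in
# place. NOTE(review): this shadows the package's unit for all future upgrades;
# a drop-in under /etc/systemd/system/docker.service.d/ would not — consider it.
- name: Copy docker.service unit to /etc for local modification
  copy:
    src: /lib/systemd/system/docker.service
    dest: /etc/systemd/system/docker.service
    remote_src: true
  become: true

- name: Enable plugin via command line
  lineinfile:
    path: /etc/systemd/system/docker.service
    regexp: '^(ExecStart=.*dockerd) (.*)$'
    line: '\1 --authorization-plugin=no-trivial-root \2'
    backrefs: true
  become: true

# systemd keeps the unit definition it last loaded; without a reload the
# edited docker.service (and the newly copied unit) only take effect after a
# reboot, so the plugin would not be enforced on the next socket-activated start.
- name: Reload systemd so the modified units take effect
  systemd:
    daemon_reload: true
  become: true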