Initial commit of role files and readme.
29
README.md
29
README.md
@@ -1,2 +1,31 @@
|
||||
# ansible-role-docker
|
||||
|
||||
This role installs docker-ce (Docker Community Edition) on a Debian system. (Tested on Stretch and Buster) It also exposes the Docker socket over TCP on port 2376, using X509 TLS certificates to enable / disable access.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
Ensure that the fqdn (hostname -f) of the host is resolvable through dns.
|
||||
|
||||
## Example playbook
|
||||
|
||||
```
|
||||
---
|
||||
- hosts:
|
||||
- hostname
|
||||
roles:
|
||||
- role: docker
|
||||
```
|
||||
|
||||
## Copy TLS certificates
|
||||
|
||||
Copy /root/.docker/<fqdn> to your local home directory.
|
||||
|
||||
## Remotely connect to your docker host
|
||||
|
||||
```
|
||||
echo 'export DOCKER_HOST=tcp://<hostname>:2376
|
||||
export DOCKER_CERT_PATH=~/.docker/<hostname>
|
||||
export DOCKER_TLS_VERIFY=1' > vars
|
||||
source vars
|
||||
docker info
|
||||
```
|
||||
|
||||
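--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1 @@
+docker_storage_driver: overlay2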
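--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,7 @@
+- name: restart docker
+  service:
+    name: docker
+    state: restarted
+
+- name: systemctl daemon-reload
+  command: systemctl daemon-reload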
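Review bot: The handler order defeats the drop-in on first run: Ansible executes handlers in the order they are defined in this file, not the order given under `notify`, so `restart docker` fires before `systemctl daemon-reload` and systemd restarts dockerd from its cached unit, without the `--tlsverify`/`-H=0.0.0.0:2376` override that tasks/docker.yml just wrote. The TLS listener only appears after a later, unrelated restart, and the play reports success in the meantime. Define the reload handler first and use the `systemd` module rather than shelling out, which also gives a proper changed/failed status.
```yaml
- name: systemctl daemon-reload
  systemd:
    daemon_reload: true

- name: restart docker
  service:
    name: docker
    state: restarted
```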
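--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,2 @@
+galaxy_info:
+  author: Nils Cant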
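--- /dev/null
+++ b/tasks/apt.yml
@@ -0,0 +1,16 @@
+---
+- name: Install prerequisites
+  apt:
+    name: ['apt-transport-https', 'ca-certificates', 'gpg']
+
+- name: Add docker apt key
+  apt_key:
+    keyserver: hkp://p80.pool.sks-keyservers.net:80
+    id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+
+- name: Add docker repository
+  apt_repository:
+    repo: "deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
+
+- name: Install docker CE
+  apt: name=docker-ce state=latest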
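Review bot: The signing key is fetched over plaintext HKP on port 80 from the SKS pool, which has since been decommissioned, so this task is both an unauthenticated channel and a likely hard failure on a fresh host; pinning the full fingerprint in `id` limits key substitution but does nothing for availability. Docker serves the same key over HTTPS, so fetch it from there while keeping the fingerprint pin: `url: https://download.docker.com/linux/debian/gpg` in place of the `keyserver` line. `state=latest` on docker-ce also means every play run can pull an unreviewed daemon upgrade and restart dockerd mid-play; `state: present` (or a pinned version variable) is the safer default, and the `key=value` form on that line is inconsistent with the block style used above it.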
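--- /dev/null
+++ b/tasks/docker.yml
@@ -0,0 +1,13 @@
+---
+- name: Create docker systemd drop-in directory
+  file:
+    path: /etc/systemd/system/docker.service.d
+    state: directory
+
+- name: Configure docker startup options
+  template:
+    src: docker-systemd-conf.j2
+    dest: /etc/systemd/system/docker.service.d/exec.conf
+  notify:
+    - restart docker
+    - systemctl daemon-reload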
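--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- import_tasks: apt.yml
+- import_tasks: tls.yml
+- import_tasks: docker.yml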
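--- /dev/null
+++ b/tasks/tls.yml
@@ -0,0 +1,40 @@
+---
+- name: Docker TLS directory
+  file:
+    path: /etc/docker/tls
+    state: directory
+
+- name: Openssl docker ext config file
+  copy:
+    content: "subjectAltName = DNS:{{ ansible_fqdn}},IP:127.0.0.1"
+    dest: "/etc/docker/tls/extfile.cnf"
+
+- name: Generate server CA and server TLS certificates
+  shell: |
+    openssl req -new -days 7300 -batch -newkey rsa:4096 -keyout ca.key -nodes -subj "/commonName={{ ansible_fqdn }} docker CA/" -x509 -out ca.pem
+    openssl genrsa -out server.key 4096
+    openssl req -subj "/CN={{ ansible_fqdn }}" -sha256 -new -key server.key -out server.csr
+    openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.pem -extfile extfile.cnf
+  args:
+    chdir: /etc/docker/tls
+    creates: /etc/docker/tls/*.pem
+
+- name: TLS client extfile
+  copy:
+    content: "extendedKeyUsage = clientAuth"
+    dest: /etc/docker/tls/client-extfile.cnf
+
+- name: Docker client certificate directory
+  file:
+    path: "/root/.docker/{{ ansible_fqdn }}"
+    state: directory
+
+- name: Generate and sign client TLS certificate
+  shell: |
+    openssl genrsa -out "/root/.docker/{{ ansible_fqdn }}/key.pem" 4096
+    openssl req -subj '/CN=client' -new -key "/root/.docker/{{ ansible_fqdn }}/key.pem" -out "/root/.docker/{{ ansible_fqdn }}/client.csr"
+    openssl x509 -req -days 3650 -sha256 -in "/root/.docker/{{ ansible_fqdn }}/client.csr" -CA ca.pem -CAkey ca.key -CAcreateserial -out "/root/.docker/{{ ansible_fqdn }}/cert.pem" -extfile client-extfile.cnf
+    cp /etc/docker/tls/ca.pem "/root/.docker/{{ ansible_fqdn }}"
+  args:
+    chdir: /etc/docker/tls
+    creates: "/root/.docker/{{ ansible_fqdn }}/cert.pem"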
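Review bot: Neither directory task sets a `mode` and neither `shell` block sets a umask, so `ca.key`, `server.key` and the client `key.pem` are written with whatever the host umask allows — on a stock Debian host that is world-readable files in a 0755 directory — and a local unprivileged user who can read `ca.key` can mint their own client certificate, which is root-equivalent access to dockerd. The two `shell` blocks also run without `set -e`, so a failure in the middle (e.g. the CSR step) still reports ok and the `creates` guards (`/etc/docker/tls/*.pem`, `cert.pem`) then suppress every later run, leaving a half-generated CA in place silently. Worth noting in a comment on the client task that a 3650-day client certificate cannot be revoked (dockerd has no CRL support), so the only rotation path is regenerating the CA and every client. Restrict the directories and add `set -e` / `umask 077` at the top of both blocks; the `openssl_*` modules would be the idiomatic replacement but the minimal fix is:
```yaml
- name: Docker TLS directory
  file:
    path: /etc/docker/tls
    state: directory
    mode: "0700"
# … unchanged: extfile task …
- name: Generate server CA and server TLS certificates
  shell: |
    set -e
    umask 077
    # … unchanged: openssl commands …
# … unchanged: client extfile task; apply the same mode/set -e/umask to the client directory and shell task …
```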
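--- /dev/null
+++ b/templates/docker-systemd-conf.j2
@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/dockerd -H fd:// --storage-driver={{ docker_storage_driver }} --tlsverify --tlscacert=/etc/docker/tls/ca.pem --tlscert=/etc/docker/tls/server.pem --tlskey=/etc/docker/tls/server.key -H=0.0.0.0:2376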
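Review bot: `-H=0.0.0.0:2376` is hard-coded, so the mutual-TLS API is bound on every interface including, presumably, the docker0 bridge, which puts the root-equivalent endpoint one TLS handshake away from every container and from any network the host sits on; the role offers no way to narrow that without editing the template. Make the bind address a role variable with the current value as its default — `docker_tls_listen: "0.0.0.0:2376"` in defaults/main.yml and `-H={{ docker_tls_listen }}` here — so deployments can pin it to a management address and host firewalling can be documented against one variable. The server certificate's SAN only covers the FQDN and 127.0.0.1, so clients must connect by FQDN as the README shows; a one-line comment above `ExecStart=` stating that, and that any holder of a client certificate gets full root-equivalent control, would save the next operator a surprise.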