From ffe6863ebad61377ad9e083cb63bdbc90dfc2bd5 Mon Sep 17 00:00:00 2001
From: John Robbins
Date: Sun, 9 Apr 2023 18:51:08 -0600
Subject: [PATCH 1/8] [rootless docker] Add tasks for Docker rootless mode
---
 tasks/docker-rootless.yml | 45 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 tasks/docker-rootless.yml
diff --git a/tasks/docker-rootless.yml b/tasks/docker-rootless.yml
new file mode 100644
index 0000000..4213d88
--- /dev/null
+++ b/tasks/docker-rootless.yml
@@ -0,0 +1,45 @@
+---
+- name: Ensure dockerd-rootless-setup.sh is installed
+ apt:
+ name:
+ - uidmap
+ - docker-ce-rootless-extras
+ state: present
+- name: Stop any running root instances of docker daemon
+ systemd:
+ name: docker.service
+ state: stopped
+ enabled: false
+- name: Close root docker socket
+ systemd:
+ name: docker.socket
+ state: stopped
+ enabled: false
+- name: Remove docker.sock file
+ file:
+ path: /var/run/docker.sock
+ state: absent
+- name: Install rootless docker
+ become: false
+ command: /usr/bin/dockerd-rootless-setuptool.sh install
+- name: Enable and start rootless docker
+ become: false
+ systemd:
+ name: docker
+ state: started
+ enabled: yes
+ scope: user
+- name: Decouple rootless docker from user session
+ command: loginctl enable-linger {{ ansible_user }}
+- name: Add DOCKER_HOST to systemwide environment file
+ lineinfile:
+ path: /etc/environment
+ insertafter: EOF
+ line: 'DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock'
From caedf7ae162f132b09f2a347276299b55d81bb4c Mon Sep 17 00:00:00 2001
From: John Robbins
Date: Sun, 9 Apr 2023 18:52:33 -0600
Subject: [PATCH 2/8] [rootless docker] Allow user to configure rootless Docker by passing docker_rootless: true to role config
---
 defaults/main.yml | 1 +
 tasks/main.yml | 8 ++++++--
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 870a94c..ec9b812 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
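Review bot: The `apt` task pins `docker-ce-rootless-extras` by name, which ignores `docker_edition` and duplicates the `docker-{{ docker_edition }}-rootless-extras` entry that `docker_packages` in defaults/main.yml already installs (visible in the next patch's defaults hunk); keeping only `uidmap` here, or spelling it `- "docker-{{ docker_edition }}-rootless-extras"`, avoids a second package spec that can drift. The `lineinfile` task writes `DOCKER_HOST` into `/etc/environment`, which applies to every login on the host, while the socket it names lives in one user's private runtime directory; a comment such as `# system-wide on purpose: only the rootless user can reach this socket, other logins get a dead DOCKER_HOST` (or a per-user profile file instead) would make that trade-off explicit. The linger task interpolates `ansible_user`, which is undefined when the login user comes from `remote_user` or ssh config rather than inventory, so the role should document that the unprivileged account must be set there.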
@@ -7,6 +7,7 @@ docker_packages:
 - "docker-{{ docker_edition }}-rootless-extras"
 - "containerd.io"
 docker_packages_state: present
+docker_rootless: false
 # Service options.
 docker_service_manage: true
diff --git a/tasks/main.yml b/tasks/main.yml
index dcd47de..b979df2 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -65,13 +65,17 @@
 when: docker_daemon_options.keys() | length > 0
 notify: restart docker
-- name: Ensure Docker is started and enabled at boot.
+- name: Ensure Docker is started and enabled at boot
 service:
 name: docker
 state: "{{ docker_service_state }}"
 enabled: "{{ docker_service_enabled }}"
 ignore_errors: "{{ ansible_check_mode }}"
- when: docker_service_manage | bool
+ when: docker_service_manage | bool and docker_rootless == false
+
+- name: Setting up docker daemon as non-root
+ include_tasks: docker-rootless.yml
+ when: docker_rootless == true
 - name: Ensure handlers are notified now to avoid firewall conflicts.
 meta: flush_handlers
From 0eef25269a8eab0fca0f63cdc81d5e5fbad2ebbf Mon Sep 17 00:00:00 2001
From: John Robbins
Date: Mon, 10 Apr 2023 10:31:20 -0600
Subject: [PATCH 3/8] [rootless docker] Allow switching back to root docker if docker_rootless == false
---
 tasks/docker-rootless.yml | 2 +-
 tasks/main.yml | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/tasks/docker-rootless.yml b/tasks/docker-rootless.yml
index 4213d88..c162d74 100644
--- a/tasks/docker-rootless.yml
+++ b/tasks/docker-rootless.yml
@@ -32,7 +32,7 @@
 systemd:
 name: docker
 state: started
- enabled: yes
+ enabled: true
 scope: user
 - name: Decouple rootless docker from user session
diff --git a/tasks/main.yml b/tasks/main.yml
index b979df2..f85a3f5 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
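Review bot: The new `include_tasks: docker-rootless.yml` is conditioned only on `docker_rootless`, but the included file stops and disables `docker.service`/`docker.socket` and deletes `/var/run/docker.sock`, so a host with `docker_service_manage: false` still has its root daemon torn down; gate the include the same way as the task above it. The comparisons `docker_rootless == false` / `docker_rootless == true` are also fragile: a value passed as `-e docker_rootless=false` arrives as the string `"false"`, which equals neither boolean, so neither branch runs and the root daemon is silently left unmanaged. Use the filter already applied on the same line: `when: docker_service_manage | bool and not docker_rootless | bool` and `when: docker_service_manage | bool and docker_rootless | bool`.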
@@ -65,6 +65,11 @@
 when: docker_daemon_options.keys() | length > 0
 notify: restart docker
+- name: Uninstall rootless docker
+ become: false
+ command: /usr/bin/dockerd-rootless-setuptool.sh uninstall --force
+ when: docker_rootless == false
+
 - name: Ensure Docker is started and enabled at boot
 service:
 name: docker
From 5685a017bb805bb394395ca4ff997aecd034e321 Mon Sep 17 00:00:00 2001
From: John Robbins
Date: Mon, 10 Apr 2023 19:54:28 -0600
Subject: [PATCH 4/8] [rootless docker] Lookup XDG_RUNTIME_DIR variable properly
---
 tasks/docker-rootless.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/docker-rootless.yml b/tasks/docker-rootless.yml
index c162d74..227ae3d 100644
--- a/tasks/docker-rootless.yml
+++ b/tasks/docker-rootless.yml
@@ -36,10 +36,10 @@
 scope: user
 - name: Decouple rootless docker from user session
- command: loginctl enable-linger {{ ansible_user }}
+ command: "loginctl enable-linger {{ ansible_user }}"
 - name: Add DOCKER_HOST to systemwide environment file
 lineinfile:
 path: /etc/environment
 insertafter: EOF
- line: 'DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock'
+ line: "DOCKER_HOST=unix://{{ lookup('env', 'XDG_RUNTIME_DIR') }}/docker.sock"
From 218e1620540e5741e098ac9b137b7c2bcb9c5dff Mon Sep 17 00:00:00 2001
From: John Robbins
Date: Mon, 10 Apr 2023 20:20:08 -0600
Subject: [PATCH 5/8] [rootless docker] Maintain idempotency in 'command' routines
---
 tasks/docker-rootless.yml | 5 +++--
 tasks/main.yml | 7 ++++++-
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/tasks/docker-rootless.yml b/tasks/docker-rootless.yml
index 227ae3d..553c467 100644
--- a/tasks/docker-rootless.yml
+++ b/tasks/docker-rootless.yml
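Review bot: `dockerd-rootless-setuptool.sh uninstall --force` removes the user-level setup, but nothing here reverts the `loginctl enable-linger` that docker-rootless.yml set, so the account's session keeps lingering after the switch back to the root daemon; a matching task, e.g. `command: "loginctl disable-linger {{ ansible_user }}"` with the same `when`, restores the previous state (appropriate only if this role is what enabled it). The task also runs with `become: false`, which assumes the connection user is the account that installed rootless mode; if that is not guaranteed, make the account explicit with `become_user` so the uninstall does not silently run against the wrong home directory.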
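Review bot: `lookup('env', 'XDG_RUNTIME_DIR')` is evaluated on the control node, not on the managed host, so the line written into the remote `/etc/environment` carries the controller's runtime directory — or `unix:///docker.sock` when the variable is unset there — and the `stat` path added to tasks/main.yml in the next patch has the same problem. The value has to come from the target; the series already assumes the systemd layout `/run/user/<uid>` (patch 6's regexp matches exactly that), so the unprivileged user's uid is enough. Gathered facts are not a safe source when the play runs under `become` (`ansible_user_uid` would then be root's), so a one-off `become: false` command is the simplest target-side way to obtain it; the stat in main.yml needs the same registered value, which means running that task before the stat rather than inside this file.
```yaml
- name: Determine the rootless user's uid on the target
  become: false
  command: id -u
  register: rootless_uid
  changed_when: false
# … unchanged: decouple task, lineinfile path/insertafter …
    line: "DOCKER_HOST=unix:///run/user/{{ rootless_uid.stdout }}/docker.sock"
```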
@@ -26,12 +26,13 @@
 - name: Install rootless docker
 become: false
 command: /usr/bin/dockerd-rootless-setuptool.sh install
+ when: rootless_conf.stat.exists == false
 - name: Enable and start rootless docker
 become: false
 systemd:
- name: docker
- state: started
+ name: docker.service
+ state: restarted
 enabled: true
 scope: user
diff --git a/tasks/main.yml b/tasks/main.yml
index f85a3f5..c2b1c6d 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -65,10 +65,15 @@
 when: docker_daemon_options.keys() | length > 0
 notify: restart docker
+- name: Stat for rootless docker
+ stat:
+ path: "{{ lookup('env', 'XDG_RUNTIME_DIR') }}/docker.sock"
+ register: rootless_conf
+
 - name: Uninstall rootless docker
 become: false
 command: /usr/bin/dockerd-rootless-setuptool.sh uninstall --force
- when: docker_rootless == false
+ when: docker_rootless == false and rootless_conf.stat.exists
 - name: Ensure Docker is started and enabled at boot
 service:
From 19df19c432137930a39a6650cfcff2b58046bb8c Mon Sep 17 00:00:00 2001
From: John Robbins
Date: Tue, 11 Apr 2023 09:04:07 -0600
Subject: [PATCH 6/8] [rootless docker] Remove DOCKER_HOST environment when toggling between rootless and root docker
---
 tasks/main.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/tasks/main.yml b/tasks/main.yml
index c2b1c6d..1ffc3aa 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -75,6 +75,13 @@
 command: /usr/bin/dockerd-rootless-setuptool.sh uninstall --force
 when: docker_rootless == false and rootless_conf.stat.exists
+- name: Reset DOCKER_HOST environment
+ lineinfile:
+ path: /etc/environment
+ state: absent
+ regexp: '^DOCKER_HOST=unix:///run/user/.*/docker.sock$'
+ when: docker_rootless == false and rootless_conf.stat.exists
+
 - name: Ensure Docker is started and enabled at boot
 service:
 name: docker
From fdc2082c618e596aa81082bdf2974667d4c019fc Mon Sep 17 00:00:00 2001
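Review bot: `when: rootless_conf.stat.exists == false` makes docker-rootless.yml depend on a variable registered in tasks/main.yml, so including this file on its own fails with an undefined variable; either register the stat in this file or guard with `rootless_conf is defined`. The marker being tested is the rootless socket, which only exists while the user daemon is running, so a host whose user daemon is down (a `stopped` `docker_service_state`, or a reboot before linger took effect) re-runs `dockerd-rootless-setuptool.sh install` as if it were unconfigured. A file the setup tool leaves behind, such as the user unit it writes under `~/.config/systemd/user/` (verify the exact path on the target), is a more stable indicator; and the idiomatic spelling is `when: not rootless_conf.stat.exists`.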
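Review bot: The `Reset DOCKER_HOST environment` task is gated on `rootless_conf.stat.exists`, i.e. on the rootless socket currently being present, so when the user daemon is not running at the time of the switch the stale `DOCKER_HOST` line survives in `/etc/environment` and every new login keeps pointing at a socket that no longer exists. `lineinfile` with `state: absent` is a no-op when the line is missing, so the guard can simply be `when: not docker_rootless | bool`. The unescaped dots in the pattern also match more than intended; `regexp: '^DOCKER_HOST=unix:///run/user/[0-9]+/docker\.sock$'` is tighter.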
From: John Robbins
Date: Tue, 11 Apr 2023 09:13:40 -0600
Subject: [PATCH 7/8] [rootless docker] Use service where possible
---
 tasks/docker-rootless.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/tasks/docker-rootless.yml b/tasks/docker-rootless.yml
index 553c467..9860a52 100644
--- a/tasks/docker-rootless.yml
+++ b/tasks/docker-rootless.yml
@@ -7,13 +7,13 @@
 state: present
 - name: Stop any running root instances of docker daemon
- systemd:
+ service:
 name: docker.service
 state: stopped
 enabled: false
 - name: Close root docker socket
- systemd:
+ service:
 name: docker.socket
 state: stopped
 enabled: false
@@ -32,9 +32,10 @@
 become: false
 systemd:
 name: docker.service
- state: restarted
- enabled: true
+ state: "{{ docker_service_state }}"
+ enabled: "{{ docker_service_enabled }}"
 scope: user
+ ignore_errors: "{{ ansible_check_mode }}"
 - name: Decouple rootless docker from user session
 command: "loginctl enable-linger {{ ansible_user }}"
From 8278f01d06176e1b8605b1542551617ed1483cf0 Mon Sep 17 00:00:00 2001
From: John Robbins
Date: Tue, 11 Apr 2023 20:52:30 -0600
Subject: [PATCH 8/8] [rootless docker] Ensure this works for CentOS Stream 9
---
 tasks/docker-rootless.yml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/tasks/docker-rootless.yml b/tasks/docker-rootless.yml
index 9860a52..2fb9546 100644
--- a/tasks/docker-rootless.yml
+++ b/tasks/docker-rootless.yml
@@ -1,10 +1,19 @@
 ---
 - name: Ensure dockerd-rootless-setup.sh is installed
- apt:
+ package:
 name:
 - uidmap
 - docker-ce-rootless-extras
 state: present
+ when: ansible_distribution != "CentOS"
+
+- name: Ensure dockerd-rootless-setup.sh is installed
+ package:
+ name:
+ - shadow-utils
+ - docker-ce-rootless-extras
+ state: present
+ when: ansible_distribution == "CentOS"
 - name: Stop any running root instances of docker daemon
 service:
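Review bot: The task in the second hunk is still named `Enable and start rootless docker` although it now applies `docker_service_state`/`docker_service_enabled`, which may be `stopped`/`false`; rename it to mirror main.yml, e.g. `- name: Ensure rootless Docker is started and enabled at boot`. The user-scope `systemd` call also runs before the `loginctl enable-linger` task, so on the first run it relies on the login session's user manager already being up; if that is not guaranteed for the connection method in use, moving the linger task ahead of this one is worth checking.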
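Review bot: The two install tasks branch on `ansible_distribution` being exactly `CentOS`, but the `uidmap` vs `shadow-utils` split is a Debian-family vs RHEL-family difference, so Rocky, Alma, RHEL and Fedora hosts fall into the first task and fail on a missing `uidmap` package; branch on `ansible_os_family == "Debian"` and `ansible_os_family == "RedHat"` instead. Both tasks also carry the identical name, which makes play output ambiguous, and that name says `dockerd-rootless-setup.sh` while the script invoked later in this file is `dockerd-rootless-setuptool.sh`. The hard-coded `docker-ce-rootless-extras` still ignores `docker_edition` and duplicates the entry `docker_packages` already installs.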
@@ -23,6 +32,10 @@
 path: /var/run/docker.sock
 state: absent
+- name: Modprobe ip_tables
+ modprobe:
+ name: ip_tables
+
 - name: Install rootless docker
 become: false
 command: /usr/bin/dockerd-rootless-setuptool.sh install
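Review bot: `modprobe: name: ip_tables` loads the module into the running kernel only; nothing persists it, so after a reboot the lingering user daemon can start before anything has loaded `ip_tables` and, on hosts where it is not autoloaded, rootless networking setup fails until the role runs again. A drop-in under `/etc/modules-load.d/` next to the modprobe task makes the load survive reboots. The task is also unconditional although the commit targets CentOS Stream 9, which is probably fine (the module is harmless elsewhere) but deserves a comment such as `# needed on RHEL-family hosts where ip_tables is not autoloaded for rootless dockerd`.
```yaml
# … unchanged: modprobe task …
- name: Persist ip_tables module load across reboots
  copy:
    dest: /etc/modules-load.d/docker-rootless.conf  # example file name
    content: "ip_tables\n"
    owner: root
    group: root
    mode: "0644"
# … unchanged: install rootless docker …
```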