Merge 8278f01d06 into 8ff4a24147

defaults/main.yml

@@ -7,6 +7,7 @@ docker_packages:
   - "docker-{{ docker_edition }}-rootless-extras"
   - "containerd.io"
 docker_packages_state: present
+docker_rootless: false
 
 # Service options.
 docker_service_manage: true

tasks/docker-rootless.yml

@@ -0,0 +1,60 @@
+---
+- name: Ensure dockerd-rootless-setup.sh is installed
+  package:
+    name:
+      - uidmap
+      - docker-ce-rootless-extras
+    state: present
+  when: ansible_distribution != "CentOS"
+
+- name: Ensure dockerd-rootless-setup.sh is installed
+  package:
+    name:
+      - shadow-utils
+      - docker-ce-rootless-extras
+    state: present
+  when: ansible_distribution == "CentOS"
+
+- name: Stop any running root instances of docker daemon
+  service:
+    name: docker.service
+    state: stopped
+    enabled: false
+
+- name: Close root docker socket
+  service:
+    name: docker.socket
+    state: stopped
+    enabled: false
+
+- name: Remove docker.sock file
+  file:
+    path: /var/run/docker.sock
+    state: absent
+
+- name: Modprobe ip_tables
+  modprobe:
+    name: ip_tables
+
+- name: Install rootless docker
+  become: false
+  command: /usr/bin/dockerd-rootless-setuptool.sh install
+  when: rootless_conf.stat.exists == false
+
+- name: Enable and start rootless docker
+  become: false
+  systemd:
+    name: docker.service
+    state: "{{ docker_service_state }}"
+    enabled: "{{ docker_service_enabled }}"
+    scope: user
+  ignore_errors: "{{ ansible_check_mode }}"
+
+- name: Decouple rootless docker from user session
+  command: "loginctl enable-linger {{ ansible_user }}"
+
+- name: Add DOCKER_HOST to systemwide environment file
+  lineinfile:
+    path: /etc/environment
+    insertafter: EOF
+    line: "DOCKER_HOST=unix://{{ lookup('env', 'XDG_RUNTIME_DIR') }}/docker.sock"

tasks/main.yml

@@ -65,13 +65,34 @@
   when: docker_daemon_options.keys() | length > 0
   notify: restart docker
 
-- name: Ensure Docker is started and enabled at boot.
+- name: Stat for rootless docker
+  stat:
+    path: "{{ lookup('env', 'XDG_RUNTIME_DIR') }}/docker.sock"
+  register: rootless_conf
+
+- name: Uninstall rootless docker
+  become: false
+  command: /usr/bin/dockerd-rootless-setuptool.sh uninstall --force
+  when: docker_rootless == false and rootless_conf.stat.exists
+
+- name: Reset DOCKER_HOST environment
+  lineinfile:
+    path: /etc/environment
+    state: absent
+    regexp: '^DOCKER_HOST=unix:///run/user/.*/docker.sock$'
+  when: docker_rootless == false and rootless_conf.stat.exists
+
+- name: Ensure Docker is started and enabled at boot
   service:
     name: docker
     state: "{{ docker_service_state }}"
     enabled: "{{ docker_service_enabled }}"
   ignore_errors: "{{ ansible_check_mode }}"
-  when: docker_service_manage | bool
+  when: docker_service_manage | bool and docker_rootless == false
+
+- name: Setting up docker daemon as non-root
+  include_tasks: docker-rootless.yml
+  when: docker_rootless == true
 
 - name: Ensure handlers are notified now to avoid firewall conflicts.
   meta: flush_handlers