Merge 8278f01d06 into 8ff4a24147

2025-10-06 11:14:53 +02:00 · 2023-11-17 14:53:16 +01:00 · 2023-11-17 14:53:16 +01:00 · 364c77fe71
commit 364c77fe71
parent 8ff4a24147 8278f01d06
3 changed files with 84 additions and 2 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -7,6 +7,7 @@ docker_packages:
  - "docker-{{ docker_edition }}-rootless-extras"
  - "containerd.io"
 docker_packages_state: present
+docker_rootless: false

 # Service options.
 docker_service_manage: true
--- a/tasks/docker-rootless.yml
+++ b/tasks/docker-rootless.yml
@ -0,0 +1,60 @@
+---
+- name: Ensure dockerd-rootless-setup.sh is installed
+  package:
+    name:
+      - uidmap
+      - docker-ce-rootless-extras
+    state: present
+  when: ansible_distribution != "CentOS"
+
+- name: Ensure dockerd-rootless-setup.sh is installed
+  package:
+    name:
+      - shadow-utils
+      - docker-ce-rootless-extras
+    state: present
+  when: ansible_distribution == "CentOS"
+
+- name: Stop any running root instances of docker daemon
+  service:
+    name: docker.service
+    state: stopped
+    enabled: false
+
+- name: Close root docker socket
+  service:
+    name: docker.socket
+    state: stopped
+    enabled: false
+
+- name: Remove docker.sock file
+  file:
+    path: /var/run/docker.sock
+    state: absent
+
+- name: Modprobe ip_tables
+  modprobe:
+    name: ip_tables
+
+- name: Install rootless docker
+  become: false
+  command: /usr/bin/dockerd-rootless-setuptool.sh install
+  when: rootless_conf.stat.exists == false
+
+- name: Enable and start rootless docker
+  become: false
+  systemd:
+    name: docker.service
+    state: "{{ docker_service_state }}"
+    enabled: "{{ docker_service_enabled }}"
+    scope: user
+  ignore_errors: "{{ ansible_check_mode }}"
+
+- name: Decouple rootless docker from user session
+  command: "loginctl enable-linger {{ ansible_user }}"
+
+- name: Add DOCKER_HOST to systemwide environment file
+  lineinfile:
+    path: /etc/environment
+    insertafter: EOF
+    line: "DOCKER_HOST=unix://{{ lookup('env', 'XDG_RUNTIME_DIR') }}/docker.sock"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -65,13 +65,34 @@
  when: docker_daemon_options.keys() | length > 0
  notify: restart docker

- name: Ensure Docker is started and enabled at boot.
+- name: Stat for rootless docker
+  stat:
+    path: "{{ lookup('env', 'XDG_RUNTIME_DIR') }}/docker.sock"
+  register: rootless_conf
+
+- name: Uninstall rootless docker
+  become: false
+  command: /usr/bin/dockerd-rootless-setuptool.sh uninstall --force
+  when: docker_rootless == false and rootless_conf.stat.exists
+
+- name: Reset DOCKER_HOST environment
+  lineinfile:
+    path: /etc/environment
+    state: absent
+    regexp: '^DOCKER_HOST=unix:///run/user/.*/docker.sock$'
+  when: docker_rootless == false and rootless_conf.stat.exists
+
+- name: Ensure Docker is started and enabled at boot
  service:
    name: docker
    state: "{{ docker_service_state }}"
    enabled: "{{ docker_service_enabled }}"
  ignore_errors: "{{ ansible_check_mode }}"
-  when: docker_service_manage | bool
+  when: docker_service_manage | bool and docker_rootless == false
+
+- name: Setting up docker daemon as non-root
+  include_tasks: docker-rootless.yml
+  when: docker_rootless == true

 - name: Ensure handlers are notified now to avoid firewall conflicts.
  meta: flush_handlers