I would've liked to keep all this in common but there's a chicken-and-egg situation.
docker and/or podman get installed during the testnode role. The testnode role can only be run after the common role. The testnode role is also where some repos are added.
So we need to install docker/podman and configure it after the testnodes role runs. Since we also want to be able to configure docker/podman on other systems, I couldn't put these tasks in the testnode role.
Signed-off-by: David Galloway <dgallowa@redhat.com>
# if this node is in the testnode group, configure it
- import_playbook: testnodes.yml
+# a number of different groups get docker/podman installed and configured
+- import_playbook: container-host.yml
+
# if this node is in the pcp group, configure it
#- import_playbook: pcp.yml
--- /dev/null
+---
+- hosts:
+ - testnodes
+ - senta
+ - vossi
+ roles:
+ - secrets
+ - container-host
+ tags:
+ - container
+ - container-mirror
+ strategy: free
+ become: true
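Review bot: `secrets` is listed in this play's `roles:` and is also declared as a dependency of `container-host` in the new `meta/main.yml` hunk further down, so the same role is named twice for one play. Ansible applies a role dependency only once per play by default, so this is redundant rather than wrong; dropping `- secrets` from the play and relying on the role's own dependency keeps `container-host` self-contained, which matches the commit's stated goal of reusing it on other hosts.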
- nagios-nrpe-server
- nagios-plugins-basic
-The following variables are used to optionally configure a dockerhub mirror CA
-certificate. The role will use `/etc/containers/certs.d` if it detects `podman`
-and `/etc/docker/certs.d` if it does not detect `podman` but detects `docker`::
-
- # Defined in all.yml in secrets repo
- container_mirror: docker-mirror.front.sepia.ceph.com:5000
-
- # Defined in all.yml in secrets repo
- container_mirror_cert: |
- -----BEGIN CERTIFICATE-----
- ...
- -----END CERTIFICATE-----
-
- # Defined in roles/common/vars/$distro_$version.yml or determined in roles/common/tasks/main.yml
- container_mirror_cert_path: "/etc/docker/certs.d/{{ container_mirror }}"
-
Tags
++++
applicable). ``monitoring-scripts`` is also always run with this tag since
NRPE isn't very useful without them.
-container-mirror
- Put a (probably self-signed) certificate in place for an internal dockerhub mirror.
-
To Do
+++++
+++ /dev/null
----
-# Note that these tasks only put the CA certificate in place.
-# podman/docker installation is still handled in the testnodes repo because
-# we don't want podman/docker installed everywhere but we do want this cert
-# everywhere just in case.
-# For example we might not want docker/podman installed on infrahost01 but
-# we definitely need this cert installed on testnodes and infrahost0{2..5}.
-- name: Include encrypted variables
- include_vars: "{{ item }}"
- with_first_found:
- - "{{ secrets_path }}/all.yml"
- - empty.yml
- no_log: true
- tags:
- - vars
-
-- name: "Create {{ container_mirror_cert_path }}"
- file:
- path: "{{ container_mirror_cert_path }}"
- state: directory
-
-- name: "Copy {{ container_mirror }} self-signed cert"
- copy:
- dest: "{{ container_mirror_cert_path }}/docker-mirror.crt"
- content: "{{ container_mirror_cert }}"
- vars
# We need these vars for the entitlements tag to work
- entitlements
- - container-mirror
# configure things specific to yum systems
- import_tasks: yum_systems.yml
(selinux_status is defined and selinux_status.stdout != "Disabled")
tags:
- nagios
-
-# We check for podman first because it was released after docker.
-# If we find podman, we should use its certs path.
-# Just because `docker` exists doesn't mean we're not using podman.
-- name: Check for podman
- command: podman --version
- register: check_for_podman
- ignore_errors: true
- when:
- - container_mirror_cert_path is not defined
- - container_mirror is defined
- - container_mirror_cert is defined
- tags:
- - container-mirror
-
-- set_fact:
- container_mirror_cert_path: "/etc/containers/certs.d/{{ container_mirror }}"
- when:
- - check_for_podman is success
- - container_mirror is defined
- - container_mirror_cert is defined
- tags:
- - container-mirror
-
-- name: Check for docker
- command: docker --version
- register: check_for_docker
- ignore_errors: true
- when:
- - container_mirror_cert_path is not defined
- - check_for_podman is not success
- - container_mirror is defined
- - container_mirror_cert is defined
- tags:
- - container-mirror
-
-- set_fact:
- container_mirror_cert_path: "/etc/docker/certs.d/{{ container_mirror }}"
- when:
- - check_for_docker is success
- - check_for_podman is not success
- - container_mirror is defined
- - container_mirror_cert is defined
- tags:
- - container-mirror
-
-- import_tasks: container_mirror.yml
- when:
- - container_mirror is defined
- - container_mirror_cert is defined
- - container_mirror_cert_path is defined
- tags:
- - container-mirror
+++ /dev/null
----
-container_mirror_cert_path: "/etc/docker/certs.d/{{ container_mirror }}"
nrpe_selinux_packages:
- python3-libsemanage
- python3-policycoreutils
-
-container_mirror_cert_path: "/etc/containers/certs.d/{{ container_mirror }}"
- rhel-7-server-optional-rpms
- rhel-7-server-extras-rpms
- rhel-ha-for-rhel-7-server-rpms
-
-container_mirror_cert_path: "/etc/docker/certs.d/{{ container_mirror }}"
nrpe_selinux_packages:
- python3-libsemanage
- python3-policycoreutils
-
-container_mirror_cert_path: "/etc/containers/certs.d/{{ container_mirror }}"
--- /dev/null
+container-host
+==============
+
+The container-host role will:
+
+- Install ``docker`` or ``podman``
+- Configure a local ``docker.io`` mirror if configured
+
+Variables
++++++++++
+
+``container_packages: []`` is the list of container packages to install. We default to podman on RedHat based distros and docker.io on Debian-based distros.
+
+The following variables are used to optionally configure a docker.io mirror CA certificate. The role will use ``/etc/containers/certs.d`` if ``podman`` is installed and ``/etc/docker/certs.d`` if ``docker`` is installed.::
+
+ # Defined in all.yml in secrets repo
+ container_mirror: docker-mirror.front.sepia.ceph.com:5000
+
+ # Defined in all.yml in secrets repo
+ container_mirror_cert: |
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
+
+ # Automatically determined in roles/container-host/tasks/main.yml
+ container_mirror_cert_path: "/etc/docker/certs.d/{{ container_mirror }}"
--- /dev/null
+---
+dependencies:
+ - role: secrets
--- /dev/null
+---
+- name: "Create {{ container_mirror_cert_path }}"
+ file:
+ path: "{{ container_mirror_cert_path }}"
+ state: directory
+
+- name: "Copy {{ container_mirror }} self-signed cert"
+ copy:
+ dest: "{{ container_mirror_cert_path }}/docker-mirror.crt"
+ content: "{{ container_mirror_cert }}"
+
+- name: Install registries-conf-ctl
+ pip:
+ name: git+https://github.com/sebastian-philipp/registries-conf-ctl
+ state: latest
+
+# Why is this even necessary? I couldn't figure this out. I'd pip install but the command was not found in the next task. Tried '--user', umask: 0022, shell and command modules.
+- name: Find registries-conf-ctl
+ stat:
+ path: /usr/bin/registries-conf-ctl
+ register: usr_bin_rcc
+
+- name: Find registries-conf-ctl again
+ stat:
+ path: /usr/local/bin/registries-conf-ctl
+ register: usr_local_bin_rcc
+
+- set_fact:
+ rcc_path: /usr/bin/registries-conf-ctl
+ when: usr_bin_rcc.stat.exists
+
+- set_fact:
+ rcc_path: /usr/local/bin/registries-conf-ctl
+ when: usr_local_bin_rcc.stat.exists
+
+- name: "Check for docker's daemon.json"
+ stat:
+ path: "{{ container_service_conf }}"
+ when:
+ - "'docker.io' in container_packages"
+ - "'podman' not in container_packages"
+ register: container_conf
+
+- name: "Create {{ container_service_conf }} if necessary"
+ copy:
+ dest: "{{ container_service_conf }}"
+ content: "{}"
+ when:
+ - "'docker.io' in container_packages"
+ - "'podman' not in container_packages"
+ - container_conf.stat.exists == False
+
+- name: Add local docker.io registry mirror
+ command: "{{ rcc_path }} add-mirror docker.io {{ container_mirror }}"
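Review bot: The `pip` task at the `Install registries-conf-ctl` step installs from `git+https://github.com/sebastian-philipp/registries-conf-ctl` with no tag or commit and `state: latest`, so every run fetches whatever that branch head currently is and installs it as root (the play sets `become: true`). Pin the dependency to a reviewed ref, e.g. `name: "git+https://github.com/sebastian-philipp/registries-conf-ctl@<PINNED_TAG_OR_COMMIT>"` with `state: present`, so the tool that rewrites the registry configuration cannot change underneath the role. Separately, if neither `stat` finds the binary, `rcc_path` is never set and the final `command` fails on an undefined variable; an explicit `assert: { that: rcc_path is defined, fail_msg: "registries-conf-ctl not found" }` before it would make that failure mode clearer than the two `set_fact` tasks alone.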
--- /dev/null
+---
+- set_fact:
+ package_manager: apt
+ when: ansible_os_family == "Debian"
+
+- set_fact:
+ package_manager: yum
+ when: ansible_os_family == "RedHat"
+
+- name: Including distro specific variables
+ include_vars: "{{ item }}"
+ with_first_found:
+ - "{{ ansible_distribution | lower }}_{{ ansible_distribution_major_version }}.yml"
+ - "{{ package_manager }}_systems.yml"
+ - empty.yml
+
+- name: Install container packages
+ package:
+ name: "{{ container_packages }}"
+ state: latest
+ when: container_packages|length > 0
+
+- set_fact:
+ container_mirror_cert_path: "/etc/containers/certs.d/{{ container_mirror }}"
+ container_service_conf: "/etc/containers/registries.conf"
+ when:
+ - "'podman' in container_packages"
+ tags:
+ - container-mirror
+
+- set_fact:
+ container_mirror_cert_path: "/etc/docker/certs.d/{{ container_mirror }}"
+ container_service_conf: "/etc/docker/daemon.json"
+ when:
+ - "'docker.io' in container_packages"
+ - "'podman' not in container_packages"
+ tags:
+ - container-mirror
+
+- import_tasks: container_mirror.yml
+ when:
+ - container_mirror is defined
+ - container_mirror_cert is defined
+ - container_mirror_cert_path is defined
+ tags:
+ - container-mirror
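Review bot: The two `set_fact` tasks that assign `container_mirror_cert_path` template `{{ container_mirror }}` whenever `podman` or `docker.io` is in `container_packages`, but nothing in this file requires `container_mirror` to be defined at that point; the removed common-role tasks kept `- container_mirror is defined` in their `when:` lists and the new README describes the mirror as optional, so a host without that variable now fails on an undefined variable before the guarded `import_tasks` is ever reached. Add `- container_mirror is defined` to both `when:` lists. Less severe, `package_manager` is only set for the Debian and RedHat families, so `"{{ package_manager }}_systems.yml"` in `with_first_found` is likewise undefined on any other `ansible_os_family`; `"{{ package_manager | default('other') }}_systems.yml"` would let the `empty.yml` fallback take effect instead, assuming that file exists in the role's vars.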
--- /dev/null
+---
+container_packages:
+ - docker.io
--- /dev/null
+---
+container_packages:
+ - podman
+ - podman-docker