mongrelion / ansible-role-docker Goto Github PK

Hi,

If proxy needs to be configured for docker daemon, it is not supported in the daemon.json file. It has to be in the /etc/systemd/system/docker.service.d/http-proxy.conf.

FYI https://docs.docker.com/engine/admin/systemd/#httphttps-proxy
Thanks

Officially (infos from meta.yml) your role does not support Ubuntu.
I'm interested as I soon need to support both debian/ubuntu and redhat/centos worlds with proper docker deployments.

Usually not many changes required to extend debian with ubuntu support.
Ideally we could merge (the quite advanced) functionality from https://github.com/angstwad/docker.ubuntu (which is ubuntu only though).

Or can anyone propose another popular role?
A galaxy query: https://galaxy.ansible.com/list#/roles?page=1&page_size=10&tags=ubuntu&autocomplete=docker%20redhat
only found: https://github.com/abaez/ansible-role-docker
which install using pip and the official docker install script (instead of apt resp. yum )

ps: Galaxy infos seem outdated, and only list EL-7 support: https://galaxy.ansible.com/mongrelion/docker/

Our current test suite has several issues:

1. It's not automated. If we are to make sure that a developer's change hasn't broken anything, someone has to pull their changes, run the test suite locally and make sure that everything is working accordingly, which bring us to the second point

2. There are no tests whatsoever. The only thing that we are doing is applying the ansible-role-docker role with Ansible to the VMs that we create and assume that if no task failed during the run of the playbook, then everything is "fine". We should have a proper test suite that automates all of this, and that has a decent criteria to ensure that the role has been applied successfully and that the installed software (Docker) is behaving as expected (config files in place with proper config params, daemon running & logging, etc.)

Possible options for aiding to this issue are:

• http://serverspec.org/
• https://www.inspec.io/
• https://testinfra.readthedocs.io/en/latest/

If someone has the knowledge or time to dive into testing these tools out (or if they have a better suggestion in mind) and write down below a list of pros/cons for each, that would be great. Otherwise I'll find the time later in August to try them all out with very simple use cases and pick the one that I like the most :P

I tried to run my existing playbooks with the latest version and got an error when trying to install with docker_version: 17.06 on Ubuntu 16.04 because the specified version is not available from the configured apt repo.

So it seems we no longer support all of the versions of the Docker engine we used to with the old 0.1.0 Rancher scripts.

The new logic relies on the yum/apt repositories at https://download.docker.com/linux/ but these repos seem to only support edge, nightly, test and stable tags — not individual Docker versions.

For now I just pinned down to 0.1.0, but we should clarify in the README which versions of Docker can be installed with this role, and ideally provide options for people to install older versions of the Docker engine, maybe just falling back to the Rancher scripts if need be...

level=error msg="Failed to GetDriver graph" driver=devicemapper error="graphdriver plugins are only supported with experimental mode" home-dir=/var/lib/docker

docker/for-linux#452

docker/cli#1424

moby/moby#38194

Currently role can install docker-py which is outdated (current name is just docker) and not really usable anywhere outside some application. Maybe we should dump installing docker-py and just install docker-compose since it also includes correct docker python library and can be used for some other things.

@mongrelion what do you think about it?

I can provide a script to be included in travis CI pipeline which can automatically set new tags following semantic versioning.
It runs only on master branch and by default it adds 1 to PATCH part of varsion tag when something new is pushed. It also can add 1 to MAJOR part when it detects special message in the last commit.
This is how it looks: https://github.com/cloudalchemy/ansible-prometheus/blob/master/.travis/generatetag.sh

From my experience it is generally easier to read playbook vars or group vars when roles use some prefix in their variable naming convention. This way it is very easy to identify which variable overwrites which role defaults.

I propose to change all variables located in defaults/main.yml to be prefixed with "docker_" and provide a task file which would map old variables to new ones by using set_fact module. This way role could be backwards compatible and provide this namespace functionality.

I get this error when running the playbooks. Just wanted to give a heads up.
"The checksum for /tmp/docker-setup.sh did not match 659c2c28875469d68b14a71e44cb281f; it was 6be324016277879d49bd0e7f9f91e546."
Confirmed on my host with curl:
curl https://releases.rancher.com/install-docker/17.06.sh -o /tmp/17.06.sh && md5sum /tmp/17.06.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 15228 100 15228 0 0 33058 0 --:--:-- --:--:-- --:--:-- 33032
6be324016277879d49bd0e7f9f91e546 /tmp/17.06.sh

I am actually using versioning and finding it helpful.

http://docs.ansible.com/ansible/latest/galaxy.html#version

It doesn't have to be SemVer, but a tag every now and then when you think of it. Someone with commit access to this repo has to do it. Tags can't be added via Pull Requests. :(

Just tried your role with Ubuntu Bionic and it fails (fair enough, your meta only states that you support Ubuntu Xenial).

That said, I reckon you only need add some logic for adding the edge option to the apt repo and it would work. Docker docs state that 18.04 is supported but via "Docker CE 18.05 Edge and higher only".

https://docs.docker.com/install/linux/docker-ce/ubuntu/#os-requirements

To test I knocked up a role that used the following and it installed fine:

apt_repository:
  repo: "deb [arch=amd64] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable edge"

Would you consider a PR?

Recent versions of the docker setup script by Rancher has a 20sec sleep implemented when docker is already installed. This causes this role to block 20sec on each run once docker is set up.

Possible solution: Only run the "Execute docker setup script" step when no /usr/bin/docker is present.

This would also alleviate the issue that when the installed version is more recent than the default in this playbook, the playbook won't crash anymore (it currently does that because the script tries to downgrade docker which fails)

Unfortunately, commit 18c9997 seems to have broken the setup; when I try to apply this cookbook, I get

RUNNING HANDLER [mongrelion.docker : restart docker] ***************************
fatal: [ansible-host]: FAILED! => {"changed": false, "failed": true, "msg": "Unable to start service docker: Job for docker.service failed because the control process exited with error code. See \"systemctl status docker.service\" and \"journalctl -xe\" for details.\n"}

Apparently, this happens because docker_storagedriver doesn't get expanded:

[centos@ansible-target tmp]$ systemctl status docker.service -l
 docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2017-02-08 14:55:52 UTC; 5min ago
     Docs: https://docs.docker.com
  Process: 23845 ExecStart=/usr/bin/docker daemon -H unix:///var/run/docker.sock -s {{ docker_storagedriver }} (code=exited, status=1/FAILURE)

(I'm just getting started with Ansible, so I'm not sure what exactly the root cause is - perhaps a missing $ in front of docker_storagedriver in files/docker.service ? )

docker daemon command is deprecated and comes only when the docker client is built with a special flag (see here)

Occured with the default setting (17.06) as well as the current 17.09.

Suggestions: as the error message suggests the service file should use the dockerd command instead of docker daemon.

I would like to dump an issue over at Rancher's repo instead but they don't accept new issues lol.

Either way.. my requirements.yml:

- src: mongrelion.docker
  version: a7040aa

playbook.yml:

roles:
- role: mongrelion.docker
  docker_version: '17.09'
  setup_script_md5_sum: 975145b3eeaf9efc588666bf46265d38
  vagrant: yes

This used to work just fine, but now it won't work anymore after I upgraded my Vagrant boxes to fso/arful64. I greatly suspect Rancher's installation script is broken for Ubuntu 17.10. The Docker installation fails when executing the script. I actually tried to run said installation script manually with the same result. These are the last 10 or so lines from the console output, and please note in particular the very last line:

[...]
+ sh -c apt-key add -
+ curl -fsSl https://download.docker.com/linux/ubuntu/gpg
OK
+ sh -c add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu artful stable"
+ [ ubuntu = debian ]
+ sh -c apt-get update
Hit:1 http://us.archive.ubuntu.com/ubuntu artful InRelease
Hit:2 http://security.ubuntu.com/ubuntu artful-security InRelease
Hit:3 http://us.archive.ubuntu.com/ubuntu artful-updates InRelease
Hit:4 https://download.docker.com/linux/ubuntu artful InRelease
Hit:5 http://us.archive.ubuntu.com/ubuntu artful-backports InRelease
Hit:6 http://ppa.launchpad.net/ansible/ansible/ubuntu artful InRelease
Reading package lists... Done
+ cut -d   -f 4
+ head -n 1
+ grep 17.09.0
+ apt-cache madison docker-ce
+ sh -c apt-get install -y -q docker-ce=
Reading package lists...
Building dependency tree...
Reading state information...
E: Version '' for 'docker-ce' was not found

Executing the "convenience scripts" provided today (2017-11-13) by https://get.docker.com (17.10.0-ce) and https://test.docker.com (17.11.0-ce-rc3, build 5b4af4f) works just fine.

So my current workaround is to switch the mongrelion.docker's setup_script_url to one of Docker's convenience scripts. I also set setup_script_md5_sum to false since these scripts are expected to change over time lol (thanx for adding that feature!).

Using external installation script is convenient but provides zero control over it. Also I don't think it is right way to use ansible.

Script could be rewritten to ansible tasks to provide more control over role as well as clearer output what this role does at the moment.
Here is one role from which tasks could be copy-pasted: https://github.com/SoInteractive/ansible-docker for better installation method.

Allow adding user or multiple users to docker system group for easy container management.

By default there should be no user added to docker group.

Hello, forgive me for my bad english.

I'm trying to activate the tcp listening over the daemon.json like this:

"hosts": [
    "unix:///var/run/docker.sock",
    "tcp://0.0.0.0:2375"
  ],

It's not working because the template start with:
ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock

I have to modify the template with:
ExecStart=/usr/bin/dockerd

Found solution on https://docs.docker.com/config/daemon/

Is there another way to do the same withoud modifying the role ?

Thanks and great job !

Role should be tested by molecule also on fedora and centos.

This is currently blocked by #31

See: moby/moby#25098 (comment)

Here is the error I get:

RUNNING HANDLER [mongrelion.docker : restart docker] ***************************
fatal: [10.17.232.10]: FAILED! => {"changed": false, "failed": true, "msg": "Failed to start docker.service: Unit docker.socket failed to load: No such file or directory.\n"}

If I try to start docker from the commandline:

[root@greg-deploy-test ~]# systemctl start docker
Failed to start docker.service: Unit docker.socket failed to load: No such file or directory.

If I uninstall and reinstall docker-engine (thus not copying over the modified docker.service), docker starts just fine.

Is there a reason you override the docker.service that ships with docker-engine?