
Comments (9)

nickjj commented on June 12, 2024 3

@magnusvikstrom v2.1.0 should have fixed the permission issue so that one task you have in between can be removed.

I'm still torn on adding the reset_connection task directly to this role. Ansible is already slow and adding this would slow it down more for a majority of folks who wouldn't need this to be set.

But I will keep this issue open to see where it goes.

from ansible-docker.

nickjj commented on June 12, 2024

Hi,

What type of use case is this for?

Typically the way I've used this role is to install Docker and Docker Compose on a server, and then when I deploy my apps, I SSH in as a specific user that was added to docker__users, but this process is after I ran this role in a separate SSH connection, so it's already "reset".

Instead of a manual SSH deployment this could also be done with a git hook or through a CI server -- basically whatever you happen to use to trigger a deploy. In all cases these are separate connections to your server after this role gets run.


magnusvikstrom commented on June 12, 2024

My current playbook runs the role, copies over docker-compose and other configuration files then runs docker-compose up.

Not sure how common it is, perhaps just a mention in the documentation that when using docker__users you need to reset the connection before running docker commands or split up the initializing of the server from the rest of deployment is enough?

I've started noticing the issue when testing my ansible deployment on a vagrant machine that I'm destroying and recreating frequently.


nickjj commented on June 12, 2024

When you set a user as being part of the Docker group, this requires making a new connection to make it take effect with or without this role. This is just how it works at the Linux level.

Splitting up the server provisioning and deployment is enough on its own, but as you discovered, there are many ways to do app deployment.

Personally I never found Ansible to be suitable for handling the deploys themselves since it only responds after the entire work has been done, whereas app deployment is very reactive. I want to see the output as it goes, so I choose to use git hooks and other non-Ansible methods for deployment.

But with that said, you could do the reset in your custom docker compose role as 1 option for now. That would be enough to get things working with your setup. Perhaps it is a documentation problem too, it wouldn't hurt to remind folks that you need to make a new connection in this Docker role.

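The Linux-level behaviour described above can be checked from the shell. This is an added example, not part of the original thread or the role's code: it compares the groups the current session holds (`id -nG`) with the groups the account database now lists for the user (`id -nG USER`). The function names and the sample lists (`deploy sudo docker`) are constructed for illustration; the removed-group case goes beyond the thread but follows from the same mechanism.

```shell
#!/bin/sh
# A session's supplementary groups are fixed when it is created, so a group
# added afterwards shows up in the database but not in the running session.

# in_list NAME "space separated list": succeeds if NAME is one of the words.
in_list() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# group_state GROUP SESSION_GROUPS DB_GROUPS
# Prints one of:
#   active                 - session holds the group and the database agrees
#   needs-new-session      - database has it, this session does not yet
#   removed-but-still-held - removed from the database, session still holds it
#   absent                 - neither side has it
group_state() {
    if in_list "$1" "$2"; then
        if in_list "$1" "$3"; then echo active; else echo removed-but-still-held; fi
    else
        if in_list "$1" "$3"; then echo needs-new-session; else echo absent; fi
    fi
}

# check_session GROUP [USER]: run the comparison against the live system.
# `id -nG` reports this process's groups; `id -nG USER` reads the database.
check_session() {
    user=${2:-$(id -un)}
    group_state "$1" "$(id -nG)" "$(id -nG "$user")"
}

# Constructed sample: user was just added to "docker", session predates it.
group_state docker "deploy sudo" "deploy sudo docker"
```

Running `check_session docker` over the same SSH connection that added the user reports `needs-new-session`; after a reconnect or `meta: reset_connection` it reports `active`.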

magnusvikstrom commented on June 12, 2024

I recently started using ansible so not sure yet how the final deployment setup will work. Thanks for the suggestions though and for this role.

I did get it to work just by adding the reset ssh connection at the start of my tasks so it's no showstopper. It took me some time to figure out though what was causing the issue and that's why I was thinking of mentioning it in the docs. I did look through the project issue list and was expecting to see others mentioning this issue, but didn't so guess it's not that frequently occurring.

Anyway if you would like to add something to the README it could go into the "Working with Ansible's docker_* modules" section and look something like this:

When using docker_* modules in your own roles or playbook in combination with the docker__users variable (section https://github.com/nickjj/ansible-docker#configuring-users-to-run-docker-without-root) you need to reset the ansible connection after the ansible_docker role has run. You will otherwise get docker permission errors.

This can be done by using the meta module reset_connection task as follows (note that this requires at least ansible version 2.5.8):

```yaml
- name: Reset ssh connection to allow user added to docker group in the docker role to take effect.
  meta: reset_connection
```


nickjj commented on June 12, 2024

No problem.

I think a natural spot for this would be to write something after the code example at https://github.com/nickjj/ansible-docker#configuring-users-to-run-docker-without-root.

Something like:

If you plan to run your own custom Docker related roles which depend on executing Docker commands as a user that was defined in docker__users then you must reset your SSH connection in 1 of 2 ways.

The first way (recommended) would be to decouple server creation and app deployment, in which case the SSH connection will be reset automatically since you would be SSH'ing into your server after Ansible has run its course to provision the server.

The second way would be to add a task to your custom Docker role to reset the SSH connection mid-Ansible run. You only need to do this if you plan to run Docker commands as the same user defined in docker__users during the same playbook run.

You can do that like so:

```yaml
- name: Reset SSH connection so the Docker user can run Docker commands
  meta: "reset_connection"
```

This overall behavior isn't a limitation of this role. It's just how Linux permissions work.


magnusvikstrom commented on June 12, 2024

Well put, now it's quite clear. Also good idea to have it in the section you most likely read before getting into this situation.


martinm82 commented on June 12, 2024

I hit exactly the same problem and I am wondering whether the reset_connection shouldn't be done in this role. The thing is we install docker via this role and afterwards in the playbook we start some Docker containers. These containers are started via some roles and adding a reset_connection between roles is not possible (at least not without introducing an intermediate role).


magnusvikstrom commented on June 12, 2024

I ended up with a role that includes this role:

```yaml
# <omitted some initial tasks, making sure universe is enabled and updating apt cache>

- name: Include docker role
  include_role:
    name: "nickjj.docker"
    apply:
      tags: ["docker"]
      become: yes
      # Prevent the docker_login task in the role from printing sensitive data
      no_log: true

# The docker role runs as root resulting in the docker config directory (specified in docker_config var) and file (specified in docker_config_path = item.config_path) produced when it runs docker login belonging to root
# Changing ownership to ansible user so that docker-compose can access the file
- name: Set docker config directory ownership to ansible user
  file:
    path: "{{ item.config_path | dirname }}"
    state: directory
    owner: "{{ ansible_user }}"
    group: "{{ ansible_user }}"
    recurse: yes
  become: yes
  loop: "{{ docker__registries }}"

- name: Reset ssh connection to allow user added to docker group in the docker role to take effect.
  meta: reset_connection
```
