├── requirements.yml
├── tasks
├── checks.yml
├── bug-tweaks.yml
├── setup-repository.yml
├── configure-docker
│ ├── configure-non-systemd.yml
│ ├── configure-systemd.yml
│ └── configure-docker-plugins.yml
├── checks
│ ├── compatibility-checks.yml
│ └── distribution-checks.yml
├── setup-audit.yml
├── install-docker.yml
├── bug-tweaks
│ └── bug-centos7-resource-busy.yml
├── configure-docker.yml
├── setup-repository-RedHat.yml
├── setup-repository-Debian.yml
├── remove-docker.yml
├── main.yml
└── postinstall.yml
├── .editorconfig
├── templates
├── drop-ins
│ └── default.conf.j2
└── docker-envs.j2
├── .gitignore
├── .gitattributes
├── .ansible-lint
├── files
└── etc
│ └── audit
│ └── rules.d
│ └── docker.rules
├── handlers
└── main.yml
├── meta
└── main.yml
├── LICENSE
├── DOCKER_CE_MATRIX.md
├── vars
└── main.yml
├── defaults
└── main.yml
├── README.md
└── CHANGELOG.md
/requirements.yml:
--------------------------------------------------------------------------------
---
# Ansible collections to install alongside this role, for example with
# `ansible-galaxy collection install -r requirements.yml`.
# NOTE(review): no version constraints are given, so whatever release the
# configured Galaxy server offers at install time is used. Pin versions if
# installs need to be reproducible and reviewable.
collections:
  - community.general
  - ansible.posix
--------------------------------------------------------------------------------
/tasks/checks.yml:
--------------------------------------------------------------------------------
---
# Pre-flight checks. Both included files consist of ansible.builtin.fail
# tasks, so an unsupported host or option combination stops the play before
# anything is installed or changed.
- name: Distribution checks
  ansible.builtin.include_tasks: checks/distribution-checks.yml

- name: Compatibility checks
  ansible.builtin.include_tasks: checks/compatibility-checks.yml
--------------------------------------------------------------------------------
/.editorconfig:
--------------------------------------------------------------------------------
1 | [*]
2 | end_of_line = lf
3 |
4 | [*.{py,yaml,yml,sh,json}]
5 | indent_style = space
6 | indent_size = 2
7 |
8 | [*.{yaml,yml}]
9 | insert_final_newline = true
10 |
11 | [.ansible-lint]
12 | insert_final_newline = true
--------------------------------------------------------------------------------
/templates/drop-ins/default.conf.j2:
--------------------------------------------------------------------------------
1 | # {{ ansible_managed }}
2 | [Service]
3 | EnvironmentFile=-{{ systemd_envs_dir }}/docker-envs
4 | ExecStart=
5 | ExecStart=/usr/bin/dockerd $DOCKER_OPTS
6 | {% for option in systemd_service_conf %}
7 | {{ option }}
8 | {% endfor %}
--------------------------------------------------------------------------------
/tasks/bug-tweaks.yml:
--------------------------------------------------------------------------------
---
# Pull in the CentOS/RedHat "Device or resource busy" workaround, but only on
# hosts whose kernel version compares lower than 4.
- name: Configuration to avoid 'Device or resource busy' (CentOS/RedHat)
  ansible.builtin.include_tasks: bug-tweaks/bug-centos7-resource-busy.yml
  when:
    - _docker_os_dist in ["CentOS", "RedHat"]
    - ansible_kernel is version_compare('4', '<')
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | *.log
2 | *.retry
3 | *.vdi
4 | /.cache
5 | /.project
6 | /.vscode
7 | /tests/.vagrant
8 | /tests/scripts/yamlparser.sh.inc
9 | /tests/test-dbg.sh
10 | /tests/unversioned
11 | /tests/vagrant_testcase.yml
12 | /tests/yaml.sh
13 | /tests/yamlparser.sh.inc
14 | /.env
15 | /.env-linux
16 | /.ansible
--------------------------------------------------------------------------------
/templates/docker-envs.j2:
--------------------------------------------------------------------------------
1 | # {{ ansible_managed }}
2 | {% for key, value in docker_envs.items()|list %}
3 | {{ key }}="{{ value }}"
4 | {% endfor %}
5 |
6 | {% if not _docker_systemd_used and (docker_envs.items()|list)|length > 0 %}
7 | export{% for key, value in docker_envs.items()|list %} {{ key }}{% endfor %}
8 | {% endif %}
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | # Set the default behavior, in case people don't have core.autocrlf set.
2 | * text=auto
3 |
4 | # Declare files that will always have LF line endings on checkout.
5 | *.sh text eol=lf
6 | *.yml text eol=lf
7 | *.json text eol=lf
8 | *.j2 text eol=lf
9 |
10 | # Do not export github and test related files to archive
11 | .github/ export-ignore
12 | tests/ export-ignore
13 |
--------------------------------------------------------------------------------
/.ansible-lint:
--------------------------------------------------------------------------------
# Rules listed here are reported as warnings instead of failing the lint run.
# NOTE(review): 'ignore-errors' and 'command-instead-of-module' are the rules
# that would otherwise flag swallowed failures and raw command use, so
# findings from them deserve a manual look during review.
warn_list:
  - 'no-handler' # https://ansible-lint.readthedocs.io/rules/no-handler/
  - 'ignore-errors' # https://ansible-lint.readthedocs.io/rules/ignore-errors/
  - 'command-instead-of-module' # https://ansible-lint.readthedocs.io/rules/command-instead-of-module/
  - 'args[module]' # service 'use' reported as error but should be valid: https://ansible-lint.readthedocs.io/rules/args/
# Rules listed here are not evaluated at all.
skip_list:
  - yaml
# Paths that are never linted.
exclude_paths:
  - tests/
  - .ansible/
  - .env/
  - .env-linux/
--------------------------------------------------------------------------------
/files/etc/audit/rules.d/docker.rules:
--------------------------------------------------------------------------------
# auditd watch rules for Docker. The role copies this file to
# /etc/audit/rules.d/docker.rules when docker_enable_audit is true.
#
#   -c  keep loading the remaining rules when one of them fails
#   -w  place a watch on the given path
#   -k  tag matching audit records with the key "docker", so they can be
#       pulled out with `ausearch -k docker`
#
# No -p permission filter is given, so auditctl's default access types apply.
# NOTE(review): docker-containerd, docker-runc and the libcontainerd socket
# are names from older Docker packaging and may not exist on current hosts;
# -c is presumably what lets the file load anyway. Confirm with `auditctl -l`
# that the watches you depend on were actually registered.
-c
-w /usr/bin/docker -k docker
-w /var/lib/docker -k docker
-w /etc/docker -k docker
-w /usr/lib/systemd/system/docker.service -k docker
-w /usr/lib/systemd/system/docker.socket -k docker
-w /etc/default/docker -k docker
-w /var/run/docker.sock -k docker
-w /var/run/docker/libcontainerd/docker-containerd.sock -k docker
-w /etc/docker/daemon.json -k docker
-w /usr/bin/docker-containerd -k docker
-w /usr/bin/docker-runc -k docker
-w /usr/bin/containerd -k docker
-w /usr/bin/dockerd -k docker
--------------------------------------------------------------------------------
/tasks/setup-repository.yml:
--------------------------------------------------------------------------------
---
# Includes setup-repository-<variety>.yml for every distribution except
# Amazon, which gets no repository setup from this file.
- name: Include setup repository tasks for distribution variety {{ _docker_os_dist_file_varity }}
  when: _docker_os_dist != "Amazon"
  ansible.builtin.include_tasks: setup-repository-{{ _docker_os_dist_file_varity }}.yml

# Runs the cache-refresh command looked up in docker_cmd_update_repo_cache,
# first by distribution name and otherwise by distribution variety.
# The looked-up string is executed by a root shell, so the lookup table must
# only ever be fed from trusted role or inventory variables.
# `until` is given without `retries`, so Ansible's default retry count applies.
- name: Update repository cache
  when: docker_network_access | bool
  become: true
  ansible.builtin.shell: "{{ docker_cmd_update_repo_cache[_docker_os_dist] | default(docker_cmd_update_repo_cache[_docker_os_dist_file_varity]) }}"
  changed_when: false
  register: _result
  until: _result is succeeded
  tags:
    - skip_ansible_lint
--------------------------------------------------------------------------------
/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Handlers for ansible-role-docker-ce.

# Full restart of the Docker service via the configured service manager.
- name: Restart docker
  become: true
  ansible.builtin.service:
    name: docker
    state: restarted
    use: "{{ docker_x_service_mgr }}"
  tags:
    - install
    - configure

# Configuration reload of the Docker service without a full restart.
- name: Reload docker
  become: true
  ansible.builtin.service:
    name: docker
    state: reloaded
    use: "{{ docker_x_service_mgr }}"
  tags:
    - install
    - configure

# auditd is restarted through the `service` command rather than a module.
# Workaround because systemd cannot be used: https://github.com/ansible/ansible/issues/22171
- name: Restart auditd
  become: true
  ansible.builtin.command: service auditd restart
  tags:
    - install
    - configure
    - skip_ansible_lint
--------------------------------------------------------------------------------
/tasks/configure-docker/configure-non-systemd.yml:
--------------------------------------------------------------------------------
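---
# Merge order: the existing _docker_service_envs, then DOCKER_OPTS built from
# docker_daemon_opts, then docker_daemon_envs. Later sources win on key clashes.
- name: Combine Docker daemon environment variable configuration
  ansible.builtin.set_fact:
    _docker_service_envs: "{{ _docker_service_envs | combine(_docker_service_opts) | combine(docker_daemon_envs) }}"
  vars:
    _docker_service_opts:
      DOCKER_OPTS: "{{ docker_daemon_opts }}"

# Renders docker-envs.j2 as a root-owned, world-readable file.
# NOTE(review): the template writes KEY="value" without escaping the value
# and, when systemd is not in use, appends an `export` line, which suggests
# the file is read by a shell. Keep secrets and untrusted text out of
# docker_daemon_envs and docker_daemon_opts.
- name: Setup Docker environment file in directory {{ docker_envs_dir[_docker_os_dist_file_varity] }}
  become: true
  ansible.builtin.template:
    src: docker-envs.j2
    dest: "{{ docker_envs_dir[_docker_os_dist_file_varity] }}/docker"
    owner: root
    group: root
    # Quoted so the mode never depends on implicit YAML octal parsing.
    mode: "0644"
  register: _docker_non_systemd_envs
  vars:
    docker_envs: "{{ _docker_service_envs }}"

# A changed environment file only takes effect after the daemon restarts.
- name: Docker daemon restart is required
  when: _docker_non_systemd_envs is changed
  ansible.builtin.set_fact:
    _docker_restart_required: true
  tags:
    - skip_ansible_lint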
--------------------------------------------------------------------------------
/tasks/checks/compatibility-checks.yml:
--------------------------------------------------------------------------------
---
# https://github.com/moby/moby/issues/35873
# https://access.redhat.com/solutions/2991041
# Stops the play when the MountFlags=slave tweak is enabled and the daemon
# configuration also sets a truthy live-restore.
- name: Compatibility check - Fail if both MountFlags=slave and live-restore are set
  when:
    - docker_enable_mount_flag_fix | bool
    - docker_daemon_config['live-restore'] is defined
    - docker_daemon_config['live-restore']
  ansible.builtin.fail:
    msg: >
      Setting both `MountFlags=slave` (docker_enable_mount_flag_fix: true)
      and `live-restore=true` (docker_daemon_config['live-restore']: true)
      triggers a bug (https://github.com/moby/moby/issues/35873). For now,
      don't use both.

# Stops the play on Amazon Linux when either the Docker SDK or Docker Stack
# support is requested.
- name: Compatibility check - Fail if trying to install Docker SDK or Docker Stack in Amazon Linux
  when:
    - _docker_os_dist == "Amazon"
    - (docker_sdk | bool) or (docker_stack | bool)
  ansible.builtin.fail:
    msg: >
      Setting `docker_sdk` or `docker_stack` to true is not supported
      by this role for Amazon Linux due to library dependency issues.
--------------------------------------------------------------------------------
/meta/main.yml:
--------------------------------------------------------------------------------
# Ansible Galaxy metadata for the role: identity, licence, minimum Ansible
# version, advertised platforms and search tags.
galaxy_info:
  role_name: docker_ce
  namespace: haxorof
  author: Bjorn Oscarsson
  company: none
  description: "Installs and configures Docker Community Edition (CE) on AlmaLinux/Rocky/CentOS/Fedora/RHEL/Ubuntu/Debian/Mint/Raspbian"
  min_ansible_version: "2.16"
  license: MIT
  # Version entries are quoted so they stay strings.
  platforms:
    - name: Amazon Linux
      versions:
        - "2"
        - "2023"

    - name: Fedora
      versions:
        - "36"
        - "37"
        - "38"

    - name: EL
      versions:
        - "7"
        - "8"
        - "9"

    - name: Debian
      versions:
        - bullseye
        - bookworm
        - trixie

    - name: Rocky
      versions:
        - all

    - name: Ubuntu
      versions:
        - focal
        - jammy
        - noble

  galaxy_tags:
    - docker
    - containers
    - virtualization
    - compose
    - orchestration
    - system

# The role declares no dependencies on other roles.
dependencies: []
--------------------------------------------------------------------------------
/tasks/checks/distribution-checks.yml:
--------------------------------------------------------------------------------
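---
# Stops the play unless the detected distribution is on the allow-list below.
- name: Fail if this role does not support the distribution
  when: _docker_os_dist not in _supported_distributions
  ansible.builtin.fail:
    msg: "Distribution {{ _docker_os_dist }} is not supported by this role!"
  vars:
    _supported_distributions:
      - Amazon
      - AlmaLinux
      - CentOS
      - Debian
      - Fedora
      - RedHat
      - Ubuntu
      - Rocky

# Stops the play on kernels older than 3.10.
- name: Fail if kernel version is lower than 3.10
  when: ansible_kernel is version_compare("3.10", '<')
  ansible.builtin.fail:
    msg: "Kernel version 3.10 or later is required!"

# Stops the play when the distribution has a minimum major version listed in
# _version_checks and the host is below it. Distributions without an entry
# are not version-checked here.
- name: Fail if unsupported version for distribution
  when:
    - _docker_os_dist in _version_checks
    - _docker_os_dist_major_version | int < _version_checks[_docker_os_dist]
  ansible.builtin.fail:
    # The minimum version is templated; the original message printed the
    # expression text `_version_checks[_docker_os_dist]` literally.
    msg: "{{ _docker_os_dist }} {{ _version_checks[_docker_os_dist] }} or later is required!"
  vars:
    _version_checks:
      CentOS: 7
      Debian: 7
      Fedora: 24
      RedHat: 7
      Ubuntu: 14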
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2017 Björn Oscarsson
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/tasks/setup-audit.yml:
--------------------------------------------------------------------------------
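---
# Installs auditd on Ubuntu/Debian when auditing is enabled and the host has
# network access.
# allow_unauthenticated (apt) and disable_gpg_check (rpm-family managers) are
# passed straight through from role variables; when either is true the package
# manager does not verify package signatures for this install.
# `until` is given without `retries`, so Ansible's default retry count applies.
- name: Ensure auditd is installed
  when:
    - docker_enable_audit | bool
    - docker_network_access | bool
    - _docker_os_dist == "Ubuntu" or _docker_os_dist == "Debian"
  become: true
  ansible.builtin.package:
    name: auditd
    state: present
    allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
    disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['rpm', 'yum', 'dnf', 'dnf5', 'zypper'] else omit }}"
  register: _pkg_result
  until: _pkg_result is succeeded

# Installs the Docker watch rules shipped with the role; auditd is restarted
# through the handler so the new rules are loaded.
- name: Copy Docker audit rules
  when: docker_enable_audit | bool
  become: true
  ansible.builtin.copy:
    src: files/etc/audit/rules.d/docker.rules
    dest: /etc/audit/rules.d/docker.rules
    owner: root
    group: root
    # Quoted so the mode never depends on implicit YAML octal parsing.
    mode: "0644"
  notify: Restart auditd

# Turning docker_enable_audit off deletes the rule file, which removes the
# Docker watches once auditd restarts. Treat a flip of that variable as a
# change to the host's audit coverage.
- name: Ensure Docker audit rules are removed
  when: not docker_enable_audit | bool
  become: true
  ansible.builtin.file:
    path: /etc/audit/rules.d/docker.rules
    state: absent
  notify: Restart auditd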
--------------------------------------------------------------------------------
/tasks/install-docker.yml:
--------------------------------------------------------------------------------
---
# Builds the "<separator><version>" suffix that is appended to docker-ce
# package names when a specific docker_version is requested.
- name: Set version string
  when: docker_version | length > 0
  ansible.builtin.set_fact:
    _docker_version_string: "{{ docker_os_pkg_version_separator[_docker_os_dist_file_varity] }}{{ docker_version }}"

# Only switches to state=latest when no explicit version was pinned.
- name: Set packages state to latest
  when: docker_latest_version | bool and docker_version | length == 0
  ansible.builtin.set_fact:
    _docker_pkg_state: "latest"

# Amazon Linux installs the single package named `docker`.
- name: Handle Amazon Linux 2/2023 Docker package
  when:
    - _docker_packages is not defined
    - _docker_os_dist == "Amazon"
  ansible.builtin.set_fact:
    _docker_packages:
      - docker

# NOTE(review): the first list entry comes from
# docker_x_redhat_centos_8_containerd_rpm, which is defined outside this page.
# If it is a direct RPM location, its authenticity rests on the transport and
# on GPG checking staying enabled - confirm.
- name: Do workaround to handle CentOS/RHEL 8 installation issues
  when:
    - _docker_packages is not defined
    - docker_x_redhat_centos_8_workaround | bool
    - _docker_os_dist == "CentOS" or _docker_os_dist == "RedHat"
    - _docker_os_dist_major_version | int > 7
  ansible.builtin.set_fact:
    _docker_packages:
      - "{{ docker_x_redhat_centos_8_containerd_rpm }}"
      - docker-ce-cli
      - docker-ce

# Installs each package in turn. Names matching 'docker-ce' get the version
# suffix appended (empty when no version was set); other names are used as-is.
# allow_unauthenticated (apt) and disable_gpg_check (rpm-family managers) are
# passed straight through from role variables; when either is true the package
# manager does not verify signatures for the Docker packages themselves.
- name: Ensure Docker CE is installed
  become: true
  ansible.builtin.package:
    name: "{{ (item is search('docker-ce')) | ternary((item + _docker_version_string | default('')), item) }}"
    state: "{{ _docker_pkg_state | default('present') }}"
    allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
    disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['rpm', 'yum', 'dnf', 'dnf5', 'zypper'] else omit }}"

  loop: "{{ _docker_packages | default(docker_packages) }}"
  register: _docker_pkg_result
  retries: 6
  until: _docker_pkg_result is succeeded

# Any package change means the running daemon may be stale.
- name: Docker daemon restart is required
  when: _docker_pkg_result is changed
  ansible.builtin.set_fact:
    _docker_restart_required: true
  tags:
    - skip_ansible_lint
--------------------------------------------------------------------------------
/tasks/configure-docker/configure-systemd.yml:
--------------------------------------------------------------------------------
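---
# Role-internal tweaks come first, then the user-supplied service options.
- name: Combine all systemd service configuration options
  ansible.builtin.set_fact:
    _systemd_service_config: "{{ _docker_systemd_service_config_tweaks + docker_systemd_service_config }}"

- name: Ensure /etc/systemd/system/docker.service.d directory exists
  become: true
  ansible.builtin.file:
    path: /etc/systemd/system/docker.service.d
    state: directory
    # Quoted so the mode never depends on implicit YAML octal parsing.
    mode: "0755"

# Renders drop-ins/default.conf.j2. That template clears ExecStart, starts
# dockerd with $DOCKER_OPTS, and then emits every entry of
# systemd_service_conf verbatim under [Service]. Each entry of
# docker_systemd_service_config therefore becomes a unit directive for a
# root service, so the variable must come from a trusted source.
- name: Setup default Docker drop-in to enable use of environment file
  become: true
  ansible.builtin.template:
    src: drop-ins/default.conf.j2
    dest: /etc/systemd/system/docker.service.d/default.conf
    owner: root
    group: root
    mode: "0644"
  register: _docker_systemd_docker_dropin
  vars:
    systemd_envs_dir: "{{ docker_envs_dir[_docker_os_dist_file_varity] }}"
    systemd_service_conf: "{{ _systemd_service_config }}"

# Merge order: the existing _docker_service_envs, then DOCKER_OPTS built from
# docker_daemon_opts, then docker_daemon_envs. Later sources win on key clashes.
- name: Combine Docker daemon environment variable configuration
  ansible.builtin.set_fact:
    _docker_service_envs: "{{ _docker_service_envs | combine(_docker_service_opts) | combine(docker_daemon_envs) }}"
  vars:
    _docker_service_opts:
      DOCKER_OPTS: "{{ docker_daemon_opts }}"

# The environment file is world-readable, so keep secrets out of
# docker_daemon_envs and docker_daemon_opts.
- name: Setup Docker environment file in directory {{ docker_envs_dir[_docker_os_dist_file_varity] }}
  become: true
  ansible.builtin.template:
    src: docker-envs.j2
    dest: "{{ docker_envs_dir[_docker_os_dist_file_varity] }}/docker-envs"
    owner: root
    group: root
    mode: "0644"
  register: _docker_systemd_envs
  vars:
    docker_envs: "{{ _docker_service_envs }}"

# systemd only picks up a changed drop-in after daemon-reload.
- name: Force daemon reload of systemd
  when: _docker_systemd_docker_dropin is changed
  become: true
  ansible.builtin.systemd:
    daemon_reload: true
  tags:
    - skip_ansible_lint

- name: Docker daemon restart is required
  when: (_docker_systemd_docker_dropin is changed) or (_docker_systemd_envs is changed)
  ansible.builtin.set_fact:
    _docker_restart_required: true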
--------------------------------------------------------------------------------
/tasks/bug-tweaks/bug-centos7-resource-busy.yml:
--------------------------------------------------------------------------------
# Workaround tasks for 'Device or resource busy' on CentOS/RedHat; the
# including task restricts them to those distributions and to kernels below 4.

# check_mode: false makes the stat run even under --check, so the later
# conditions have a result to read.
- name: Stat /proc/sys/fs/may_detach_mounts (CentOS/RedHat)
  ansible.builtin.stat:
    path: /proc/sys/fs/may_detach_mounts
  register: _may_detach_mounts
  check_mode: false

# Persists the setting in /etc/sysctl.d/99-docker.conf and reloads sysctl,
# but only when the kernel exposes the tunable.
- name: Ensure fs.may_detach_mounts is set to avoid 'Device or resource busy' (CentOS/RedHat)
  when:
    - docker_enable_mount_flag_fix | bool
    - _may_detach_mounts.stat.exists
  become: true
  ansible.posix.sysctl:
    name: fs.may_detach_mounts
    value: "1"
    sysctl_file: /etc/sysctl.d/99-docker.conf
    reload: true

- name: Stat /etc/sysctl.d/99-docker.conf (CentOS/RedHat)
  when:
    - not docker_enable_mount_flag_fix | bool
  ansible.builtin.stat:
    path: /etc/sysctl.d/99-docker.conf
  register: _sysctl_docker
  check_mode: false

# The first condition repeats the one on the stat task above, so
# _sysctl_docker.stat is only read when that stat actually ran.
- name: Unset fs.may_detach_mounts (CentOS/RedHat)
  when:
    - not docker_enable_mount_flag_fix | bool
    - _sysctl_docker.stat.exists
  become: true
  ansible.posix.sysctl:
    name: fs.may_detach_mounts
    value: "0"
    sysctl_file: /etc/sysctl.d/99-docker.conf
    reload: true

# Keep for compatibility reasons of this role. Now everything is in the same file.
- name: Remove systemd drop-in for Docker Mount Flags slave configuration (CentOS/RedHat)
  become: true
  ansible.builtin.file:
    path: /etc/systemd/system/docker.service.d/mountflags-slave.conf
    state: absent
  register: _docker_old_mountflag_fix

- name: Docker daemon restart is required
  when: _docker_old_mountflag_fix is changed
  ansible.builtin.set_fact:
    _docker_restart_required: true
  tags:
    - skip_ansible_lint

# Appends MountFlags=slave to the role-internal list of systemd service
# options.
- name: Set MountFlags option to "slave" to prevent "device busy" errors on CentOS/RedHat 7.3 kernels (CentOS/RedHat)
  when:
    - docker_enable_mount_flag_fix | bool
  ansible.builtin.set_fact:
    _docker_systemd_service_config_tweaks: "{{ _docker_systemd_service_config_tweaks + \
      _systemd_service_config_tweaks }}"
  vars:
    _systemd_service_config_tweaks:
      - 'MountFlags=slave'
--------------------------------------------------------------------------------
/tasks/configure-docker/configure-docker-plugins.yml:
--------------------------------------------------------------------------------
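---
# Plugins can only be installed against a running daemon.
- name: Ensure Docker daemon is started/restarted # noqa: args[module]
  become: true
  ansible.builtin.service:
    name: docker
    state: "{{ _docker_restart_required | ternary('restarted', 'started') }}"

# Polls `docker info` until it exits 0, up to 10 retries.
- name: Wait for Docker daemon to started
  become: true
  ansible.builtin.shell: docker info
  register: _docker_info
  until: _docker_info.rc == 0
  retries: 10
  changed_when: false
  tags:
    - skip_ansible_lint

# Installs every entry of docker_plugins from a root shell.
# - --grant-all-permissions accepts whatever privileges a plugin requests
#   without prompting; review each plugin before listing it in docker_plugins.
# - The plugin name and alias go through the `quote` filter so shell
#   metacharacters in them are not interpreted. item.args is deliberately left
#   unquoted because it may carry several arguments, so it must only come from
#   trusted variables.
# - `|| echo 'nop'` makes the task succeed when the install fails (for
#   example when the plugin is already present), which also hides real
#   failures; check the registered output when a plugin seems to be missing.
- name: Install Docker plugins
  become: true
  ansible.builtin.shell: >-
    (docker plugin install --grant-all-permissions
    --alias {{ item.alias | default(item.name) | quote }}
    {{ item.name | quote }} {{ item.args | default('') }}
    && echo 'installed') || echo 'nop'
  loop: "{{ docker_plugins }}"
  register: _docker_plugin_install
  changed_when: _docker_plugin_install.stdout_lines | last == 'installed'
  when:
    - docker_network_access | bool

- name: Reset list of authorization plugins
  ansible.builtin.set_fact:
    _authz_plugins: []

# Collects the alias (or name) of every plugin whose type is 'authz'.
- name: Create list of authorization plugins
  ansible.builtin.set_fact:
    _authz_plugins: "{{ _authz_plugins + [item.alias | default(item.name)] }}"
  loop: "{{ docker_plugins }}"
  when:
    - item.type == 'authz'

# Adds the collected names under 'authorization-plugins' in the daemon config.
# NOTE(review): plugins are listed here whether or not the install task above
# really installed them, because that task never fails - confirm the daemon's
# behaviour when a listed authorization plugin is absent.
# NOTE(review): _updated_item is written as a string that has to be evaluated
# back into a dict before combine() can use it - confirm on the Ansible
# versions the role supports.
- name: Update Docker daemon configuration with authorization plugins
  ansible.builtin.set_fact:
    _docker_daemon_config: "{{ docker_daemon_config | combine(_updated_item, recursive=true) }}"
  vars:
    _updated_item: "{ 'authorization-plugins': {{ _authz_plugins | list }} }"

# Rewrites /etc/docker/daemon.json from variables; skipped when a config file
# is supplied through docker_daemon_config_file.
- name: Update Docker daemon (variables)
  when:
    - docker_daemon_config_file is not defined
    - docker_daemon_config is defined
  become: true
  ansible.builtin.copy:
    content: "{{ _docker_daemon_config | to_nice_json }}"
    dest: /etc/docker/daemon.json
    owner: root
    group: root
    # Quoted so the mode never depends on implicit YAML octal parsing.
    mode: "0644"
  register: _docker_config_var_plugin

- name: Docker daemon restart is required
  when: _docker_config_var_plugin is changed
  ansible.builtin.set_fact:
    _docker_restart_required: true
  tags:
    - skip_ansible_lint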
--------------------------------------------------------------------------------
/DOCKER_CE_MATRIX.md:
--------------------------------------------------------------------------------
1 | # Docker CE Support Matrix
2 |
3 | | # | 27.0 | 26.0 |
4 | |--------|-----------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|
5 | | CentOS | 9 (stream) | 7
8 (stream)
9 (stream) |
6 | | Debian | Bookworm 12 (stable)
Bullseye 11 (oldstable)
32-bit Raspberry Pi OS Bookworm 12 (stable)32-bit Raspberry Pi OS Bullseye 11 (oldstable) | Bookworm 12 (stable)
Bullseye 11 (oldstable)
32-bit Raspberry Pi OS Bookworm 12 (stable)32-bit Raspberry Pi OS Bullseye 11 (oldstable) |
7 | | Fedora | 39
40 | 38
39
40 |
8 | | Ubuntu | Ubuntu Noble 24.04 (LTS)
Ubuntu Mantic 23.10
Ubuntu Jammy 22.04 (LTS)
Ubuntu Focal 20.04 (LTS) | Ubuntu Noble 24.04 (LTS)
Ubuntu Mantic 23.10
Ubuntu Jammy 22.04 (LTS)
Ubuntu Focal 20.04 (LTS) |
9 | | RHEL |
8
9 | 7 on s390x (IBM Z)
8 on s390x (IBM Z)
9 on s390x (IBM Z) |
10 | | SLES | SLES 15-SP4 on s390x (IBM Z)
SLES 15-SP5 on s390x (IBM Z) | SLES 15-SP4 on s390x (IBM Z)
SLES 15-SP5 on s390x (IBM Z) |
--------------------------------------------------------------------------------
/vars/main.yml:
--------------------------------------------------------------------------------
---
# vars file for ansible-role-docker-ce
# Helper packages needed to manage repositories, keyed by RPM package manager.
docker_repository_related_rpm_packages:
  yum:
    - yum-utils
  dnf:
    # Includes dnf config-manager
    - dnf-plugins-core
  dnf5:
    # Includes dnf config-manager
    - dnf5-plugins

# Packages installed before repository setup, keyed by distribution variety.
# The RedHat entry resolves to an empty list when the package manager is not
# yum, dnf or dnf5.
docker_repository_related_packages:
  RedHat: "{{ (ansible_pkg_mgr in ['yum', 'dnf', 'dnf5']) | ansible.builtin.ternary(docker_repository_related_rpm_packages[ansible_pkg_mgr], []) }}"
  Debian:
    - apt-transport-https
    - ca-certificates
    - curl
    - gnupg2

docker_repository_related_packages_addons:
  Debian:
    - software-properties-common

# Upstream .repo files, all fetched over HTTPS from download.docker.com.
docker_repository_url_rpm:
  RedHat: https://download.docker.com/linux/rhel/docker-ce.repo
  CentOS: https://download.docker.com/linux/centos/docker-ce.repo
  Fedora: https://download.docker.com/linux/fedora/docker-ce.repo

# Release channels the role knows about.
docker_channels:
  - stable
  - test

# Command templates keyed by package manager. `item` and `_item_enabled` are
# supplied by the task that uses them.
# NOTE(review): these are command strings with a channel name interpolated
# into them; if they are run through a shell, the channel value must come
# from a trusted variable - verify against the calling task.
docker_cmd_enable_disable_rpm_repo:
  yum: yum-config-manager --{{ (_item_enabled == true) | ternary('enable', 'disable') }} docker-ce-{{ item }}
  dnf: dnf config-manager --set-{{ (_item_enabled == true) | ternary('enabled', 'disabled') }} docker-ce-{{ item }}
  dnf5: dnf config-manager setopt docker-ce-{{ item }}.enabled={{ (_item_enabled == true) | ternary('1', '0') }}

docker_cmd_update_rpm_repo_cache:
  yum: yum makecache
  dnf: dnf makecache
  dnf5: dnf makecache

# Cache-refresh command per distribution variety; setup-repository.yml runs
# the selected string with ansible.builtin.shell as root. The RedHat entry
# resolves to an empty list when the package manager is not yum, dnf or dnf5.
docker_cmd_update_repo_cache:
  RedHat: "{{ (ansible_pkg_mgr in ['yum', 'dnf', 'dnf5']) | ansible.builtin.ternary(docker_cmd_update_rpm_repo_cache[ansible_pkg_mgr], []) }}"
  Debian: apt-get update

# Directory that receives the Docker environment file.
docker_envs_dir:
  RedHat: /etc/sysconfig
  Debian: /etc/default

# Default package set installed by install-docker.yml.
docker_packages:
  - docker-ce-cli
  - docker-ce
  - containerd.io
  - docker-buildx-plugin
  - docker-compose-plugin

# Separator placed between a package name and a pinned version.
docker_os_pkg_version_separator:
  RedHat: "-"
  Debian: "="

# Names of older Docker packages, keyed by distribution variety.
docker_old_packages:
  RedHat:
    - docker
    - docker-client
    - docker-client-latest
    - docker-common
    - docker-latest
    - docker-latest-logrotate
    - docker-logrotate
    - docker-selinux
    - docker-engine-selinux
    - docker-engine
    - docker-rhel-*-plugin
  Debian:
    - docker
    - docker-engine
    - docker.io
    - containerd
    - runc

docker_python2_build_os_pkgs:
  Debian:
    - python-dev
    - libffi-dev
    - libssl-dev
  Fedora:
    - python-devel
    - openssl-devel
    - redhat-rpm-config
    - libffi-devel
  RedHat:
    - python-devel
    - openssl-devel

docker_python3_build_os_pkgs:
  Debian:
    - libffi-dev
    - libssl-dev
  Fedora:
    - python3-devel
    - openssl-devel
    - redhat-rpm-config
    - libffi-devel
  RedHat:
    - python3-devel
    - openssl-devel

# SDK/stack packages taken from the OS package manager.
docker_predefined_packages_os:
  Debian:
    sdk:
      - python3-docker
    stack:
      - python3-jsondiff
      - python3-yaml

# SDK/stack packages taken from pip. The `docker` requirement gets a `<5`
# constraint when the Python version compares lower than 3.
# NOTE(review): apart from that constraint the pip names are unpinned, so the
# installed versions depend on what the package index serves at install time.
docker_predefined_packages_pip:
  RedHat:
    sdk:
      - docker{{'<5' if ansible_python_version is version('3', '<') }}
    stack:
      - jsondiff
      - pyyaml

docker_cli_plugins_dir:
  RedHat: /usr/libexec/docker/cli-plugins
  Debian: /usr/libexec/docker/cli-plugins
--------------------------------------------------------------------------------
/tasks/configure-docker.yml:
--------------------------------------------------------------------------------
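---
# https://wiki.ubuntu.com/SystemdForUpstartUsers
# Important! systemd is only fully supported in Ubuntu 15.04 and later releases
# Prints 'systemd' when PID 1 is systemd and 'upstart' otherwise.
# check_mode: false keeps the probe running under --check.
- name: Determine usage of systemd
  become: true
  ansible.builtin.shell: "ps -p1 | grep systemd 1>/dev/null && echo systemd || echo upstart"
  changed_when: false
  check_mode: false
  register: _determine_systemd_usage
  tags:
    - skip_ansible_lint

- name: Set fact to indicate systemd is used or not
  ansible.builtin.set_fact:
    _docker_systemd_used: "{{ _determine_systemd_usage is defined and _determine_systemd_usage.stdout == 'systemd' }}"

- name: Configure systemd service
  when: _docker_systemd_used | bool
  ansible.builtin.include_tasks: configure-docker/configure-systemd.yml

- name: Configure non-systemd service
  when: not _docker_systemd_used | bool
  ansible.builtin.include_tasks: configure-docker/configure-non-systemd.yml

- name: Ensure /etc/docker directory exists
  become: true
  ansible.builtin.file:
    path: /etc/docker
    state: directory
    # Quoted so the mode never depends on implicit YAML octal parsing.
    mode: "0755"

# A supplied config file takes precedence over docker_daemon_config.
# daemon.json is written world-readable, so keep sensitive values out of it.
- name: Configure Docker daemon (file)
  when: docker_daemon_config_file is defined
  become: true
  ansible.builtin.copy:
    src: "{{ docker_daemon_config_file }}"
    dest: /etc/docker/daemon.json
    owner: root
    group: root
    mode: "0644"
  register: _docker_config_file

- name: Configure Docker daemon (variables)
  when:
    - docker_daemon_config_file is not defined
    - docker_daemon_config is defined
  become: true
  ansible.builtin.copy:
    content: "{{ docker_daemon_config | to_nice_json }}"
    dest: /etc/docker/daemon.json
    owner: root
    group: root
    mode: "0644"
  register: _docker_config_var

# On CentOS/RedHat, writes a fixed dockremap range to /etc/subuid and
# /etc/subgid when userns-remap is 'default' or docker_bug_usermod is set.
# Any existing line starting with 'dockremap' is replaced by the fixed range.
- name: Ensure Docker default user namespace is defined in subuid and subgid
  when: (_docker_os_dist == "CentOS" or _docker_os_dist == "RedHat") and
        ((docker_daemon_config is defined and
        docker_daemon_config['userns-remap'] is defined and
        docker_daemon_config['userns-remap'] == 'default') or
        docker_bug_usermod | bool)
  become: true
  ansible.builtin.lineinfile:
    path: "{{ item }}"
    regexp: '^dockremap'
    line: 'dockremap:500000:65536'
  loop:
    - /etc/subuid
    - /etc/subgid

# Membership of the docker group gives access to the Docker daemon socket,
# which is effectively root on the host. Keep docker_users to accounts that
# are already trusted with root.
- name: Ensure Docker users are added to the docker group
  become: true
  ansible.builtin.user:
    name: "{{ item }}"
    groups: docker
    append: true
  loop: "{{ docker_users }}"

- name: Enable Docker service
  become: true
  ansible.builtin.service:
    use: "{{ docker_x_service_mgr }}"
    name: docker
    enabled: true
  register: _docker_service

# A restart is flagged when the service reports a SubState other than
# "running" or when either daemon.json task changed the file.
- name: Docker daemon restart is required
  when: (
        _docker_service.status is defined
        and _docker_service.status.SubState is defined
        and _docker_service.status.SubState != "running"
        ) or (
        _docker_config_file is changed
        or _docker_config_var is changed
        )
  ansible.builtin.set_fact:
    _docker_restart_required: true

- name: Install and configure Docker plugins
  when: docker_plugins | length > 0
  ansible.builtin.include_tasks: configure-docker/configure-docker-plugins.yml

- name: Trigger restart of Docker daemon
  when: _docker_restart_required | bool
  become: true
  ansible.builtin.service:
    use: "{{ docker_x_service_mgr }}"
    name: docker
    state: restarted

- name: Ensure Docker daemon is running
  become: true
  ansible.builtin.service:
    use: "{{ docker_x_service_mgr }}"
    name: docker
    state: started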
--------------------------------------------------------------------------------
/tasks/setup-repository-RedHat.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Ensure python and deps for Ansible modules
3 | when:
4 | - docker_network_access | bool
5 | - _docker_os_dist == "Fedora"
6 | - not _docker_python3
7 | become: true
8 | ansible.builtin.raw: dnf install -y python2 python2-dnf libselinux-python
9 | changed_when: false
10 |
# Install the helper packages needed before the Docker repository can be
# added; the task is retried until the package manager reports success.
- name: Ensure packages are installed for repository setup
  become: true
  when:
    - docker_network_access | bool
    - docker_install_setup_repos_dependencies | bool
  ansible.builtin.package:
    name: "{{ item }}"
    state: present
    # Each of the two switches below turns off package signature
    # verification for its package manager and is omitted for all others.
    # Both default to false in defaults/main.yml; leave them off unless the
    # package source is trusted by other means.
    allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
    disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['rpm', 'yum', 'dnf', 'dnf5', 'zypper'] else omit }}"
  loop: "{{ docker_repository_related_packages[_docker_os_dist_file_varity] }}"
  register: _pkg_result
  until: _pkg_result is succeeded
24 |
25 | - name: Determine channels to be enabled and/or disabled
26 | ansible.builtin.set_fact:
27 | _docker_disable_channels: "{{ docker_channels | difference(_docker_merged_channels) }}"
28 | _docker_enable_channels: "{{ docker_channels | intersect(_docker_merged_channels) }}"
29 | vars:
30 | _docker_mandatory_channel: []
31 | _docker_merged_channels: "{{ _docker_mandatory_channel + [docker_channel] }}"
32 |
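# Download the docker-ce.repo definition for this distribution, falling back
# to the distribution-family URL when no distribution-specific one exists.
# The downloaded file decides which package source yum/dnf will use, so
# docker_repository_url_rpm should only ever point at a trusted location
# served over HTTPS.
- name: Add Docker CE repository
  when:
    - docker_network_access | bool
    - docker_install_setup_repos_dependencies | bool
  become: true
  ansible.builtin.get_url:
    url: "{{ docker_repository_url_rpm[_docker_os_dist] | default(docker_repository_url_rpm[_docker_os_dist_file_varity]) }}"
    dest: /etc/yum.repos.d/docker-ce.repo
    # Quoted so the mode is always handled as an octal string and never
    # depends on how the YAML parser types a bare 0644.
    mode: '0644'
    # Re-download on every run so an existing repo file is replaced.
    force: true
  register: _docker_repo
  until: _docker_repo is succeeded
  # Always reported as unchanged, even though force rewrites the file.
  changed_when: false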
46 |
47 | # https://github.com/haxorof/ansible-role-docker-ce/issues/126
48 | - name: Workaround issue with $releasever set to 7Server
49 | when:
50 | - (_docker_os_dist == "RedHat" or _docker_os_dist == "CentOS")
51 | - _docker_os_dist_major_version | int == 7
52 | - docker_x_fix_centos_redhat_7_releasever | bool
53 | block:
54 | - name: Fetch $relesever value
55 | ansible.builtin.command: python -c 'import yum, json; yb = yum.YumBase(); print json.dumps(yb.conf.yumvar, indent=2)'
56 | changed_when: false
57 | check_mode: false
58 | register: _docker_releasever
59 |
60 | - name: Replace $releasever with '7' in /etc/yum.repos.d/docker-ce.repo
61 | when: _docker_releasever.stdout is search('7Server')
62 | become: true
63 | ansible.builtin.replace:
64 | path: /etc/yum.repos.d/docker-ce.repo
65 | regexp: \$releasever
66 | replace: '7'
67 |
68 | - name: Disable Docker CE repository channels
69 | become: true
70 | ansible.builtin.shell: "{{ docker_cmd_enable_disable_rpm_repo[ansible_pkg_mgr] }}"
71 | loop: "{{ _docker_disable_channels }}"
72 | ignore_errors: true
73 | changed_when: false
74 | vars:
75 | _item_enabled: false
76 | tags:
77 | - skip_ansible_lint
78 |
79 | - name: Enable Docker CE repository channels
80 | become: true
81 | ansible.builtin.shell: "{{ docker_cmd_enable_disable_rpm_repo[ansible_pkg_mgr] }}"
82 | loop: "{{ _docker_enable_channels }}"
83 | changed_when: false
84 | vars:
85 | _item_enabled: true
86 | tags:
87 | - skip_ansible_lint
88 |
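# Bring the RHEL 7 repositories listed in docker_rhel_repos (or
# docker_rhel_ppc64le_repos on ppc64le) into their wanted state.
- name: RHEL 7 repositories
  when:
    - docker_network_access | bool
    - _docker_os_dist == "RedHat"
    - _docker_os_dist_major_version | int == 7
  block:
    - name: Set internal facts for repository handling
      ansible.builtin.set_fact:
        # Commands that list the repositories already in a given state,
        # keyed by state and then by repository manager.
        _rhel_repo_check_cmd:
          enabled:
            sm: subscription-manager repos --list-enabled
            yum: yum repolist enabled
          disabled:
            sm: subscription-manager repos --list-disabled
            yum: yum repolist disabled
        # Command prefixes that change the state; the repository id is
        # appended directly after the prefix.
        _rhel_cmd_enable_disable_repo:
          enabled:
            sm: subscription-manager repos --enable=
            yum: "yum-config-manager --enable "
          disabled:
            sm: subscription-manager repos --disable=
            yum: "yum-config-manager --disable "
        _rhel_repos: "{{ (ansible_facts['architecture'] == 'ppc64le') | ternary(docker_rhel_ppc64le_repos, docker_rhel_repos) }}"

    # Exit codes of the shell line below:
    #   0 - the id was found in the listing, nothing to do
    #   2 - the id was missing and the enable/disable command succeeded
    #   anything else - treated as a failure
    # item.id comes from a role variable and ends up on a root shell command
    # line, so it is passed through the quote filter before being inserted.
    # NOTE(review): grep treats the id as a regular expression and matches
    # substrings, so an id that is part of a longer repository id also counts
    # as already present.
    - name: Enable and disable repositories (RedHat)
      become: true
      ansible.builtin.shell: >-
        {{ _rhel_repo_check_cmd[item.state][item.repo_manager] }}
        | grep {{ item.id | quote }} && exit 0
        || {{ _rhel_cmd_enable_disable_repo[item.state][item.repo_manager] }}{{ item.id | quote }}
        && exit 2
      loop: "{{ _rhel_repos }}"
      register: _cmd_rhel_repo_enabled_disabled
      changed_when: _cmd_rhel_repo_enabled_disabled.rc == 2
      failed_when: _cmd_rhel_repo_enabled_disabled.rc not in [0, 2]
      tags:
        - skip_ansible_lint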
125 |
--------------------------------------------------------------------------------
/tasks/setup-repository-Debian.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Update APT cache block
3 | block:
4 | - name: Update APT cache
5 | when:
6 | - docker_network_access | bool
7 | become: true
8 | ansible.builtin.apt:
9 | update_cache: true
10 | allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
11 | changed_when: false
12 | register: _pkg_result
13 | until: _pkg_result is succeeded
14 | rescue:
15 | - name: Retry APT cache update with allow-releaseinfo-change
16 | when:
17 | - docker_network_access | bool
18 | become: true
19 | ansible.builtin.command: apt-get update --allow-releaseinfo-change
20 | changed_when: false
21 | register: _pkg_result
22 | until: _pkg_result is succeeded
23 | tags:
24 | - skip_ansible_lint
25 |
26 | - name: Ensure packages are installed for repository setup
27 | when:
28 | - docker_network_access | bool
29 | - docker_install_setup_repos_dependencies | bool
30 | become: true
31 | ansible.builtin.package:
32 | name: "{{ item }}"
33 | state: present
34 | allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
35 | disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['rpm', 'yum', 'dnf', 'dnf5', 'zypper'] else omit }}"
36 | loop: "{{ docker_repository_related_packages[_docker_os_dist_file_varity] }}"
37 | register: _pkg_result
38 | until: _pkg_result is succeeded
39 |
40 | - name: Ensure packages are installed for repository setup (only for specific releases)
41 | when:
42 | - docker_network_access | bool
43 | - docker_install_setup_repos_dependencies | bool
44 | - (_docker_os_dist == "Debian" and _docker_os_dist_major_version | int < 13) or
45 | _docker_os_dist != "Debian"
46 | become: true
47 | ansible.builtin.package:
48 | name: "{{ item }}"
49 | state: present
50 | allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
51 | disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['rpm', 'yum', 'dnf', 'dnf5', 'zypper'] else omit }}"
52 | loop: "{{ docker_repository_related_packages_addons[_docker_os_dist_file_varity] }}"
53 | register: _pkg_result
54 | until: _pkg_result is succeeded
55 |
# Older releases: import the Docker signing key with apt_key.
# NOTE(review): apt_key puts the key into apt's global trusted keyring, and
# the docker-ce.list entry written for these releases carries no signed-by
# option, so the key is trusted for every configured repository, not only
# Docker's. The tasks for newer releases in this file use a dedicated keyring
# file referenced through signed-by; consider the same here wherever the
# installed apt supports it. The key is accepted as downloaded; apt_key's
# id option can be used to pin the expected key id.
- name: Add Docker official GPG key (Ubuntu < 25 and Debian < 13)
  become: true
  when:
    - docker_network_access | bool
    - (_docker_os_dist == "Ubuntu" and _docker_os_dist_major_version | int > 14 and _docker_os_dist_major_version | int < 25) or
      (_docker_os_dist == "Debian" and _docker_os_dist_major_version | int > 7 and _docker_os_dist_major_version | int < 13)
  ansible.builtin.apt_key:
    url: "https://download.docker.com/linux/{{ _docker_os_dist | lower }}/gpg"
    state: present
  register: _pkg_result
  until: _pkg_result is succeeded
67 |
# Newer releases: store the Docker signing key in its own keyring file. The
# docker-ce.list entry written for these releases points at this file through
# signed-by, which limits the key to the Docker repository.
# The key is trusted as downloaded, so its integrity rests on the HTTPS
# connection to download.docker.com; get_url's checksum option can pin the
# expected file where stricter verification is wanted.
- name: Download Docker GPG key (Ubuntu > 24 and Debian > 12)
  become: true
  when:
    - docker_network_access | bool
    - (_docker_os_dist == "Ubuntu" and _docker_os_dist_major_version | int > 24) or
      (_docker_os_dist == "Debian" and _docker_os_dist_major_version | int > 12)
  ansible.builtin.get_url:
    url: "https://download.docker.com/linux/{{ _docker_os_dist | lower }}/gpg"
    dest: /etc/apt/keyrings/docker.asc
    mode: '0644'
  register: _pkg_result
  until: _pkg_result is succeeded
80 |
81 | - name: Determine channels to be enabled and/or disabled
82 | ansible.builtin.set_fact:
83 | _docker_enable_channels: "{{ docker_channels | intersect(_docker_merged_channels) }}"
84 | vars:
85 | _docker_mandatory_channel: []
86 | _docker_merged_channels: "{{ _docker_mandatory_channel + [docker_channel] }}"
87 |
88 | - name: Add Docker CE repository with correct channels (Ubuntu < 25 and Debian < 13)
89 | become: true
90 | when:
91 | - (_docker_os_dist == "Ubuntu" and _docker_os_dist_major_version | int > 14 and _docker_os_dist_major_version | int < 25) or
92 | (_docker_os_dist == "Debian" and _docker_os_dist_major_version | int > 7 and _docker_os_dist_major_version | int < 13)
93 | ansible.builtin.copy:
94 | content: >
95 | deb [arch={{ _docker_os_arch | lower }}] https://download.docker.com/linux/{{ _docker_os_dist | lower }}
96 | {{ _docker_os_dist_release }} {{ _docker_enable_channels | join(' ') }}
97 | dest: /etc/apt/sources.list.d/docker-ce.list
98 | owner: root
99 | group: root
100 | mode: '0644'
101 |
102 | - name: Add Docker CE repository with correct channels (Ubuntu > 24 and Debian > 12)
103 | become: true
104 | when:
105 | - (_docker_os_dist == "Ubuntu" and _docker_os_dist_major_version | int > 24) or
106 | (_docker_os_dist == "Debian" and _docker_os_dist_major_version | int > 12)
107 | ansible.builtin.copy:
108 | content: >
109 | deb [arch={{ _docker_os_arch | lower }} signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/{{ _docker_os_dist | lower }}
110 | {{ _docker_os_dist_release }} {{ _docker_enable_channels | join(' ') }}
111 | dest: /etc/apt/sources.list.d/docker-ce.list
112 | owner: root
113 | group: root
114 | mode: '0644'
115 |
--------------------------------------------------------------------------------
/tasks/remove-docker.yml:
--------------------------------------------------------------------------------
1 | # Best effort to remove Docker CE and related configuration
2 |
3 | - name: Stop Docker service
4 | become: true
5 | ansible.builtin.service:
6 | use: "{{ docker_x_service_mgr }}"
7 | name: docker
8 | state: stopped
9 | ignore_errors: true
10 | tags:
11 | - skip_ansible_lint
12 |
13 | - name: Ensure Docker CE is removed (RHEL varity)
14 | when: _docker_os_dist_file_varity == "RedHat"
15 | become: true
16 | ansible.builtin.package:
17 | name: "{{ item }}"
18 | state: absent
19 | allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
20 | disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['rpm', 'yum', 'dnf', 'dnf5', 'zypper'] else omit }}"
21 | loop: "{{ ['docker-ce-rootless-extras', 'docker'] + docker_packages }}"
22 | register: _pkg_result
23 | until: _pkg_result is succeeded
24 |
25 | - name: Ensure Docker CE is removed (Ubuntu/Debian)
26 | when: _docker_os_dist_file_varity == "Debian"
27 | become: true
28 | ansible.builtin.apt:
29 | name: "{{ item }}"
30 | state: absent
31 | purge: true
32 | allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
33 | loop: "{{ ['docker-ce-rootless-extras'] + docker_packages }}"
34 | register: _pkg_result
35 | until: _pkg_result is succeeded
36 |
37 | - name: Remove network interface docker0
38 | become: true
39 | ansible.builtin.command: ip link del docker0
40 | ignore_errors: true
41 | changed_when: false
42 | tags:
43 | - skip_ansible_lint
44 |
45 | - name: Remove dockerd from alternatives configuration
46 | become: true
47 | ansible.builtin.shell: alternatives --remove dockerd /usr/bin/dockerd-ce
48 | ignore_errors: true
49 | changed_when: false
50 | tags:
51 | - skip_ansible_lint
52 |
53 | - name: Clean YUM/DNF/APT cache
54 | become: true
55 | ansible.builtin.command: "{{ _docker_clean_cache_cmd[ansible_pkg_mgr] }}"
56 | changed_when: false
57 | vars:
58 | _docker_clean_cache_cmd:
59 | apt: apt-get clean
60 | dnf: dnf clean all --enablerepo=\*
61 | dnf5: dnf clean all --enablerepo=\*
62 | yum: yum clean all --enablerepo=\*
63 |
64 | - name: Remove repository docker specific repo file
65 | when: _docker_os_dist_file_varity == "RedHat"
66 | become: true
67 | ansible.builtin.yum_repository:
68 | name: docker-ce
69 | file: docker-ce
70 | state: absent
71 |
72 | - name: Ensure Docker CE and configuration files are removed
73 | become: true
74 | ansible.builtin.file:
75 | path: "{{ item }}"
76 | state: absent
77 | loop:
78 | # all distributions
79 | - "{{ docker_envs_dir[_docker_os_dist_file_varity] }}/docker"
80 | - "{{ docker_envs_dir[_docker_os_dist_file_varity] }}/docker-envs"
81 | - /etc/audit/rules.d/docker.rules
82 | # centos/rhel
83 | - /etc/yum.repos.d/docker-ce.repo
84 | - /etc/systemd/system/docker.service.d
85 | - /etc/docker
86 | - /usr/bin/dockerd
87 | - /run/docker
88 | # ubuntu/debian
89 | - /etc/apt/sources.list.d/docker-ce.list
90 |
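# Runs only when docker_remove_all is true. Deletes Docker data directories
# and leftovers, plus any extra paths given in docker_remove_additional.
# Every path is removed as root with state absent (directories are deleted
# with their contents), so docker_remove_additional must only name paths
# that are safe to lose.
- name: Ensure additional files and data directories are removed
  when: docker_remove_all | bool
  become: true
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  # loop does not flatten nested lists (unlike with_items). Listing
  # docker_remove_additional as one entry of the loop would hand the whole
  # list to the file module as a single item, so it is merged and flattened
  # here; a single string value is accepted as well.
  loop: "{{ (_docker_remove_all_paths + [docker_remove_additional]) | flatten }}"
  vars:
    _docker_remove_all_paths:
      - /etc/firewalld/zones/docker.xml
      - /etc/firewalld/policies/docker-forwarding.xml
      - /var/lib/docker
      - /var/lib/docker-engine
      - /usr/libexec/docker
      - /var/lib/yum/repos/x86_64/7/docker-ce-nightly
      - /var/lib/yum/repos/x86_64/7/docker-ce-test
      - /var/lib/yum/repos/x86_64/7/docker-ce-stable
      - /var/lib/yum/repos/x86_64/7/docker-ce-nightly-debuginfo
      - /var/lib/yum/repos/x86_64/7/docker-ce-nightly-source
      - /var/lib/yum/repos/x86_64/7/docker-ce-stable-debuginfo
      - /var/lib/yum/repos/x86_64/7/docker-ce-stable-source
      - /var/lib/yum/repos/x86_64/7/docker-ce-test-debuginfo
      - /var/lib/yum/repos/x86_64/7/docker-ce-test-source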
114 |
115 | - name: Reload firewalld config
116 | become: true
117 | ansible.builtin.shell: firewall-cmd --reload
118 | ignore_errors: true
119 | changed_when: false
120 | tags:
121 | - skip_ansible_lint
122 |
123 | - name: Find Docker related diretories in package cache (RHEL varity)
124 | when: _docker_os_dist_file_varity == "RedHat"
125 | become: true
126 | ansible.builtin.find:
127 | paths: "{{ (_docker_os_dist_major_version | int > 7) | ternary('/var/cache/dnf', '/var/cache/yum') }}"
128 | file_type: directory
129 | recurse: true
130 | patterns: "docker-ce*"
131 | register: _remove_cache_dirs
132 |
133 | - name: Remove dangeling files/directories in package cache
134 | when: _docker_os_dist_file_varity == "RedHat"
135 | become: true
136 | ansible.builtin.file:
137 | path: "{{ item.path }}"
138 | state: absent
139 | loop: "{{ _remove_cache_dirs.files }}"
140 |
141 | - name: Update repository cache
142 | when: docker_network_access | bool
143 | become: true
144 | ansible.builtin.shell: "{{ docker_cmd_update_repo_cache[_docker_os_dist_file_varity] }}"
145 | changed_when: false
146 | register: _result
147 | until: _result is succeeded
148 | tags:
149 | - skip_ansible_lint
150 |
--------------------------------------------------------------------------------
/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Collect distribution facts if not already done
3 | when: not ansible_distribution_major_version is defined
4 | ansible.builtin.setup:
5 | gather_subset:
6 | - min
7 | tags: ["install", "configure", "postinstall", "docker_install", "docker_configure", "docker_postinstall"]
8 |
9 | - name: Set distribution and python facts
10 | ansible.builtin.set_fact:
11 | _docker_os_dist: "{{ ansible_distribution }}"
12 | _docker_os_dist_release: "{{ ansible_distribution_release }}"
13 | _docker_os_dist_major_version: "{{ ansible_distribution_major_version }}"
14 | _docker_os_dist_file_varity: "{{ ansible_distribution_file_variety }}"
15 | _docker_os_arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
16 | _docker_python3: "{{ ansible_python_version is version('3', '>=') }}"
17 | tags: ["install", "configure", "postinstall", "docker_install", "docker_configure", "docker_postinstall"]
18 |
19 | - name: Reinterpret distribution facts for Linux Mint
20 | when: _docker_os_dist == "Linux Mint"
21 | ansible.builtin.set_fact:
22 | _docker_os_dist: "Ubuntu"
23 | _docker_os_dist_release: "{{ docker_x_mint_ubuntu_mapping[ansible_distribution_major_version | int].release }}"
24 | _docker_os_dist_major_version: "{{ docker_x_mint_ubuntu_mapping[ansible_distribution_major_version | int].major_version }}"
25 | tags: ["install", "configure", "postinstall", "docker_install", "docker_configure", "docker_postinstall"]
26 |
27 | - name: Reinterpret distribution file varity to RedHat
28 | when: >
29 | (_docker_os_dist == "CentOS" and _docker_os_dist_release == "Stream") or
30 | _docker_os_dist == "Amazon"
31 | ansible.builtin.set_fact:
32 | _docker_os_dist_file_varity: "RedHat"
33 | tags: ["install", "configure", "postinstall", "docker_install", "docker_configure", "docker_postinstall"]
34 |
35 | - name: Reinterpret distribution facts for Debian 10 (Buster) due to bug
36 | when:
37 | - _docker_os_dist == "Debian"
38 | - _docker_os_dist_release == "buster" or (ansible_lsb is defined
39 | and ansible_lsb.codename is defined and ansible_lsb.codename == "buster")
40 | ansible.builtin.set_fact:
41 | _docker_os_dist: "Debian"
42 | _docker_os_dist_release: "buster"
43 | _docker_os_dist_major_version: 10
44 | tags: ["install", "configure", "postinstall", "docker_install", "docker_configure", "docker_postinstall"]
45 |
46 | - name: Check if /etc/os-release exists
47 | ansible.builtin.stat:
48 | path: /etc/os-release
49 | register: _docker_os_release_file_check
50 | tags: ["install", "configure", "postinstall", "docker_install", "docker_configure", "docker_postinstall"]
51 |
52 | - name: Print /etc/os-release information and use it for reinterpretation
53 | when: _docker_os_release_file_check.stat.exists
54 | block:
55 | - name: OS release info
56 | ansible.builtin.raw: cat /etc/os-release
57 | check_mode: false
58 | changed_when: false
59 | register: _docker_os_release_info
60 | tags: ["install", "configure", "postinstall", "docker_install", "docker_configure", "docker_postinstall"]
61 |
62 | - name: Print OS release information
63 | ansible.builtin.debug:
64 | var: _docker_os_release_info
65 | verbosity: 1
66 | tags: ["install", "configure", "postinstall", "docker_install", "docker_configure", "docker_postinstall"]
67 |
68 | - name: Reinterpret distribution facts for Raspbian
69 | when: _docker_os_release_info.stdout is search('raspbian')
70 | ansible.builtin.set_fact:
71 | _docker_os_arch: "armhf"
72 | tags: ["install", "configure", "postinstall", "docker_install", "docker_configure", "docker_postinstall"]
73 |
74 | - name: Print LSB information
75 | when:
76 | - ansible_lsb is defined
77 | ansible.builtin.debug:
78 | var: ansible_lsb
79 | verbosity: 1
80 | tags: ["install", "configure", "postinstall", "docker_install", "docker_configure", "docker_postinstall"]
81 |
82 | - name: Reset role variables
83 | ansible.builtin.set_fact:
84 | _docker_systemd_service_config_tweaks: []
85 | _docker_service_envs: {}
86 | _docker_restart_required: false
87 | tags: ["install", "configure", "postinstall", "docker_install", "docker_configure", "docker_postinstall"]
88 |
89 | - name: Print reinterpreted distribution information
90 | ansible.builtin.debug:
91 | msg: "distribution={{ _docker_os_dist }}, release={{ _docker_os_dist_release }}, major_version={{ _docker_os_dist_major_version }}, file_variety={{ _docker_os_dist_file_varity }}"
92 | tags: ["install", "configure", "postinstall", "docker_install", "docker_configure", "docker_postinstall"]
93 |
94 | - name: Compatibility and distribution checks
95 | when: docker_do_checks | bool
96 | ansible.builtin.include_tasks: checks.yml
97 | tags: ["install", "configure", "postinstall", "docker_install", "docker_configure", "docker_postinstall"]
98 |
99 | - name: Gather the package facts
100 | ansible.builtin.package_facts:
101 | manager: auto
102 |
103 | - name: Abort if podman is already installed
104 | when: "'podman' in ansible_facts.packages"
105 | ansible.builtin.fail:
106 | msg: "Podman is already installed! If you want to use this role ensure you do not have any podman related packages installed!"
107 |
108 | - name: Install and configure Docker CE
109 | when: not docker_remove | bool
110 | block:
111 | - name: Network access disabled
112 | when: not docker_network_access | bool
113 | ansible.builtin.debug:
114 | msg: "Tasks requiring network access will be skipped!"
115 |
116 | - name: Setup Docker package repositories
117 | when: docker_setup_repos | bool
118 | ansible.builtin.include_tasks: setup-repository.yml
119 | tags: ["install", "docker_install"]
120 |
121 | - name: Install Docker
122 | when: docker_network_access | bool
123 | ansible.builtin.include_tasks: install-docker.yml
124 | tags: ["install", "docker_install"]
125 |
126 | - name: Configure audit logging
127 | ansible.builtin.include_tasks: setup-audit.yml
128 | tags: ["configure", "docker_configure"]
129 |
130 | - name: Apply workarounds for bugs and/or tweaks
131 | ansible.builtin.include_tasks: bug-tweaks.yml
132 | tags: ["configure", "docker_configure"]
133 |
134 | - name: Configure Docker
135 | ansible.builtin.include_tasks: configure-docker.yml
136 | tags: ["configure", "docker_configure"]
137 |
138 | - name: Postinstall tasks
139 | when:
140 | - docker_network_access | bool
141 | - (docker_sdk | bool) or (docker_stack | bool) or (docker_compose | bool)
142 | ansible.builtin.include_tasks: postinstall.yml
143 | tags: ["install", "postinstall", "docker_install", "docker_postinstall"]
144 |
145 | - name: Remove Docker CE and related configuration
146 | when: docker_remove | bool
147 | ansible.builtin.include_tasks: remove-docker.yml
148 |
--------------------------------------------------------------------------------
/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # IMPORTANT! All variables with prefix 'docker_x_' are experimental and can be
3 | # changed at any time.
4 | ################################################################################
5 | # Docker install configuration
6 | ################################################################################
7 | # Docker repo channel: stable, nightly, test (more info: https://docs.docker.com/install/)
8 | docker_channel: stable
9 | # Always ensure latest version of Docker CE
10 | docker_latest_version: true
11 | # Docker version
12 | # Relation with other variables:
13 | # - If docker_version is set to a non-empty value (e.g. 18.06.1.ce-3.el7) then that is used.
14 | # - If docker_version is empty (default) and docker_latest_version is set to true (default)
15 | # then latest version will be installed and if older version is installed it will be upgraded.
16 | # - If docker_version is empty (default) and docker_latest_version is set to false then it
17 | # will only install latest version if not some Docker version is already installed.
18 | docker_version: ""
19 | # If below variable is set to true it will remove older Docker installation before Docker CE.
20 | # DEPRECATED! nothing replaces this feature
21 | docker_remove_pre_ce: false
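22 | # Users to be part of the docker group. Membership gives root-equivalent control of the host through the Docker daemon, so list only accounts that are trusted with root.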
23 | docker_users: []
24 | # Docker plugins.
25 | # Item fields:
26 | # * type - Valid types: volumedriver,networkdriver,ipamdriver,authz,logdriver,metricscollector
27 | # * alias - Alias of plugin
28 | # * name - Name of plugin
29 | # * args - Plugin arguments
30 | #
31 | # Example:
32 | # docker_plugins:
33 | # - type: authz
34 | # alias: opa-docker-authz
35 | # name: openpolicyagent/opa-docker-authz-v2:0.8
36 | # args: opa-args="-policy-file /opa/policies/authz.rego"
37 | docker_plugins: []
38 |
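39 | # Bypass package manager GPG key verification. Keep both set to false unless the package source is trusted by other means: when true, package signatures are not verified.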
40 | docker_allow_unauthenticated: false
41 | docker_disable_gpg_check: false
42 |
43 | # Setup Docker CE apt/dnf/yum repos or assume it has already been done
44 | docker_setup_repos: true
45 | # Install dependencies related to setup repos (if dependencies are already installed then nothing will be changed)
46 | docker_install_setup_repos_dependencies: true
47 | # Repositories required to be enabled or disabled on RHEL
48 | # id:
49 | # state: enabled || disabled
50 | # repo_manager: sm (subscription manager) || yum
51 | docker_rhel_repos:
52 | - id: rhel-7-server-extras-rpms
53 | repo_manager: sm
54 | state: enabled
55 | # disable rt-beta so we don't get a 403 error retrieving repomd.xml
56 | - id: rhel-7-server-rt-beta-rpms
57 | repo_manager: sm
58 | state: disabled
59 | # Repositories required to be enabled or disabled on RHEL on ppc64le architecture
60 | docker_rhel_ppc64le_repos:
61 | - id: rhel-7-for-power-le-extras-rpms
62 | repo_manager: sm
63 | state: enabled
64 |
65 | # If Docker is installed this can stop the role from accessing network.
66 | # IMPORTANT! Role will fail if some external resource is necessary for some
67 | # tasks to run. Assumption is that this role has been run once before.
68 | docker_network_access: true
69 |
70 | # Workaround for RHEL/CentOS 8
71 | # Reason: Fails to install because YUM cannot find a good candidate for the library containerd.
72 | docker_x_redhat_centos_8_workaround: false
73 | # containerd RPM URL
74 | docker_x_redhat_centos_8_containerd_rpm: https://download.docker.com/linux/centos/7/x86_64/stable/Packages/containerd.io-1.4.4-3.1.el7.x86_64.rpm
75 |
76 | # Workaround for - CentOS 7/RHEL 7 installations broken where $releasever is '7Server'
77 | # https://github.com/docker/for-linux/issues/1111
78 | docker_x_fix_centos_redhat_7_releasever: true
79 |
80 | # Experimental - Linux Mint reinterpretation mapping
81 | # Mapping between Mint and Ubuntu release are found at: https://linuxmint.com/download_all.php
82 | docker_x_mint_ubuntu_mapping:
83 | 18:
84 | release: "xenial"
85 | major_version: 16
86 | 19:
87 | release: "bionic"
88 | major_version: 18
89 | 20:
90 | release: "focal"
91 | major_version: 20
92 | 21:
93 | release: "jammy"
94 | major_version: 22
95 | 22:
96 | release: "noble"
97 | major_version: 24
98 |
99 | # Change OS service manager. Can be used to work around issues related
100 | # to Ubuntu on WSL2 or similar.
101 | # Valid values: auto, systemd, service
102 | docker_x_service_mgr: auto
103 | ################################################################################
104 | # Docker daemon configuration
105 | ################################################################################
106 | # Daemon configuration (https://docs.docker.com/engine/reference/commandline/dockerd/)
107 | # Example:
108 | # docker_daemon_config:
109 | # experimental: true
110 | docker_daemon_config: {}
111 | # Map of environment variables to Docker daemon
112 | docker_daemon_envs: {}
113 | # Docker daemon options
114 | # Docker daemon is configured with '-H fd://' by default in Ubuntu/Debian which cause problems.
115 | # https://github.com/moby/moby/issues/25471
116 | docker_daemon_opts: ""
117 | # List of additional service configuration options for systemd
118 | # Important! Configuring this can cause Docker to not start at all.
119 | docker_systemd_service_config: []
120 |
121 | ################################################################################
122 | # Audit configuration
123 | ################################################################################
124 | # Enable auditing of Docker related files and directories
125 | docker_enable_audit: false
126 |
127 | ################################################################################
128 | # Configuration to handle bugs/deviations
129 | ################################################################################
130 | # To compensate for situation where Docker daemon fails because of usermod incompatibility.
131 | # Ensures that 'dockremap:500000:65536' is present in /etc/subuid and /etc/subgid.
132 | # Note! If userns-remap is set to 'default' in docker_daemon_config this config will be unnecessary.
133 | docker_bug_usermod: false
134 | # Set `MountFlags=slave`
135 | # https://github.com/haxorof/ansible-role-docker-ce/issues/34
136 | docker_enable_mount_flag_fix: false
137 | # Do compatibility and distribution checks (can be disable for debugging etc if required)
138 | docker_do_checks: true
139 |
140 | ################################################################################
141 | # Postinstall related configuration
142 | ################################################################################
143 | # Ensures dependencies are installed so that most of the 'docker' Ansible modules will work.
144 | docker_sdk: false
145 | # Ensures docker-compose is installed or available and Docker CLI plugin and in common paths.
146 | # docker-compose-plugin installed by default but not available in all distributions.
147 | docker_compose: false
148 | # Ensures dependencies are installed so that 'docker_stack' Ansible module will work.
149 | docker_stack: false
150 | # Additional PiP packages to install after Docker is configured and started.
151 | docker_additional_packages_pip: []
152 | # Additional OS packages to install after Docker is configured and started.
153 | docker_additional_packages_os: []
154 | # Forces a PiP upgrade before further use.
155 | # IMPORTANT! Be careful when setting this because it might cause dependency problems.
156 | docker_pip_upgrade: false
157 | # This variable is used when docker_pip_upgrade is true to upgrade/reinstall pip.
158 | # Override if you want older version than latest during upgrade, e.g. pip==19.3.1
159 | docker_pip_package_pip: pip
160 | # Default python pip package to install if missing
161 | docker_pip_package: python-pip
162 | docker_pip3_package: python3-pip
163 | # PiP extra args
164 | docker_pip_extra_args:
165 | # PiP install packages using sudo
166 | docker_pip_sudo: true
167 |
168 | # Workaround for - No module named ssl_match_hostname
169 | # https://github.com/docker/docker-py/issues/1502
170 | docker_x_ssl_match_hostname: true
171 | # Workaround for - No module named zipp
172 | # https://github.com/haxorof/ansible-role-docker-ce/issues/112
173 | docker_x_fix_no_zipp_module: true
174 | # Workaround for - No module named shutil_get_terminal_size
175 | # https://github.com/haxorof/ansible-role-docker-ce/issues/121
176 | docker_x_shutil_get_terminal_size: true
177 | # Experimental - ensure that PiP is not upgraded automatically
178 | # Setting this to true will break installation of some parts
179 | # e.g. Python based docker-compose.
180 | docker_x_skip_pip_auto_upgrade: false
181 | ################################################################################
182 | # Docker removal configuration
183 | ################################################################################
184 | # CAUTION! If below variable is set to true it will remove Docker CE
185 | # installation and all related configuration.
186 | docker_remove: false
187 | # CAUTION! If both the variable below and docker_remove are set to true, the role will
188 | # also remove everything under, for example, /var/lib/docker
189 | docker_remove_all: false
190 | # Additional files or directories to be removed, for example if non-standard locations
191 | # were previously configured for data storage etc.
192 | docker_remove_additional: []
193 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Ansible Role for Docker CE (Community Edition)
2 |
3 | **IMPORTANT!** Even if this role does not list support for some distribution versions it might still work.
4 |
5 | [](https://github.com/haxorof/ansible-role-docker-ce)
6 | [](https://galaxy.ansible.com/ui/standalone/roles/haxorof/docker_ce/)
7 | [](https://github.com/haxorof/ansible-role-docker-ce/blob/master/LICENSE)
8 | [](https://github.com/haxorof/ansible-role-docker-ce/actions?query=workflow%3ACI)
9 |
10 | This Ansible role installs and configures Docker CE (Community Edition) on several different Linux distributions. The goal is to let the
11 | user of this role care only about how Docker shall be installed and configured, and to hide the differences that exist between the
12 | different distributions.
13 |
14 | ```text
15 | ansible-galaxy role install haxorof.docker_ce
16 | ```
17 |
18 | ## Features
19 |
20 | - One way to install and configure Docker CE across supported Linux distributions.
21 | - Support install of Docker SDK and Docker Compose.
22 | - Best effort support of installations of Docker plugins.
23 | - Best effort uninstall of Docker CE and related configuration
24 | - Do tweaks etc to avoid buggy or non-working configurations in some supported distributions.
25 | - Ease handling of setting up Docker according to Center for Internet Security (CIS) documentation.
26 |
27 | ## Supported Distributions
28 |
29 | *Note!* Some version(s) of distributions listed below only have Python 2.7 installed, these are only compatible with Ansible versions below 10.0.0 (or ansible-core versions below 2.17). This is because Python 2.7 support was dropped in Ansible 10.0.0 (ansible-core 2.17).
30 |
31 | - AlmaLinux<sup>1</sup>
32 | - Amazon Linux<sup>1</sup>
33 | - CentOS<sup>1</sup>
34 | - CentOS Stream
35 | - Debian
36 | - Fedora
37 | - Linux Mint<sup>1</sup> (based on Ubuntu).
38 | - Raspbian (based on Debian)
39 | - RHEL
40 | - Rocky Linux<sup>1</sup>
41 | - Ubuntu
42 |
43 | <sup>1</sup> NB: Docker does _not_ officially support Docker CE, completely or partly, on this distribution and some features might/will not work.
44 |
45 | Other distributions that are not in the list above might also work with this role if the distribution check is disabled by setting variable `docker_do_checks` to `no`.
46 |
47 | ## Changelog
48 |
49 | See changelog [here](https://github.com/haxorof/ansible-role-docker-ce/blob/master/CHANGELOG.md)
50 |
51 | ## Ansible Compatibility
52 |
53 | - ansible `9.13.0` or later (ansible-core `2.16` or later)
54 |
55 | For this role to support multiple Ansible versions it is not possible to avoid all Ansible deprecation warnings. Read Ansible documentation if you want to disable [deprecation warnings](http://docs.ansible.com/ansible/latest/reference_appendices/config.html#deprecation-warnings).
56 |
57 | This role tries to support the latest and previous major release of Ansible version. For supported Ansible versions see [here](https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html)
58 |
59 | ### Ansible Collection Requirements
60 |
61 | If only ansible-core is installed these collections must also be installed for the role to work:
62 |
63 | - ansible.posix
64 | - community.general
65 |
66 | ## Requirements
67 |
68 | No additional requirements.
69 |
70 | ## Role Variables
71 |
72 | Variables related to this role are listed [here](https://github.com/haxorof/ansible-role-docker-ce/blob/master/defaults/main.yml)
73 |
74 | ## Dependencies
75 |
76 | None.
77 |
78 | ## Example Playbook
79 |
80 | Following sub sections show different kind of examples to illustrate what this role supports.
81 |
82 | ### Simplest
83 |
84 | ```yaml
85 | - hosts: docker
86 | roles:
87 | - role: haxorof.docker_ce
88 | ```
89 |
90 | ### Configure Docker daemon to use proxy
91 |
92 | ```yaml
93 | - hosts: docker
94 | vars:
95 | docker_daemon_envs:
96 | HTTP_PROXY: http://localhost:3128/
97 | NO_PROXY: localhost,127.0.0.1,docker-registry.somecorporation.com
98 | roles:
99 | - haxorof.docker_ce
100 | ```
101 |
102 | ### Ensure Ansible can use Docker modules after install
103 |
104 | ```yaml
105 | - hosts: test-host
106 | vars:
107 | docker_sdk: true
108 | docker_compose: true
109 | roles:
110 | - haxorof.docker_ce
111 | post_tasks:
112 | - name: Test hello container
113 | become: true
114 | docker_container:
115 | name: hello
116 | image: hello-world
117 |
118 | - name: Test hello service
119 | become: true
120 | docker_service:
121 | project_name: hello
122 | definition:
123 | version: '3'
124 | services:
125 | hello:
126 | image: "hello-world"
127 | ```
128 |
129 | ### On the road to CIS security compliant Docker engine installation
130 |
131 | The minimal example below shows the kind of role configuration that is required to pass the [Docker bench](https://github.com/docker/docker-bench-security) checks:
132 |
133 | ```yaml
134 | - hosts: docker
135 | vars:
136 | docker_plugins:
137 | - type: authz
138 | alias: opa-docker-authz
139 | name: openpolicyagent/opa-docker-authz-v2:0.9
140 | args: opa-args="-policy-file /opa/policies/authz.rego"
141 | docker_enable_audit: true
142 | docker_daemon_config:
143 | icc: false
144 | log-driver: journald
145 | userns-remap: default
146 | live-restore: true
147 | userland-proxy: false
148 | no-new-privileges: true
149 | roles:
150 | - haxorof.docker_ce
151 | ```
152 |
153 | Because the configuration above requires Linux user namespaces to be enabled, additional GRUB arguments might be needed. The example below shows one set of changes that might be needed; a reboot of the host is required for the changes to take full effect.
154 |
155 | ```yaml
156 | # https://success.docker.com/article/user-namespace-runtime-error
157 |
158 | - hosts: docker
159 | roles:
160 | - role: jtyr.grub_cmdline
161 | vars:
162 | grub_cmdline_add_args:
163 | - namespace.unpriv_enable=1
164 | - user_namespace.enable=1
165 | become: true
166 | tasks:
167 | - name: set user.max_user_namespaces
168 | sysctl:
169 | name: user.max_user_namespaces
170 | value: 15000
171 | sysctl_set: true
172 | state: present
173 | reload: true
174 | become: true
175 | ```
176 |
177 | For a more complete working example on CentOS 7 have a look [here](https://github.com/haxorof/ansible-role-docker-ce/blob/master/tests/experimental/cis).
178 |
179 | ## Automated test matrix
180 |
181 | Here are the latest results of the automated tests, which are located in the tests directory:
182 |
183 | Note! All distributions listed in test matrix below does not provided the latest released Docker CE version.
184 |
185 | ### Test Suites
186 |
187 | | Suite | ID | Comment |
188 | |-------|------------------------|--------------------------------------------------------------------------------------|
189 | | s-1 | t_config | |
190 | | s-2 | t_postinstall | |
191 | | s-3 | t_auditd | |
192 |
193 | ### Test Matrix
194 |
195 | | Symbol | Definition |
196 | | --- | --- |
197 | | :heavy_check_mark: | All tests passed |
198 | | :x: | At least one test failed / Not supported |
199 | | :heavy_minus_sign: | No test done / Not yet tested |
200 |
201 | | # | s-1 | s-2 | s-3 | updated |
202 | |-------------------|--------------------|--------------------|--------------------|------------|
203 | | AlmaLinux 8 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | 2024-08-02 |
204 | | AlmaLinux 9 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | 2024-08-02 |
205 | | Amazon Linux 2 | :heavy_check_mark: | :x: | :heavy_check_mark: | 2024-08-02 |
206 | | Amazon Linux 2023 | :heavy_check_mark: | :x: | :heavy_check_mark: | 2024-08-02 |
207 | | CentOS Stream 9 | :heavy_minus_sign: | :heavy_minus_sign: | :heavy_minus_sign: | 2024-08-02 |
208 | | Debian 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | 2024-08-02 |
209 | | Debian 12 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | 2024-08-02 |
210 | | Fedora 40 | :heavy_minus_sign: | :heavy_minus_sign: | :heavy_minus_sign: | 2024-08-02 |
211 | | Fedora 41 | :heavy_minus_sign: | :heavy_minus_sign: | :heavy_minus_sign: | 2024-12-08 |
212 | | Rocky Linux 8 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | 2024-08-02 |
213 | | Rocky Linux 9 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | 2024-08-02 |
214 | | Ubuntu 20.04 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | 2024-08-02 |
215 | | Ubuntu 22.04 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | 2024-08-02 |
216 | | Ubuntu 24.04 | :heavy_minus_sign: | :heavy_minus_sign: | :heavy_minus_sign: | 2024-08-02 |
217 | | RHEL 8 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | 2024-08-12 |
218 | | RHEL 9 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | 2024-08-12 |
219 |
220 | ## License
221 |
222 | This is an open source project under the [MIT](https://github.com/haxorof/ansible-role-docker-ce/blob/master/LICENSE) license.
223 |
--------------------------------------------------------------------------------
/tasks/postinstall.yml:
--------------------------------------------------------------------------------
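---
# Post-install tasks for the role: collect the additional OS and PiP packages
# requested through role variables, install them, apply the Python 2.7
# workarounds and, when the Docker CLI plugin package is not installed,
# download docker compose from GitHub and create the docker-compose symlinks.

- name: Reset internal variables for additional packages to be installed
  ansible.builtin.set_fact:
    _docker_additional_packages_os: []
    _docker_additional_packages_pip: []

- name: Set facts to install Docker SDK for Python
  when:
    - docker_sdk | bool
  ansible.builtin.set_fact:
    _docker_additional_packages_pip: "{{ _docker_additional_packages_pip + \
      (docker_predefined_packages_pip[_docker_os_dist_file_varity]['sdk'] | default([])) }}"
    _docker_additional_packages_os: "{{ _docker_additional_packages_os + \
      (docker_predefined_packages_os[_docker_os_dist_file_varity]['sdk'] | default([])) }}"

- name: Set facts to install Docker Stack dependencies
  when:
    - docker_stack | bool
  ansible.builtin.set_fact:
    _docker_additional_packages_pip: "{{ _docker_additional_packages_pip + \
      (docker_predefined_packages_pip[_docker_os_dist_file_varity]['stack'] | default([])) }}"
    _docker_additional_packages_os: "{{ _docker_additional_packages_os + \
      (docker_predefined_packages_os[_docker_os_dist_file_varity]['stack'] | default([])) }}"

# User-supplied package lists are placed in front of the predefined ones.
- name: Set facts with additional package to be installed
  ansible.builtin.set_fact:
    _docker_additional_packages_pip: "{{ docker_additional_packages_pip + _docker_additional_packages_pip }}"
    _docker_additional_packages_os: "{{ docker_additional_packages_os + _docker_additional_packages_os }}"

- name: Ensure required OS packages will be installed for PiP
  when:
    - _docker_additional_packages_pip | length > 0
  block:
    - name: Set fact for path test of pip/pip3
      ansible.builtin.set_fact:
        _docker_pip_or_pip3: "{{ _docker_python3 | ternary('pip3', 'pip') }}"

    # The templated value is always the literal 'pip3' or 'pip' set by the task
    # above, so no user-controlled text reaches the shell here.
    - name: Determine if pip/pip3 exists in path
      become: true
      ansible.builtin.shell: type {{ _docker_pip_or_pip3 }}
      register: _docker_pip_cmd
      changed_when: false
      failed_when: false
      check_mode: false
      tags:
        - skip_ansible_lint

    - name: Set fact to install Python 2 PiP and build dependencies
      when:
        - not _docker_python3 | bool
      ansible.builtin.set_fact:
        _docker_additional_packages_os: >
          {{ _docker_additional_packages_os
          + ([] if (_docker_pip_cmd.rc == 0) else [docker_pip_package])
          + [docker_python2_build_os_pkgs[_docker_os_dist] | default(docker_python2_build_os_pkgs[_docker_os_dist_file_varity])] }}

    - name: Set fact to install Python 3 PiP and build dependencies
      when:
        - _docker_python3 | bool
      ansible.builtin.set_fact:
        _docker_additional_packages_os: >
          {{ _docker_additional_packages_os
          + ([] if (_docker_pip_cmd.rc == 0) else [docker_pip3_package])
          + [docker_python3_build_os_pkgs[_docker_os_dist] | default(docker_python3_build_os_pkgs[_docker_os_dist_file_varity])] }}

    - name: Ensure python-pip-whl is present (Debian 8)
      when:
        - _docker_os_dist == "Debian"
        - _docker_os_dist_major_version | int == 8
      ansible.builtin.set_fact:
        _docker_additional_packages_os: "{{ _docker_additional_packages_os + ['python-pip-whl'] }}"

    - name: Ensure python-backports.ssl-match-hostname is present (Debian 10)
      when:
        - not _docker_python3 | bool
        - _docker_os_dist == "Debian"
        - _docker_os_dist_major_version | int == 10
      ansible.builtin.set_fact:
        _docker_additional_packages_os: "{{ _docker_additional_packages_os + ['python-backports.ssl-match-hostname'] }}"

# SECURITY: allow_unauthenticated / disable_gpg_check are passed through from
# docker_allow_unauthenticated / docker_disable_gpg_check. When those are true
# the package manager installs without verifying package signatures, so leave
# them false unless the repository genuinely cannot be verified.
- name: Ensure EPEL release repository is installed
  when:
    - docker_setup_repos | bool
    - _docker_os_dist == "CentOS"
    - _docker_additional_packages_os | length > 0
  become: true
  ansible.builtin.package:
    name: "epel-release"
    state: present
    allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
    disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['rpm', 'yum', 'dnf', 'dnf5', 'zypper'] else omit }}"
  register: _pkg_result
  until: _pkg_result is succeeded

# SECURITY: same signature-verification switches as the EPEL task above; the
# package names come from role variables, including the user-supplied
# docker_additional_packages_os list.
- name: Install additional packages (OS package manager)
  when: _docker_additional_packages_os | length > 0
  become: true
  ansible.builtin.package:
    name: "{{ item }}"
    state: present
    allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
    disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['rpm', 'yum', 'dnf', 'dnf5', 'zypper'] else omit }}"
  loop: "{{ _docker_additional_packages_os }}"
  register: _pkg_result
  until: _pkg_result is succeeded

- name: Fetch install PiP version
  when:
    - _docker_additional_packages_pip | length > 0
  become: "{{ docker_pip_sudo | bool }}"
  ansible.builtin.command: "{{ _docker_pip_or_pip3 }} --version"
  changed_when: false
  check_mode: false
  register: _pip_version

- name: Check and set PiP for upgrade if necessary
  when:
    - _pip_version is defined
    - _pip_version.stdout_lines[0] is defined
  block:
    # Best effort workaround to avoid 'No module named zipp'
    # https://github.com/haxorof/ansible-role-docker-ce/issues/112

    # '| bool' added so this switch is evaluated like the other switches in
    # this file.
    - name: Set PiP to be upgraded due to too old PiP version (< 9.0.0)
      when:
        - docker_x_fix_no_zipp_module | bool
        - not docker_x_skip_pip_auto_upgrade | bool
        - (_pip_version.stdout_lines[0] | regex_replace('^pip\s(\d+\.\d+).+$', '\\1')) is version('9.0', '<')
      ansible.builtin.set_fact:
        docker_pip_upgrade: true

    - name: Set PiP to be upgraded due to Rust depencency for cryptography
      when:
        - _docker_python3 | bool
        - not docker_x_skip_pip_auto_upgrade | bool
        - (_pip_version.stdout_lines[0] | regex_replace('^pip\s(\d+\.\d+).+$', '\\1')) is version('21.0', '<')
      ansible.builtin.set_fact:
        docker_pip_upgrade: true

    # PiP 21 drop Python 2 support
    # https://pip.pypa.io/en/latest/development/release-process/#python-2-support
    # https://github.com/pypa/pip/issues/7423
    - name: Ensure PiP upgrade for Python 2 only is upgraded to at most 20.3
      when:
        - (not _docker_python3 | bool) or (_docker_os_dist == "Ubuntu" and _docker_os_dist_major_version | int < 18)
        - not docker_x_skip_pip_auto_upgrade | bool
        - docker_pip_upgrade | bool
      ansible.builtin.set_fact:
        docker_pip_package_pip: "{{ docker_pip_package_pip }}<21"

# SECURITY: with docker_pip_sudo true this and the next task run pip with
# privilege escalation, so package build/install code runs with those
# privileges. Package names and docker_pip_extra_args come from role
# variables; pin versions and point pip at a trusted index where possible.
- name: Upgrade/Reinstall PiP
  when:
    - _docker_additional_packages_pip | length > 0
    - docker_pip_upgrade | bool
  become: "{{ docker_pip_sudo | bool }}"
  ansible.builtin.pip:
    name: "{{ docker_pip_package_pip }}"
    state: forcereinstall
  register: _pkg_result
  until: _pkg_result is succeeded

- name: Install additional packages (PiP)
  when: _docker_additional_packages_pip | length > 0
  become: "{{ docker_pip_sudo | bool }}"
  ansible.builtin.pip:
    name: "{{ item }}"
    state: present
    extra_args: "{{ docker_pip_extra_args }}"
  loop: "{{ _docker_additional_packages_pip }}"
  register: _pkg_result
  until: _pkg_result is succeeded
  environment:
    PYTHONWARNINGS: ignore

# https://github.com/docker/docker-py/issues/1502
- name: Workaround for issue - No module named ssl_match_hostname (Python 2.7)
  when:
    - docker_x_ssl_match_hostname | bool
    - not _docker_python3 | bool
    - _docker_additional_packages_pip | length > 0
  block:
    # Exit code 1 (import failed) is reported as "changed" so that the copy
    # below runs; any higher exit code fails the task.
    - name: Test if module ssl_match_hostname exists
      ansible.builtin.command: python -c "import backports.ssl_match_hostname"
      register: _docker_check_smh
      changed_when: _docker_check_smh.rc == 1
      failed_when: _docker_check_smh.rc > 1
      tags:
        - skip_ansible_lint

    # Copies the module from the /usr/local tree into the system
    # dist-packages tree with become.
    - name: Apply workaround for issue - No module named ssl_match_hostname (Python 2.7)
      when: _docker_check_smh is changed
      become: true
      ansible.builtin.command: cp -r /usr/local/lib/python2.7/dist-packages/backports/ssl_match_hostname/ /usr/lib/python2.7/dist-packages/backports
      check_mode: false
      tags:
        - skip_ansible_lint

- name: Workaround for issue - No module named shutil_get_terminal_size (Python 2.7)
  when:
    - docker_x_shutil_get_terminal_size | bool
    - not _docker_python3 | bool
    - _docker_additional_packages_pip | length > 0
  block:
    # Same exit-code convention as the ssl_match_hostname test above.
    - name: Test if module shutil_get_terminal_size exists
      ansible.builtin.command: python -c "import backports.shutil_get_terminal_size"
      register: _docker_check_shutil
      changed_when: _docker_check_shutil.rc == 1
      failed_when: _docker_check_shutil.rc > 1
      tags:
        - skip_ansible_lint

    - name: Apply workaround for issue - No module named shutil_get_terminal_size (Python 2.7)
      when: _docker_check_shutil is changed
      become: true
      ansible.builtin.command: cp -r /usr/local/lib/python2.7/dist-packages/backports/shutil_get_terminal_size/ /usr/lib/python2.7/dist-packages/backports
      check_mode: false
      tags:
        - skip_ansible_lint

- name: Gather the package facts
  ansible.builtin.package_facts:
    manager: auto

- name: Install docker compose downloaded from Github when Docker CLI plugin package is not available
  when:
    - docker_compose | bool
    - not 'docker-compose-plugin' in ansible_facts.packages
  block:
    # # Require Python library 'github3'
    # - name: Get latest release of docker compose
    #   community.general.github_release:
    #     user: docker
    #     repo: compose
    #     action: latest_release
    #   register: _github_docker_compose

    # - name: Set detected docker compose version
    #   ansible.builtin.set_fact:
    #     _docker_compose_version: "{{ _github_docker_compose.tag }}"
    #   when:
    #     - _github_docker_compose is defined
    #     - _github_docker_compose.tag is defined

    # SECURITY: the installed version is whatever the GitHub API reports as
    # the latest release at run time, so the binary is not pinned.
    # NOTE(review): the retry loop also stops on HTTP 403 (presumably API rate
    # limiting); confirm how a 403 result is meant to be handled, since the
    # version fact below is only set on status 200.
    - name: Get latest release information of docker-compose via GitHub API
      ansible.builtin.uri:
        url: https://api.github.com/repos/docker/compose/releases/latest
        body_format: json
      register: _github_docker_compose
      until: _github_docker_compose.status == 200 or _github_docker_compose.status == 403
      retries: 10
      check_mode: false

    - name: Set detected docker compose version
      ansible.builtin.set_fact:
        _docker_compose_version: "{{ _github_docker_compose.json.tag_name | replace('v', '') }}"
      when:
        - _github_docker_compose is defined
        - _github_docker_compose.status is defined
        - _github_docker_compose.status == 200
        - _github_docker_compose.json is defined

    # SECURITY: the .sha256 file is fetched from the same release location as
    # the binary. It catches a corrupted or truncated download but does not
    # provide an independent check of the release asset; pin a reviewed
    # version and checksum if that assurance is needed.
    # The file mode is quoted so it is always passed as the string "0755".
    - name: Install docker compose (Linux)
      when: _docker_compose_version is defined
      become: true
      ansible.builtin.get_url:
        url: "https://github.com/docker/compose/releases/download/\
          v{{ _docker_compose_version }}/docker-compose-{{ ansible_system | lower }}-{{ ansible_architecture }}"
        checksum: "sha256:https://github.com/docker/compose/releases/download/\
          v{{ _docker_compose_version }}/\
          docker-compose-{{ ansible_system | lower }}-{{ ansible_architecture }}.sha256"
        dest: "{{ docker_cli_plugins_dir[_docker_os_dist_file_varity] }}/docker-compose"
        mode: "0755"
      retries: 10

# Official installation of docker-compose (Linux): https://docs.docker.com/compose/install/#install-compose
- name: Create docker-compose symlinks for backward compatibility of this role
  when:
    - docker_compose | bool
  block:
    - name: Stat docker-compose
      ansible.builtin.stat:
        path: "{{ docker_cli_plugins_dir[_docker_os_dist_file_varity] }}/docker-compose"
      register: _docker_compose_cli_file
      check_mode: false

    # force: true replaces whatever already exists at the destination path.
    - name: Create symlink for docker-compose
      when: _docker_compose_cli_file.stat.exists
      become: true
      ansible.builtin.file:
        src: "{{ _docker_compose_cli_file.stat.path }}"
        dest: /usr/local/bin/docker-compose
        state: link
        force: true

    - name: Create symlink for docker-compose to work with sudo in some distributions
      when: _docker_compose_cli_file.stat.exists
      become: true
      ansible.builtin.file:
        src: "{{ _docker_compose_cli_file.stat.path }}"
        dest: /usr/bin/docker-compose
        state: link
        force: true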
--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
1 | # Changelog
2 |
3 | All notable changes to this project will be documented in this file.
4 |
5 | The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.1.0/)
6 | and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
7 |
8 | ## [Unreleased](../../releases/tag/X.Y.Z)
9 |
10 | ## [6.2.1](../../releases/tag/6.2.1) - 2025-10-04
11 |
12 | ## Fixed
13 |
14 | - Failed to remove packages in Fedora when `docker_remove` and `docker_remove_all` are set to `true` due to package dependency.
15 | - software-properties-common not available on debian 13 ([#183](../../issues/183))
16 |
17 | ## [6.2.0](../../releases/tag/6.2.0) - 2025-09-23
18 |
19 | ## Added
20 |
21 | - Added support for Ubuntu 25 [@HRGCompany] ([#182](../../issues/182))
22 |
23 | ## [6.1.1](../../releases/tag/6.1.1) - 2025-09-01
24 |
25 | ## Fixed
26 |
27 | - Docker removed nightly channel from repo-files ([#181](../../issues/181))
28 |
29 | ## [6.1.0](../../releases/tag/6.1.0) - 2024-12-08
30 |
31 | ## Added
32 |
33 | - Support for DNF 5 in Fedora 41 and later [@wzzrd]
34 | - Added `docker_install_setup_repos_dependencies` for user to disable/enable any handling of dependencies related to repo setup.
35 |
36 | ## Changed
37 |
38 | - Improved handling between different package managers related to the RedHat variety (e.g. yum, dnf, dnf5)
39 |
40 | ## Deprecated
41 |
42 | - Support for Python 2
43 | - Support for RHEL 7 and CentOS 7
44 | - Support for ansible-core 2.16
45 | - Linux Mint 18 and 19 in experimental variable `docker_x_mint_ubuntu_mapping`
46 |
47 | ## Internal
48 |
49 | - Commented out and removed config related to testing with additional disk.
50 |
51 | ## [6.0.1](../../releases/tag/6.0.1) - 2024-09-07
52 |
53 | ## Fixed
54 |
55 | - Change repository URL for RHEL to use "rhel" instead of "centos"
56 |
57 | ## [6.0.0](../../releases/tag/6.0.0) - 2024-08-21
58 |
59 | ## Added
60 |
61 | - Added support for Amazon Linux [@palyla]
62 | - Added support to bypass package manager GPG key verification [@palyla]
63 | - Added Linux Mint 22 mapping
64 |
65 | ## Removed
66 |
67 | - Removed support for devicemapper since it was removed from Docker Engine v25.
68 | - Removed support to install Docker Compose via Pip.
69 | - Remove tasks which uninstalls Docker versions before Docker CE
70 | - Removed handling of old Ubuntu and Debian systems without SNI
71 | - Removed tasks to handle older Docker CE versions 17 and 18
72 | - Removed task related to compatibility for no longer officially supported distributions since Docker CE 18.09
73 |
74 | ## [5.1.0](../../releases/tag/5.1.0) - 2024-01-27
75 |
76 | ## Added
77 |
78 | - Added support for ARM64 ([#170](../../issues/170))
79 |
80 | ## [5.0.3](../../releases/tag/5.0.3) - 2023-11-29
81 |
82 | ### Fixed
83 |
84 | - Interpolation to determine channel does not work in ansible-core 2.16 ([#169](../../issues/169))
85 |
86 | ## [5.0.2](../../releases/tag/5.0.2) - 2023-09-08
87 |
88 | ### Fixed
89 |
90 | - docker_version does not work as expected ([#168](../../issues/168))
91 |
92 | ## [5.0.1](../../releases/tag/5.0.1) - 2023-07-30
93 |
94 | ### Fixed
95 |
96 | - Changed order of installing additional pip packages ([#166](../../issues/166))
97 |
98 | ## [5.0.0](../../releases/tag/5.0.0) - 2023-05-20
99 |
100 | ### Changed
101 |
102 | - Docker Compose V1 is EOL and this role will no longer support that in general.
103 | - Changed name of `docker_compose_no_pip` to `docker_compose_pip`, default set to `false`.
104 | - `docker_compose` is `true` and `docker_compose_pip` is `false`, it will only create symbolic links (`docker-compose`) for backward compatibility. Docker compose CLI plugin is installed by default now.
105 |
106 | ### Removed
107 |
108 | - Removed variables `docker_compose_no_pip_detect_version` and `docker_compose_no_pip_version`
109 | - Removed Debian 8 bug tweaks.
110 |
111 | ### Internal
112 |
113 | - Updated Vagrantfile for testing to work with AlmaLinux 9 as controller.
114 | - Investigate impact of Docker Compose V2 ([#147](../../issues/147))
115 |
116 | ## [4.0.0](../../releases/tag/4.0.0) - 2022-12-05
117 |
118 | ### Changed
119 |
120 | - Bumped minimal Ansible version to 5.0.0
121 |
122 | ## Fixed
123 |
124 | - Unsupported parameters for (ansible.legacy.command) module: warn ([#160](../../issues/160))
125 |
126 | ## [3.8.0](../../releases/tag/3.8.0) - 2022-10-22
127 |
128 | ## Added
129 |
130 | - Add Linux Mint 21 support. [@alexander-danilenko] ([#156](../../issues/156))
131 | - Abort if podman is detected in the system
132 |
133 | ## Internal
134 |
135 | - Added manual test related to Docker SDK and PiP
136 | - Added test of docker-compose not using PiP and auto detect version in regression suite
137 |
138 | ## [3.7.2](../../releases/tag/3.7.2) - 2022-04-24
139 |
140 | ## Fixed
141 |
142 | - Docker daemon environment variables not set when SysVinit is used ([#152](../../issues/152))
143 |
144 | ## [3.7.1](../../releases/tag/3.7.1) - 2022-04-24
145 |
146 | ## Fixed
147 |
148 | - Upgrade of docker-compose fails when fetching latest version from Github API ([#151](../../issues/151))
149 | - Service module fail on WSL2 with Ubuntu 20.04 ([#150](../../issues/150))
150 |
151 | ## [3.7.0](../../releases/tag/3.7.0) - 2022-02-05
152 |
153 | ## Added
154 |
155 | - Support for CentOS Stream 8
156 |
157 | ## Internal
158 |
159 | - Update of test configuration.
160 | - Updated Docker CE support matrix.
161 |
162 | ## [3.6.1](../../releases/tag/3.6.1) - 2021-12-29
163 |
164 | ## Fixed
165 |
166 | - Fix broken Linux Mint 19 + 20 ([#144](../../pull/144))
167 |
168 | ## Internal
169 |
170 | - Minor refactoring of test configuration.
171 |
172 | ## [3.6.0](../../releases/tag/3.6.0) - 2021-11-07
173 |
174 | ## Added
175 |
176 | - Added support for Rocky Linux 8
177 |
178 | ## Fixed
179 |
180 | - Docker restart fails after OPA authz plugin installation on Ubuntu 20.04 ([#143](../../issues/143))
181 | - Docker plugin install seems to be missing "item.args" ([#142](../../issues/142))
182 |
183 | ## Internal
184 |
185 | - Rocky Linux 8 included in regression testing.
186 |
187 | ## [3.5.0](../../releases/tag/3.5.0) - 2021-10-30
188 |
189 | ### Added
190 |
191 | - Add support for RHEL7 ppc64le architecture [@DimaShmu] ([#140](../../issues/140))
192 |
193 | ## [3.4.1](../../releases/tag/3.4.1) - 2021-08-09
194 |
195 | ### Fixed
196 |
197 | - Error when creating docker-compose symlink when file is present at path
198 |
199 | ## [3.4.0](../../releases/tag/3.4.0) - 2021-06-28
200 |
201 | ### Changed
202 |
203 | - Add support to upgrade/downgrade docker-compose (binary version) ([#138](../../issues/138))
204 | - Bumped minimum Ansible version to 2.10 in role meta information
205 |
206 | ### Fixed
207 |
208 | - Bumped docker-compose version from 1.29.1 to 1.29.2 (`docker_compose_no_pip_version`)
209 | - Failed execution during removal of Docker CE and related files
210 |
211 | ### Internal
212 |
213 | - Restructure of test cases
214 | - Bumped Ansible version to 2.10.7 meaning regression testing is no longer done on versions below 2.10
215 |
216 | ## [3.3.2](../../releases/tag/3.3.2) - 2021-04-17
217 |
218 | ### Fixed
219 |
220 | - Python docker version 5 Drops support for Python 2 ([#136](../../issues/136))
221 | - Bumped non-Python version of docker-compose from 1.27.4 to 1.29.1
222 | - Fixed Ansible linting warnings related to rule 208
223 |
224 | ### Internal
225 |
226 | - Bumped ansible version to 2.9.20 which is used for regression testing
227 |
228 | ## [3.3.1](../../releases/tag/3.3.1) - 2021-02-21
229 |
230 | ### Fixed
231 |
232 | - Version 3.3.0 forces pip upgrades on RHEL8 ([#135](../../issues/135))
233 |
234 | ### Changed
235 |
236 | - Cleaned out old compatibility check related to Debian 7
237 |
238 | ## [3.3.0](../../releases/tag/3.3.0) - 2021-02-16
239 |
240 | ### Added
241 |
242 | - Add support for AlmaLinux 8 ([#133](../../issues/133))
243 |
244 | ### Fixed
245 |
246 | - PiP upgrade no longer works for Python 2 ([#134](../../issues/134))
247 |
248 | ## [3.2.1](../../releases/tag/3.2.1) - 2020-12-21
249 |
250 | ### Changed
251 |
252 | - Bumped docker-compose version to 1.27.4
253 |
254 | ## [3.2.0](../../releases/tag/3.2.0) - 2020-11-16
255 |
256 | ### Changed
257 |
258 | - Review code around Docker plugin handling ([#132](../../issues/132))
259 |
260 | ### Fixed
261 |
262 | - Docker daemon is not restarted on configuration change when already started. Fixed by changes in #132.
263 |
264 | ### Internal
265 |
266 | - Readme file in tests directory updated
267 | - Updated tests to use Ansible 2.9.15
268 |
269 | ## [3.1.2](../../releases/tag/3.1.2) - 2020-11-07
270 |
271 | ### Fixed
272 |
273 | - Centos8: Issues when trying to install plugins ([#131](../../issues/131))
274 |
275 | ## [3.1.1](../../releases/tag/3.1.1) - 2020-10-23
276 |
277 | ### Fixed
278 |
279 | - WSL2: Failing to check docker daemon status ([#127](../../issues/127))
280 |
281 | ## [3.1.0](../../releases/tag/3.1.0) - 2020-10-09
282 |
283 | ### Changed
284 |
285 | - Pip install on RHEL 7 and 8 ([#125](../../issues/125))
286 |
287 | ### Fixed
288 |
289 | - Fails on RHEL 7 because $releasever is set to 7Server ([#126](../../issues/126))
290 | - Tasks related to removal uses yum instead of dnf for RHEL 8 ([#124](../../issues/124))
291 |
292 | ## [3.0.0](../../releases/tag/3.0.0) - 2020-10-07
293 |
294 | ### Changed
295 |
296 | - Support for Ansible 2.8 dropped, increased to 2.9. Future changes might break compatibility.
297 | - containerd for CentOS/RHEL 8 update to version 1.2.13-3.2
298 | - Experimental switch `docker_x_redhat_centos_8_workaround` now defaults to `no`
299 | since it seems to now be available in CentOS/RHEL 8 repo: https://github.com/docker/for-linux/issues/873
300 |
301 | ### Fixed
302 |
303 | - RHEL8 install fails due to missing docker-ce-edge repository ([#123](../../issues/123))
304 |
305 | ### Removed
306 |
307 | - Remove handling of deprecated variable docker_pkg_name ([#85](../../issues/85))
308 | - Remove handling of deprecated variable docker_enable_ce_edge ([#83](../../issues/83))
309 |
310 | ## [2.7.0](../../releases/tag/2.7.0) - 2020-08-09
311 |
312 | ### Changed
313 |
314 | - Update default docker-compose version to 1.26.2
315 | - Changed `docker_x_ssl_match_hostname` to true and detection if missing
316 |
317 | ### Fixed
318 |
319 | - No module named shutil_get_terminal_size ([#121](../../issues/121))
320 |
321 | ### Added
322 |
323 | - Add missing audit rules which are defined in CIS Docker Benchmark 1.2.0 ([#120](../../issues/120))
324 |
325 | ## [2.6.6](../../releases/tag/2.6.6) - 2020-07-19
326 |
327 | ### Fixed
328 |
329 | - No package matching '' is available ([#119](../../issues/119))
330 |
331 | ## [2.6.5](../../releases/tag/2.6.5) - 2020-07-04
332 |
333 | ### Fixed
334 |
335 | - Missing dependency zipp for installed docker-compose using PiP ([#112](../../issues/112))
336 |
337 | ## [2.6.4](../../releases/tag/2.6.4) - 2020-06-27
338 |
339 | ### Changed
340 |
341 | - Updated default docker-compose version to 1.26.0
342 |
343 | ## [2.6.3](../../releases/tag/2.6.3) - 2020-05-02
344 |
345 | ### Changed
346 |
347 | - Minimum supported Ansible version increased to 2.8.
348 | - Update default docker-compose version to 1.25.5 ([#114](../../issues/114))
349 | - Improve/Refactor handling related to postinstall steps and PiP ([#115](../../issues/115))
350 |
351 | ### Fixed
352 |
353 | - Fix python3 reference in tasks/postinstall.yml ([#117](../../issues/117))
354 |
355 | ### Internal
356 |
357 | - Improved testing to get it more stable when reboots are required
358 | - Docker run throws error on Fedora 31 ([#116](../../issues/116))
359 |
360 | ## [2.6.2](../../releases/tag/2.6.2) - 2019-12-04
361 |
362 | ### Fixed
363 |
364 | - Docker CE package fails to install on CentOS 8 ([#110](../../issues/110))
365 |
366 | ## [2.6.1](../../releases/tag/2.6.1) - 2019-08-13
367 |
368 | ### Fixed
369 |
370 | - EPEL repo shall not be installed when docker_setup_repos is false
371 |
372 | ## [2.6.0](../../releases/tag/2.6.0) - 2019-08-10
373 |
374 | ### Added
375 |
376 | - Add support to disable setup of apt/dnf/apt repos ([#109](../../issues/109))
377 |
378 | ## [2.5.2](../../releases/tag/2.5.2) - 2019-08-02
379 |
380 | ### Fixed
381 |
382 | - Error in apt_repository on Ubuntu 19.04 (Disco Dingo) ([#108](../../issues/108))
383 | - 19.03 fails on Fedora 28 - write /proc/self/attr/keycreate: permission denied ([#107](../../issues/107))
384 | - Ubuntu 17.10 Artful is not handled correctly ([#104](../../issues/104))
385 | - Updated default value for docker-compose version to 1.24.1
386 |
387 | ### Internal
388 |
389 | - Added automated test for Ubuntu 19.04 Disco Dingo
390 | - Removed Ubuntu 14.04 Trusty Tahr from automated tests
391 | - Updated tests to not use deprecated configuration which was now removed in 19.03 ([#105](../../issues/105))
392 |
393 | ## [2.5.1](../../releases/tag/2.5.1) - 2019-07-16
394 |
395 | ### Fixed
396 |
397 | - Major version comparison fails for some tasks due to non-numeric value ([#103](../../issues/103))
398 | - Docker compose fails on Debian 10 (Buster) ([#102](../../issues/102))
399 |
400 | ## [2.5.0](../../releases/tag/2.5.0) - 2019-07-14
401 |
402 | ### Added
403 |
404 | - Added initial basic support for Raspbian
405 |
406 | ### Fixed
407 |
408 | - Migrating from with_X to loop ([#100](../../issues/100))
409 | - Install of authz plugins does not update daemon config ([#99](../../issues/99))
410 | - Failure on Fedora 30 ([#93](../../issues/93))
411 |
412 | ### Internal
413 |
414 | - Updated experimental CIS test.
415 |
416 | ## [2.4.1](../../releases/tag/2.4.1) - 2019-06-06
417 |
418 | ### Fixed
419 |
420 | - RHEL: subscription-manager uses network when docker_network_access is set to false ([#98](../../issues/98))
421 |
422 | ## [2.4.0](../../releases/tag/2.4.0) - 2019-06-05
423 |
424 | ### Added
425 |
426 | - Experimental configuration (`docker_network_access`) to not access network during run
427 |
428 | ### Changed
429 |
430 | - Many deprecation warnings in Ansible 2.8 ([#94](../../issues/94))
431 | - Improve handling of Python 3 ([#95](../../issues/95))
432 | - RHEL: handling repos NOT via subscription-manager ([#96](../../issues/96))
433 | - Role name changed due to automatic conversion of hyphen to underscore in Ansible Galaxy
434 |
435 | ### Fixed
436 |
437 | - api.github.com limits on number of requests causes the request to fail ([#87](../../issues/87))
438 | - RHEL, role fails to remove "pre-docker-ce" packages ([#92](../../issues/92))
439 | - Install of Docker SDK fails on RHEL (not supported by this role) ([#97](../../issues/97))
440 |
441 | ### Internal
442 |
443 | - Preparations for doing automated tests with RHEL 7
444 | - Increase Ansible version to 2.6.16
445 | - Preparations for better handling of Python 3 in test suites
446 | - Removed Debian 7 Wheezy from tests due to APT repository EOLs etc
447 |
448 | ## [2.3.0](../../releases/tag/2.3.0) - 2019-03-11
449 |
450 | ### Fixed
451 |
452 | - APT repository setup fails on Debian Buster 10 ([#88](../../issues/88))
453 |
454 | ### Added
455 |
456 | - Added `postinstall` tag
457 |
458 | ### Changed
459 |
460 | - Deprecation warning about filters in Ansible 2.5 ([#40](../../issues/40))
461 |
462 | ### Internal
463 |
464 | - Updated regression test baseline to Ansible 2.5
465 | - Refactored setup of repository to reduce number of skipped tasks
466 | - Refactored distribution check tasks
467 | - Added regression tests
468 |
469 | ## [2.2.0](../../releases/tag/2.2.0) - 2019-02-10
470 |
471 | ### Added
472 |
473 | - Support removal of Docker CE packages and related configuration ([#82](../../issues/82))
474 | - Replace docker_pkg_name with docker_version ([#86](../../issues/86))
475 |
476 | ### Deprecated
477 |
478 | - Variable `docker_remove_pre_ce` will be removed in future major release ([#80](../../issues/80))
479 | - Variable `docker_pkg_name` will be removed in future major release ([#86](../../issues/86))
480 |
481 | ## [2.1.1](../../releases/tag/2.1.1) - 2019-02-01
482 |
483 | ### Fixed
484 |
485 | - Changing Docker repository channel does not work ([#79](../../issues/79))
486 |
487 | ## [2.1.0](../../releases/tag/2.1.0) - 2019-01-19
488 |
489 | ### Added
490 |
491 | - Initial support for installation of Docker plugins ([#78](../../issues/78))
492 |
493 | ### Internal
494 |
495 | - Some adjustments to what is included in regression test suite
496 | - Devicemapper regression tests fail with Docker 18.09 ([#69](../../issues/69))
497 | - Docker CE matrix added to see distribution support
498 |
499 | ## [2.0.0](../../releases/tag/2.0.0) - 2019-01-03
500 |
501 | ### Added
502 |
503 | - Improve use of --check ([#72](../../issues/72))
504 | - Add more advanced options to control PiP package installation ([#73](../../issues/73))
505 | - Flag to disable compatibility and distribution checks
506 | - python-pip-whl is required in Debian 8 to install via PiP
507 |
508 | ### Changed
509 |
510 | - Docker 18.09 fails to create containers when MountFlags=slave is set ([#76](../../issues/76))
511 |
512 | ### Fixed
513 |
514 | - Non-systemd environment variables are not correctly set since version 1.11.0 of this role ([#74](../../issues/74))
515 | - Some variables live on between plays, which causes unexpected behavior ([#75](../../issues/75))
516 | - docker-compose does not work with sudo ([#77](../../issues/77))
517 |
518 | ### Internal
519 |
520 | - Refactored automated tests to now execute Ansible from separate node due to issues
521 | with VirtualBox guest additions from time to time.
522 | - Fixed issues reported by Ansible-lint
523 |
524 | ## [1.11.3](../../releases/tag/1.11.3) - 2018-12-11
525 |
526 | ### Fixed
527 |
528 | - python-pip is always installed ([#71](../../issues/71))
529 |
530 | ## [1.11.2](../../releases/tag/1.11.2) - 2018-12-11
531 |
532 | ### Fixed
533 |
534 | - docker_compose_no_pip only works in Ansible 2.7 or later ([#68](../../issues/68))
535 | - Pip not installed before use of pip module ([#70](../../issues/70))
536 |
537 | ## [1.11.1](../../releases/tag/1.11.1) - 2018-12-03
538 |
539 | ### Fixed
540 |
541 | - Docker compose is installed via PiP even when docker_compose_no_pip is set to true ([#68](../../issues/68))
542 |
543 | ## [1.11.0](../../releases/tag/1.11.0) - 2018-12-01
544 |
545 | ### Added
546 |
547 | - Identify systemd support even in check mode ([#66](../../issues/66))
548 |
549 | ### Internal
550 |
551 | - Ansible-lint with Ansible Galaxy rules report problems ([#67](../../issues/67))
552 | - Fixed issues with missing Fedora images at vagrantup.com
553 |
554 | ## [1.10.0](../../releases/tag/1.10.0) - 2018-11-05
555 |
556 | ### Added
557 |
558 | - Add support for Debian 7 (Wheezy) ([#64](../../issues/64))
559 |
560 | ### Fixed
561 |
562 | - Docker startup fails in Fedora 28 because it cannot find pvcreate ([#58](../../issues/58))
563 | - LVM2 package is required to be installed when devicemapper is used ([#61](../../issues/61))
564 | - docker-compose won't install ([#62](../../issues/62))
565 | - Revisit install of docker-compose ([#63](../../issues/63))
566 |
567 | ### Internal
568 |
569 | - Testing: Snapshotting used during testing by `test.sh` to speed up by avoiding unnecessary installs of Ansible and guest additions
570 | - Add Fedora distributions to test suite ([#57](../../issues/57))
571 | - Fails to install VirtualBox guest additions on Fedora 29 beta ([#59](../../issues/59))
572 | - Replace currently used Vagrant boxes during testing with more official boxes ([#60](../../issues/60))
573 |
574 | ## [1.9.0](../../releases/tag/1.9.0) - 2018-10-24
575 |
576 | ### Added
577 |
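578 | - Add support to allow users to be added to the docker group ([#53](../../issues/53)). Note that members of the docker group can control the Docker daemon, which is effectively root access on the host.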
579 | - Add support to select different Docker repository channels ([#55](../../issues/55))
580 |
581 | ### Deprecated
582 |
583 | - Variable `docker_enable_ce_edge` will be removed because Docker no longer provides edge releases ([#54](../../issues/54))
584 |
585 | ## [1.8.0](../../releases/tag/1.8.0) - 2018-10-14
586 |
587 | ### Added
588 |
589 | - Add support to install Docker Ansible module dependencies ([#48](../../issues/48))
590 | - Add support to install packages after install via PiP or OS package manager ([#49](../../issues/49))
591 |
592 | ### Internal
593 |
594 | - Testing: Improved structure in `vagrant_config.yml` for `test.sh`
595 | - Testing: Improved `test.sh` with better limit functionality
596 |
597 | ### Fixed
598 |
599 | - auditd is installed even if docker_enable_audit set to false ([#50](../../issues/50))
600 | - Cannot use dm.directlvm_device in Debian 8 ([#51](../../issues/51))
601 | - Update repository cache fails on Fedora ([#52](../../issues/52))
602 |
603 | ## [1.7.2](../../releases/tag/1.7.2) - 2018-09-27
604 |
605 | ### Fixed
606 |
607 | - Python 3 forward compatibility ([#47](../../issues/47))
608 |
609 | ## [1.7.1](../../releases/tag/1.7.1) - 2018-07-08
610 |
611 | ### Fixed
612 |
613 | - Ansible Galaxy linting report error during import ([#45](../../issues/45))
614 | - null written to /etc/docker/daemon.json ([#46](../../issues/46))
615 |
616 | ## [1.7.0](../../releases/tag/1.7.0) - 2018-07-08
617 |
618 | ### Added
619 |
620 | - Add support to add environment variables to Docker daemon ([#43](../../issues/43))
621 | - Add support to add systemd configuration options to Docker service ([#44](../../issues/44))
622 |
623 | ### Fixed
624 |
625 | - systemctl daemon-reload is not run when toggling docker_enable_mount_flag_fix ([#39](../../issues/39))
626 | - Role is not idempotent for Ubuntu and Debian distributions ([#41](../../issues/41))
627 | - Cannot set hosts in daemon.json because of arguments to dockerd in Ubuntu/Debian ([#42](../../issues/42))
628 |
629 | ## [1.6.0](../../releases/tag/1.6.0) - 2018-06-07
630 |
631 | ### Changed
632 |
633 | - Deprecation warning about include in Ansible 2.4 ([#12](../../issues/12))
634 |
635 | ## [1.5.0](../../releases/tag/1.5.0) - 2018-05-02
636 |
637 | ### Added
638 |
639 | - Add tags to either install or just configure Docker ([#37](../../issues/37))
640 |
641 | ## [1.4.0](../../releases/tag/1.4.0) - 2018-04-14
642 |
643 | ### Added
644 |
645 | - Introduce flag to disable mount flag fix and addition of compatibility check [@jamiejackson] ([#35](../../issues/35))
646 |
647 | ## [1.3.2](../../releases/tag/1.3.2) - 2018-02-07
648 |
649 | ### Fixed
650 |
651 | - RedHat: breaks when rhel-7-server-rt-beta-rpms isn't listed; check [@jamiejackson] ([#29](../../issues/29))
652 |
653 | ## [1.3.1](../../releases/tag/1.3.1) - 2018-02-01
654 |
655 | ### Fixed
656 |
657 | - Install failed on CentOS because of newly added RedHat support ([#28](../../issues/28))
658 |
659 | ## [1.3.0](../../releases/tag/1.3.0) - 2018-01-28
660 |
661 | ### Added
662 |
663 | - Support for RedHat [@jamiejackson] ([#26](../../issues/26))
664 |
665 | ## [1.2.0](../../releases/tag/1.2.0) - 2017-12-08
666 |
667 | ### Added
668 |
669 | - Add support to specify specific Docker version ([#21](../../issues/21))
670 | - Support for Linux Mint ([#24](../../issues/24))
671 |
672 | ## [1.1.0](../../releases/tag/1.1.0) - 2017-11-06
673 |
674 | ### Added
675 |
676 | - Add support to ensure Docker is not upgraded ([#17](../../issues/17))
677 | - Support for Ubuntu and Debian ([#20](../../issues/20))
678 |
679 | ### Changed
680 |
681 | - Refactoring of tasks ([#19](../../issues/19))
682 |
683 | ### Fixed
684 |
685 | - /proc/sys/fs/may_detach_mounts does not exist in all kernel 3.10 versions ([#18](../../issues/18))
686 | - auditd does not apply all rules after reboot because of rule errors ([#16](../../issues/16))
687 |
688 | ## [1.0.1](../../releases/tag/1.0.1) - 2017-10-22
689 |
690 | ### Fixed
691 |
692 | - Kernel parameter fs.may_detach_mounts is necessary even if mount flag is set to slave ([#13](../../issues/13))
693 |
694 | ## [1.0.0](../../releases/tag/1.0.0) - 2017-10-17
695 |
696 | ### Removed
697 |
698 | - Removed support to setup devicemapper using container-storage-setup ([#10](../../issues/10))
699 |
700 | ## [0.4.3](../../releases/tag/0.4.3) - 2017-09-26
701 |
702 | ### Fixed
703 |
704 | - MountFlags "slave" helps to prevent "device busy" errors on RHEL/CentOS 7.3 kernels [@jgagnon1] ([#11](../../issues/11))
705 |
706 | ## [0.4.2](../../releases/tag/0.4.2) - 2017-08-13
707 |
708 | ### Fixed
709 |
710 | - Docker fails to setup subgid and subuid in CentOS 7.3.1611 ([#9](../../issues/9))
711 |
712 | ### Deprecated
713 |
714 | - Functionality related to `docker_setup_devicemapper`. Similar support now available in Docker v17.06.
715 |
716 | ## [0.4.1](../../releases/tag/0.4.1) - 2017-07-21
717 |
718 | ### Fixed
719 |
720 | - Missing docker.service.d directory ([#6](../../issues/6))
721 |
722 | ## [0.4.0](../../releases/tag/0.4.0) - 2017-06-30
723 |
724 | ### Added
725 |
726 | - Add configuration option for adding audit rules for Docker compliant with CIS 1.13 ([#5](../../issues/5))
727 |
728 | ## [0.3.0](../../releases/tag/0.3.0) - 2017-06-28
729 |
730 | ### Added
731 |
732 | - Add configuration support to enable Docker CE Edge versions ([#3](../../issues/3))
733 | - Add simple support to setup devicemapper using container-storage-setup ([#4](../../issues/4))
734 |
735 | ## [0.2.0](../../releases/tag/0.2.0) - 2017-05-25
736 |
737 | ### Fixed
738 |
739 | - Task "Configure Docker daemon" fails because of missing directory ([#2](../../issues/2))
740 |
741 | ### Added
742 |
743 | - Add support to specify daemon.json file to copy ([#1](../../issues/1))
744 |
745 | ## [0.1.0](../../releases/tag/0.1.0) - 2017-05-01
746 |
747 | ### Added
748 |
749 | - Support to remove pre Docker CE versions
750 | - Basic configuration support for Docker daemon
751 |
--------------------------------------------------------------------------------