docker

This role will install Docker and, given a list of containers to deploy, will do the following:

  1. Create needed docker networks
  2. Open up necessary firewall ports
  3. Generate docker-compose files (1 per container)
  4. Ensure container user/group exists
  5. Ensure container persistent directories exist with correct perms and SELinux contexts
  6. Generate a systemd service file per container
  7. Set up systemd timers to automatically pull new and purge old container images

Requirements

This role is only tested on Fedora/CentOS machines.

Variables

container_user: user name to run containers as (will be generated if not exists)
container_uid: uid of above user name
container_group: group name of container_user (will be generated if not exists)
container_gid: gid of above group name

Automated pulls and purges are handled by systemd timers. Any valid systemd timer calendar event expression may be passed to them:

docker_pull_timer: weekly
docker_purge_timer: monthly

global_env_vars: # will be set on any container which has include_global_env_vars: true
  - PUID={{ container_uid }}
  - PGID={{ container_gid }}
  - TZ=America/Los_Angeles

firewall_ports: # list of ports to open up on the host
  - 80/tcp
  - 443/tcp

Since this role sets up each container individually, if multiple containers need to talk directly to each other, the container networks must be outlined explicitly.

This role sets up each container as an individual docker-compose.yml file with a 1-to-1 relationship with its systemd service. This means we cannot rely on docker-compose's built-in networking feature for connecting multiple containers together.

Outline any networks you need via container_networks:

container_networks:
  - name: nginx-proxy
    driver: bridge
    subnet: 172.21.10.0/24
    ip_range: 172.21.10.0/24
    gateway: 172.21.10.1

And specify those networks in the corresponding container's dictionary:

containers:
  - name: swag
    active: true
    image: linuxserver/swag
    ports:
      - 80:80
      - 443:443
    volumes:
      - /opt/swag:/config
    include_global_env_vars: true
    environment:
      - URL=myexamplesite.biz
      - VALIDATION=http
      - SUBDOMAINS=www,git,
      - EMAIL=admin@myexamplesite.biz
    restart: unless-stopped
    memlimit: 300m
    networks:
      - nginx-proxy

  - name: gogs
    active: true
    image: gogs/gogs
    ports:
      - "10022:22" # quoted: see https://github.com/go-yaml/yaml/issues/34#issuecomment-55772666
    volumes:
      - /opt/gogs:/data
    include_global_env_vars: false
    restart: unless-stopped
    memlimit: 500m
    networks:
      - nginx-proxy
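An added consistency check over the variables above, written for this readme and not part of the role itself: it flags networks a container references that container_networks never defines, and fixed host ports an active container publishes that firewall_ports does not declare. The sample data mirrors the examples above; the old-app entry and the port-mapping parser are assumptions of the example.

```python
from typing import Dict, List

# Constructed sample data mirroring the readme's variables (not the role's defaults).
CONTAINER_NETWORKS = [{"name": "nginx-proxy", "driver": "bridge",
                       "subnet": "172.21.10.0/24", "gateway": "172.21.10.1"}]
FIREWALL_PORTS = ["80/tcp", "443/tcp"]
CONTAINERS = [
    {"name": "swag", "active": True, "image": "linuxserver/swag",
     "ports": ["80:80", "443:443"], "networks": ["nginx-proxy"]},
    {"name": "gogs", "active": True, "image": "gogs/gogs",
     "ports": ["10022:22"], "networks": ["nginx-proxy"]},
    {"name": "old-app", "active": False, "image": "example/old",  # constructed
     "ports": ["8080:80"], "networks": ["legacy-net"]},
]


def host_port(mapping: str) -> str:
    """Fixed host port of a compose 'ports' entry, or '' if Docker picks one.
    Handles HOST:CTR, IP:HOST:CTR and a trailing /proto on the container side."""
    parts = str(mapping).split(":")
    return parts[-2] if len(parts) >= 2 else ""


def check_config(containers: List[Dict], networks: List[Dict],
                 firewall_ports: List[str]) -> List[str]:
    """Return problems: networks used but not in container_networks, and host
    ports published by an active container that firewall_ports does not
    declare (review whether that port should be reachable on the host)."""
    defined = {n["name"] for n in networks}
    declared = {p.split("/")[0] for p in firewall_ports}
    problems = []
    for c in containers:
        if not c.get("active", False):
            continue  # the role only deploys active containers
        for net in c.get("networks", []):
            if net not in defined:
                problems.append(f"{c['name']}: network {net!r} not in container_networks")
        for mapping in c.get("ports", []):
            port = host_port(mapping)
            if port and port not in declared:
                problems.append(f"{c['name']}: host port {port} not in firewall_ports")
    return problems


if __name__ == "__main__":
    for line in check_config(CONTAINERS, CONTAINER_NETWORKS, FIREWALL_PORTS):
        print(line)
```

With the sample data it reports only gogs publishing host port 10022 without a matching firewall_ports entry; the inactive old-app entry is skipped, as the role would skip it.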

Usage

This role creates a docker-compose.yml file for each entry in the list of containers under the filename:
/root/docker/<name>/docker-compose.yml

It also generates systemd service files of the name:
/etc/systemd/system/<name>.service

This file is a simple wrapper around docker-compose:

[root@shareunderware ~]# systemctl cat swag.service
# /etc/systemd/system/swag.service
# This file is managed by Ansible. Any local changes may be wiped out!
[Unit]
Description=systemd wrapper around docker swag service
Requires=docker.service
After=docker.service

[Service]
Restart=always
User=root
Group=docker

ExecStartPre=/usr/bin/docker-compose -f /root/docker/swag/docker-compose.yml down -v
ExecStart=/usr/bin/docker-compose -f /root/docker/swag/docker-compose.yml up
ExecStop=/usr/bin/docker-compose -f /root/docker/swag/docker-compose.yml down -v

[Install]
WantedBy=multi-user.target

This method allows the logs to be captured via journald, so they can be queried just like any other service's:

[root@shareunderware ~]# journalctl -fu swag.service
Apr 25 04:20:59 shareunderware docker-compose[1956]: swag    | [cont-init.d] 70-templates: exited 0.
Apr 25 04:20:59 shareunderware docker-compose[1956]: swag    | [cont-init.d] 90-custom-folders: executing...
Apr 25 04:20:59 shareunderware docker-compose[1956]: swag    | [cont-init.d] 90-custom-folders: exited 0.
Apr 25 04:20:59 shareunderware docker-compose[1956]: swag    | [cont-init.d] 99-custom-files: executing...
Apr 25 04:20:59 shareunderware docker-compose[1956]: swag    | [custom-init] no custom files found exiting...
Apr 25 04:20:59 shareunderware docker-compose[1956]: swag    | [cont-init.d] 99-custom-files: exited 0.
Apr 25 04:20:59 shareunderware docker-compose[1956]: swag    | [cont-init.d] done.
Apr 25 04:20:59 shareunderware docker-compose[1956]: swag    | [services.d] starting services
Apr 25 04:20:59 shareunderware docker-compose[1956]: swag    | [services.d] done.
Apr 25 04:21:03 shareunderware docker-compose[1956]: swag    | Server ready

License

GPLv3