konstruktoid / ansible-role-docker-rootless

Ansible role to install a rootless Docker server
Apache License 2.0

RootlessKit network and port driver config #432

Closed msladek closed 3 months ago

msladek commented 3 months ago

https://github.com/konstruktoid/ansible-role-docker-rootless/issues/426

konstruktoid commented 3 months ago
diff --git a/README.md b/README.md
index 593f87f..2f842f7 100644
--- a/README.md
+++ b/README.md
@@ -136,7 +136,7 @@ The `docker_allow_ping` variable configures if unprivileged users can open
 On some distributions, this is not allowed, and thereby containers cannot ping
 to the outside.

-The `docker_driver_network` and `docker_driver_port` variables configure RootlessKit's
+The `docker_driver_network` and `docker_driver_port` variables configure RootlessKit's
 [network driver](https://github.com/rootless-containers/rootlesskit/blob/master/docs/network.md) or
 [port driver](https://github.com/rootless-containers/rootlesskit/blob/master/docs/port.md),
 respectively. This is useful for
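Review bot: the `-` and `+` lines of this README hunk read identically, so the change is whitespace-only (most likely a trailing space); worth stating in the commit message so reviewers do not hunt for a wording difference.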
diff --git a/tasks/docker_service.yml b/tasks/docker_service.yml
index 9e9fbbe..ea917e2 100644
--- a/tasks/docker_service.yml
+++ b/tasks/docker_service.yml
@@ -1,12 +1,13 @@
+---
 - name: Configure Docker network/port drivers
   become: true
   become_user: "{{ docker_user }}"
   ansible.builtin.lineinfile:
     dest: "{{ docker_user_info.home }}/.config/systemd/user/docker.service"
-    insertafter: '\[Service\]'
+    insertafter: \[Service\]
     firstmatch: true
-    regexp: "^Environment=\"{{ item.key }}="
-    line: "Environment=\"{{ item.key }}={{ item.value }}\""
+    regexp: ^Environment="{{ item.key }}=
+    line: Environment="{{ item.key }}={{ item.value }}"
   loop:
     - key: DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER
       value: "{{ docker_driver_port }}"
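Review bot: `{{ item.key }}` is interpolated into `regexp` unescaped; that is safe for the fixed DOCKERD_ROOTLESS_ROOTLESSKIT_* keys in the loop, but `{{ item.key | regex_escape }}` would keep the match correct for any future key. Dropping the quotes around `insertafter`, `regexp` and `line` is valid YAML here, since none of the plain scalars starts with an indicator character or contains `: ` or ` #`, and the backslashes in `\[Service\]` stay literal. Note also that `^Environment="{{ item.key }}=` only matches the double-quoted form that `line` writes, so a pre-existing unquoted `Environment=KEY=value` entry would not be replaced and a second entry would be inserted after `[Service]`.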
konstruktoid commented 3 months ago

Thanks @msladek! A couple of issues, see above.

msladek commented 3 months ago

@konstruktoid The patch is applied. Regarding the test failure, do you have more detailed info on what's not idempotent about the two tasks? I cannot get the molecule vagrant tests to run on my end.

konstruktoid commented 3 months ago

Seems the environment variables are set/unset in dockerd-rootless.sh.

TASK [ansible-role-docker-rootless : Configure Docker network/port drivers] ****
changed: [jammy] => (item={'key': 'DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER', 'value': 'builtin'})
changed: [focal] => (item={'key': 'DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER', 'value': 'builtin'})
ok: [focalroot] => (item={'key': 'DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER', 'value': 'builtin'})
changed: [bookworm] => (item={'key': 'DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER', 'value': 'builtin'})
changed: [debiantesting] => (item={'key': 'DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER', 'value': 'builtin'})
ok: [almalinux9] => (item={'key': 'DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER', 'value': 'builtin'})
ok: [focalroot] => (item={'key': 'DOCKERD_ROOTLESS_ROOTLESSKIT_NET', 'value': 'slirp4netns'})
changed: [focal] => (item={'key': 'DOCKERD_ROOTLESS_ROOTLESSKIT_NET', 'value': 'slirp4netns'})
changed: [jammy] => (item={'key': 'DOCKERD_ROOTLESS_ROOTLESSKIT_NET', 'value': 'slirp4netns'})
changed: [bookworm] => (item={'key': 'DOCKERD_ROOTLESS_ROOTLESSKIT_NET', 'value': 'slirp4netns'})
changed: [debiantesting] => (item={'key': 'DOCKERD_ROOTLESS_ROOTLESSKIT_NET', 'value': 'slirp4netns'})
ok: [almalinux9] => (item={'key': 'DOCKERD_ROOTLESS_ROOTLESSKIT_NET', 'value': 'slirp4netns'})
~$ cat  /home/jammyuser/.config/systemd/user/docker.service
# Ansible managed: Do NOT edit this file manually!
# Generated by Ansible role ansible-role-docker-rootless

[Unit]
Description=Docker Application Container Engine (Rootless)
Documentation=https://docs.docker.com/engine/security/rootless/

[Service]
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns"
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=builtin"
Environment="DOCKER_HOST=unix:///run/user/1001/docker.sock"
Environment="PATH=/home/jammyuser/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Environment="XDG_RUNTIME_DIR=/run/user/1001"
ExecStart=/home/jammyuser/bin/dockerd-rootless.sh
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
Delegate=yes
Type=simple
KillMode=mixed

[Install]
WantedBy=default.target
~$ sha1sum $HOME/.config/systemd/user/docker.service*
14ce954549826e23a7134bc316f528c1e3ffeb83  /home/jammyuser/.config/systemd/user/docker.service
14ce954549826e23a7134bc316f528c1e3ffeb83  /home/jammyuser/.config/systemd/user/docker.service.4084.2024-08-12@17:15:58~
14ce954549826e23a7134bc316f528c1e3ffeb83  /home/jammyuser/.config/systemd/user/docker.service.5903.2024-08-12@17:29:01~
konstruktoid commented 3 months ago

https://github.com/moby/moby/blob/master/contrib/dockerd-rootless.sh#L20-L26

msladek commented 3 months ago

Thanks for the details! Moved the config to the override.conf, hope that resolves the issues.
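
One way to carry the driver settings in a systemd drop-in rather than editing docker.service in place, as an added example that is not the PR's own tasks: the whole override.conf is rendered from the role variables, so a second run compares content and reports ok. It assumes the role's `docker_user`, `docker_user_info.home`, `docker_driver_network` and `docker_driver_port` variables, and a `docker_user_info.uid` attribute for the user bus, which is not shown on this page.

```yaml
---
# Added example (not from the role): configure RootlessKit drivers through a
# systemd user drop-in. Path matches the Drop-In shown by systemctl status.
- name: Create docker.service drop-in directory
  become: true
  become_user: "{{ docker_user }}"
  ansible.builtin.file:
    path: "{{ docker_user_info.home }}/.config/systemd/user/docker.service.d"
    state: directory
    mode: "0755"

- name: Configure RootlessKit network/port drivers via override.conf
  become: true
  become_user: "{{ docker_user }}"
  ansible.builtin.copy:
    dest: "{{ docker_user_info.home }}/.config/systemd/user/docker.service.d/override.conf"
    mode: "0644"
    # Full-file content: no regexp matching, so re-runs are idempotent and a
    # stale or hand-edited entry cannot survive next to the managed one.
    content: |
      [Service]
      Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_NET={{ docker_driver_network }}"
      Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER={{ docker_driver_port }}"
  notify: Reload rootless Docker user unit

# Handler (belongs in handlers/main.yml): re-read the unit so the drop-in
# is applied. docker_user_info.uid is assumed to exist for XDG_RUNTIME_DIR.
- name: Reload rootless Docker user unit
  become: true
  become_user: "{{ docker_user }}"
  ansible.builtin.systemd:
    scope: user
    daemon_reload: true
    name: docker.service
    state: restarted
  environment:
    XDG_RUNTIME_DIR: "/run/user/{{ docker_user_info.uid }}"
```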

konstruktoid commented 3 months ago
docker.service - Docker Application Container Engine (Rootless)
     Loaded: loaded (/home/jammyuser/.config/systemd/user/docker.service; enabled; vendor preset: enabled)
    Drop-In: /home/jammyuser/.config/systemd/user/docker.service.d
             └─override.conf
konstruktoid commented 3 months ago

Thanks @msladek!

msladek commented 3 months ago

Awesome, thanks for the merge @konstruktoid!