- Installs Docker Community Edition (CE) on CentOS 7
- Pre-configured with user namespaces for increased security.
  - NOTE: a reboot is required to activate the kernel changes.
  - After user namespaces are enabled, host bind mounts will no longer work.
  - Containers will be unable to bind to the Docker engine on the local UNIX socket; this specifically affects management tools like Portainer. The workaround is to configure the Docker engine with TLS.
- Generates TLS certificates and secures the Docker engine:
  - Requires the Galaxy role easypath.generate-tls-certs
  - Configures the Docker client to connect using TLS by default; otherwise the TLS cert and key must be specified every time the `docker` command is run. This is configured per profile and requires a client certificate (see here for more info).
  - After configuring TLS, `docker` commands no longer need to be prefixed with `sudo`.
- Docker engine binds new containers to localhost by default if no IP is specified
- Configures Docker Swarm-related firewalld rules
- See `defaults/main.yml`
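The three engine-side settings the list above relies on (user namespace remapping, mutually authenticated TLS on any TCP listener, loopback as the default publish address) can be checked against a host's `/etc/docker/daemon.json`. The following audit function is an added example and is not part of this role; the daemon.json keys it reads (`userns-remap`, `hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`, `ip`) are the Docker engine's own, while the two sample configs are constructed here for illustration.

```python
import json
from urllib.parse import urlsplit

# Key/cert files the engine needs once tlsverify is on.
TLS_FILE_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(cfg: dict) -> list:
    """Return findings for a parsed daemon.json; an empty list means it
    matches the hardening this role applies."""
    findings = []

    # 1. Without userns-remap, root inside a container is root on the host.
    if not cfg.get("userns-remap"):
        findings.append("userns-remap not set: container root maps to host root")

    # 2. Any tcp:// listener exposes the full engine API, so it must require
    #    client certificates (tlsverify) and have all three TLS files set.
    tcp_hosts = [h for h in cfg.get("hosts", []) if urlsplit(h).scheme == "tcp"]
    if tcp_hosts:
        if not cfg.get("tlsverify"):
            findings.append(f"tcp listener {tcp_hosts} without tlsverify: unauthenticated remote API")
        else:
            missing = [k for k in TLS_FILE_KEYS if not cfg.get(k)]
            if missing:
                findings.append(f"tlsverify set but missing {missing}")

    # 3. The engine publishes -p ports on 0.0.0.0 unless "ip" says otherwise.
    if cfg.get("ip", "0.0.0.0") != "127.0.0.1":
        findings.append("ip not 127.0.0.1: published ports bind on all interfaces by default")
    return findings


# Constructed samples: a plaintext-API daemon.json and the hardened form.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "userns-remap": "default",
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",      # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
    "ip": "127.0.0.1",
})


def audit_daemon_json(text: str) -> list:
    """Parse a daemon.json document and audit it."""
    return audit_daemon_config(json.loads(text))
```

Run it against a real host with `audit_daemon_json(open("/etc/docker/daemon.json").read())`; after the role's TLS setup it should return no findings.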
```yaml
- hosts: all
  vars_prompt:
    - name: "generate_tls_certs"
      prompt: "> Generate TLS certificates and keys? WARNING: re-running this will overwrite any existing certs and keys!"
      private: no
      default: false
    - name: "config_tls"
      prompt: "> Configure Docker engine for TLS?"
      private: no
      default: false
    - name: "config_swarm_fw"
      prompt: "> Configure firewall rules for Docker Swarm?"
      private: no
      default: true
    - name: "reboot_server"
      prompt: "> Reboot server after setup? Required to activate kernel changes."
      private: no
      default: false
  tasks:
    - name: Install Docker
      import_role:
        name: docker-host
    - name: Reboot server (required to activate kernel changes)
      command: reboot
      become: yes
      when: reboot_server|bool
```
License: BSD