Merge pull request #432 from msladek/feature/network-driver

RootlessKit network and port driver config
konstruktoid · Aug 14, 2024 · 67173ce · 67173ce
2 parents 9b18cd4 + 1dbc35f
commit 67173ce
Show file tree

Hide file tree

Showing 6 changed files with 57 additions and 21 deletions.
diff --git a/README.md b/README.md
@@ -52,6 +52,8 @@ docker_compose_release: v2.29.1
 docker_compose_release_shasum: 5ea89dd65d33912a83737d8a4bf070d5de534a32b8493a21fbefc924484786a9
 docker_compose_url: https://github.com/docker/compose/releases/download
 docker_daemon_json_template: daemon.json.j2
+docker_driver_network: slirp4netns
+docker_driver_port: builtin
 docker_release: 27.1.1
 docker_release_rootless_shasum: 31cffd0f0c84ead9a5b28c1ad0c8e56eb9ef352036099a1f6501315574d4f63e
 docker_release_shasum: 118da6b8fc8e8b6c086ab0dd5e64ee549376c3a3f963723bbc9a46db475bf21f
@@ -134,6 +136,17 @@ The `docker_allow_ping` variable configures if unprivileged users can open
 On some distributions, this is not allowed, and thereby containers cannot ping
 to the outside.
 
+The `docker_driver_network` and `docker_driver_port` variables configure RootlessKit's
+[network driver](https://github.com/rootless-containers/rootlesskit/blob/master/docs/network.md) or
+[port driver](https://github.com/rootless-containers/rootlesskit/blob/master/docs/port.md),
+respectively. This is useful for
+[optimising network performance](https://docs.docker.com/engine/security/rootless/#networking-errors)
+and necessary if
+[source IP propagation](https://docs.docker.com/engine/security/rootless/#docker-run--p-does-not-propagate-source-ip-addresses)
+is required. By default, the `builtin` port driver does not expose the actual source IP; instead,
+all connections appear to the container as originating from the Docker gateway (e.g. 172.19.0.1).
+Set `docker_driver_port: slirp4netns` to enable source IP propagation.
+
 The variables named `*_template` are the locations of the
 [templates](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/template_module.html)
 in use, this to make it easier to replace them with custom ones.

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -10,6 +10,8 @@ docker_compose_release: v2.29.1
 docker_compose_release_shasum: 5ea89dd65d33912a83737d8a4bf070d5de534a32b8493a21fbefc924484786a9
 docker_compose_url: https://github.com/docker/compose/releases/download
 docker_daemon_json_template: daemon.json.j2
+docker_driver_network: slirp4netns
+docker_driver_port: builtin
 docker_release: 27.1.1
 docker_release_rootless_shasum: 31cffd0f0c84ead9a5b28c1ad0c8e56eb9ef352036099a1f6501315574d4f63e
 docker_release_shasum: 118da6b8fc8e8b6c086ab0dd5e64ee549376c3a3f963723bbc9a46db475bf21f

diff --git a/tasks/docker_install_rootless.yml b/tasks/docker_install_rootless.yml
@@ -94,13 +94,3 @@
     dest: "{{ docker_user_info.home }}/.config/docker/daemon.json"
     backup: true
     mode: "0644"
-
-- name: Enable and start Docker (rootless installation)
-  become: true
-  become_user: "{{ docker_user }}"
-  ansible.builtin.systemd:
-    name: docker.service
-    enabled: true
-    state: started
-    scope: user
-    daemon_reload: true
diff --git a/tasks/docker_service.yml b/tasks/docker_service.yml
@@ -0,0 +1,34 @@
+---
+- name: Add Docker systemd service override.conf
+  become: true
+  become_user: "{{ docker_user }}"
+  ansible.builtin.lineinfile:
+    dest: "{{ docker_user_info.home }}/.config/systemd/user/docker.service.d/override.conf"
+    line: "[Service]"
+    create: true
+    mode: "0644"
+
+- name: Configure Docker network/port drivers
+  become: true
+  become_user: "{{ docker_user }}"
+  ansible.builtin.lineinfile:
+    dest: "{{ docker_user_info.home }}/.config/systemd/user/docker.service.d/override.conf"
+    insertafter: \[Service\]
+    firstmatch: true
+    regexp: ^Environment="{{ item.key }}=
+    line: Environment="{{ item.key }}={{ item.value }}"
+  loop:
+    - key: DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER
+      value: "{{ docker_driver_port }}"
+    - key: DOCKERD_ROOTLESS_ROOTLESSKIT_NET
+      value: "{{ docker_driver_network }}"
+
+- name: Enable and start Docker
+  become: true
+  become_user: "{{ docker_user }}"
+  ansible.builtin.systemd:
+    name: docker.service
+    enabled: true
+    state: started
+    scope: user
+    daemon_reload: true
diff --git a/tasks/docker_service_rootful.yml b/tasks/docker_service_rootful.yml
@@ -60,13 +60,3 @@
   failed_when: install_rootless_docker.rc != 0
   when:
     - not docker_rootless_sock.stat.exists
-
-- name: Enable and start Docker (rootful installation)
-  become: true
-  become_user: "{{ docker_user }}"
-  ansible.builtin.systemd:
-    name: docker.service
-    enabled: true
-    state: started
-    scope: user
-    daemon_reload: true
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -11,7 +11,7 @@
   tags:
     - always
 
-- name: Remove obselete Docker instruction file
+- name: Remove obsolete Docker instruction file
   ansible.builtin.file:
     path: "{{ ansible_env.HOME }}/ROOTLESS_DOCKER.README"
     state: absent
@@ -50,6 +50,13 @@
   tags:
     - docker_rootless
 
+- name: Configure Docker service
+  ansible.builtin.import_tasks:
+    file: docker_service.yml
+  tags:
+    - docker_rootful
+    - docker_rootless
+
 - name: Install Docker Compose
   ansible.builtin.import_tasks:
     file: docker_compose.yml