
Added support to expose docker-api via tcp #348

Open

wants to merge 9 commits into base: main
Conversation

@monsdar monsdar commented Apr 25, 2024

Added a var that enables the exposure of the docker API via TCP

Issue #344

@monsdar monsdar requested a review from konstruktoid as a code owner April 25, 2024 07:27
@konstruktoid (Owner)
This will only add an option regarding the unsafe tcp, I think it would be more proper to update the documentation on how to enable it.

Otherwise, we'll soon see an issue regarding tls support.

@monsdar (Author) commented Apr 25, 2024

> I think it would be more proper to update the documentation on how to enable it.

With "it" you mean adding to the Readme how to enable secure TLS as well?

Regarding adding it to the role: I do not have an environment available to test this out, but I can add the right vars if that helps...

@konstruktoid (Owner)
Yeah, a short guide on how to change the template and use the template path variable to enable tcp://.
No need to show how to generate certificate and such, just point to the official documentation.

@monsdar (Author) commented Apr 25, 2024

Done, let me know if this is enough info for someone to get the right idea

@konstruktoid (Owner) left review comments on molecule/default/molecule.yml (outdated, resolved) and templates/docker_rootless.service.j2 (resolved).

@konstruktoid (Owner)

Basic test.

diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index d5241a1..7d10b7a 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -88,6 +88,8 @@
           register: ps_dockerd
           changed_when: docker_user[:7] not in ps_dockerd.stdout
           failed_when: docker_user[:7] not in ps_dockerd.stdout
+          when:
+            - not docker_expose_docker_api_via_tcp
 
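Review bot: gating the `ps_dockerd` task on `not docker_expose_docker_api_via_tcp` drops the check that `docker_user[:7]` appears in the dockerd process listing in exactly the configuration where it matters most, the API reachable over the network. The later TCP task only confirms that a `rootlesskit` process owns port 2375, which is not the same assertion as "dockerd runs as docker_user". Keep this task unconditional; if the process listing legitimately looks different when TCP is enabled, add a second `failed_when` expression for that case rather than skipping the ownership check.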
         - name: Verify docker_rootless.sh
           ansible.builtin.stat:
@@ -178,6 +180,20 @@
         delay: 10
         timeout: 120
 
+    - name: Verify tcp exposure
+      become: true
+      ansible.builtin.shell:
+        cmd: |
+          set -o pipefail
+          ss -ltnp | grep '\:2375.*rootlesskit'
+      args:
+        executable: /bin/bash
+      register: tcp_exposure
+      changed_when: false
+      failed_when: tcp_exposure.rc != 0
+      when:
+        - docker_expose_docker_api_via_tcp
+
     - name: Ensure no docker-compose.yml exists
       become: true
       become_user: "{{ docker_user }}"
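Review bot: the grep `'\:2375.*rootlesskit'` in the `Verify tcp exposure` task passes no matter which address the socket is bound to, so a template that listens on 0.0.0.0:2375 and one that listens on 127.0.0.1:2375 are indistinguishable to the verifier, and `:2375` also matches a port such as 23750. Since 2375 is the plaintext, unauthenticated Docker API port, the test should pin the bind address the documentation tells users to configure (for example `grep -E '127\.0\.0\.1:2375 .*rootlesskit'` for a loopback-only setup, or the TLS port if the guide enables TLS) so that a misconfiguration that exposes the daemon to the network fails the run instead of passing it. Note also that with `when: docker_expose_docker_api_via_tcp` the task is skipped unless the molecule scenario sets that variable, so the scenario must enable it for this check to exercise anything. `set -o pipefail` together with `failed_when: tcp_exposure.rc != 0` is the right way to catch an empty grep; that part is fine.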

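Added example, not code from the PR or from the ansible-role-docker-rootless project: a shell audit that performs the same check as the `Verify tcp exposure` task above but also inspects the bind address, because a plain-TCP Docker API listening on anything other than loopback accepts API calls from any host that can reach it, with no authentication. The function name `audit_docker_tcp`, the default port 2375 (the conventional plaintext API port, matching the grep in the diff) and the `ss -ltnp` sample lines are all constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the PR or the role. Reads `ss -ltnp`-style lines
# on stdin and fails if a listener on the plaintext Docker API port is bound
# to anything other than a loopback address.

audit_docker_tcp() {
    # $1: plaintext API port to look for (defaults to 2375, as in the PR's test)
    port="${1:-2375}"
    rc=0
    while read -r state recvq sendq local_addr peer rest; do
        # skip the header line and anything that is not a listening socket
        [ "$state" = "LISTEN" ] || continue
        # "127.0.0.1:2375", "[::]:2375", "*:2375" -> port is after the last colon
        lport="${local_addr##*:}"
        [ "$lport" = "$port" ] || continue
        host="${local_addr%:*}"
        case "$host" in
            127.*|'[::1]')
                echo "ok:   $local_addr is loopback-only  $rest" ;;
            *)
                # 0.0.0.0, [::], * or a specific interface address: reachable
                # from the network, and the plaintext API has no authentication
                echo "FAIL: $local_addr exposes the unauthenticated API  $rest"
                rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample output (not captured from a real host): one loopback
# listener, one wildcard listener, plus an unrelated sshd socket.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:2375      0.0.0.0:*         users:(("rootlesskit",pid=1234,fd=12))
LISTEN 0      4096   0.0.0.0:2375        0.0.0.0:*         users:(("rootlesskit",pid=1234,fd=13))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=700,fd=3))'

# Demo on the sample; on a live host run:  ss -ltnp | audit_docker_tcp
printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_docker_tcp \
    || echo "audit failed: at least one exposed listener (see FAIL lines)"
```

Run as root (as the molecule task does with `become: true`), since `ss -p` only reports process names for sockets owned by other users when it has the privilege to read them. Dropping the check into a verify playbook is a matter of piping `ss -ltnp` into the function and using its exit status as `failed_when`.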
@monsdar (Author) commented Apr 26, 2024

All done 👍

@konstruktoid (Owner), review comment:

this will actually add the configuration to the Docker daemon running as root, what you need to do is add the service file to the docker_user, see https://github.com/konstruktoid/ansible-role-docker-rootless/blob/main/tasks/docker_install_rootless.yml#L80-L87

@monsdar (Author), reply:

Sorry, I don't get what's the request :/

@konstruktoid (Owner), reply:

your PR works when running in rootless mode, but in order for it to work in rootless, you'll need to add the user service file to the rootful installation. https://github.com/konstruktoid/ansible-role-docker-rootless/blob/main/tasks/docker_install_rootless.yml#L80-L87 -> https://github.com/konstruktoid/ansible-role-docker-rootless/blob/main/tasks/docker_install_rootful.yml
