Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added support to expose docker-api via tcp #348

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Added support to expose docker-api via tcp #348

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
ed61111
Added support to expose docker-api via tcp
Apr 25, 2024
1d8ef1f
Added additional docs
Apr 25, 2024
f90478a
Missing dashes
Apr 25, 2024
9acf67a
Extended the molecule vars
Apr 26, 2024
40bf09a
Extended the .gitignore to not include any .vscode user-specific files
Apr 26, 2024
52935a8
Removed some of the vars from molecule platforms
Apr 26, 2024
59e184b
Added tcp-parameter to rootful services as well
Apr 26, 2024
405f2b4
Changed parameters so we test rootful/rootless target platforms
Apr 26, 2024
fe0273a
Added basic test
Apr 26, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,3 +12,4 @@
.yamllint
drafts/*
hosts
.vscode/settings.json
5 changes: 5 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ docker_compose: false
docker_compose_release: 2.26.0
docker_compose_release_shasum: 59c6b262bedc4a02f46c8400e830e660935684899c770c3f5e804a2b7079fc16
docker_daemon_json_template: daemon.json.j2
docker_expose_docker_api_via_tcp: false
docker_release: 26.1.0
docker_release_rootless_shasum: c40ce28994ae8c481eac796f25da587a4cdf1711c279abc9b9472ffca01d5d9e
docker_release_shasum: ab46df00fbf4d218a8694da06f9c171760b6cad875924ed251a3a9d57a7180bf
Expand Down Expand Up @@ -133,6 +134,10 @@ The most important template is most likely
`docker_daemon_json_template: daemon.json.j2`, which is the location of the
Docker `daemon.json` configuration file template.

If `docker_expose_docker_api_via_tcp: true` then the docker daemon will expose its API via tcp. This is insecure, please check the [official docs](https://docs.docker.com/config/daemon/remote-access/) and ensure you understand the implications before activating this.

Exposing the Docker API securely by using TLS is currently not supported via Ansible variable. You will need to edit the [template/docker_rootless.service.j2](https://github.com/konstruktoid/ansible-role-docker-rootless/blob/main/templates/docker_rootless.service.j2) file yourself or provide your own template using the `docker_rootless_service_template` variable. In general you'll need to change the `DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS` and `tcp_connection_str` within the template to use port `:2376` and include the necessary `--tlsverify`, `--tlscacert`, `--tlscert` and `--tlskey` parameters. Check the [official Docker docs](https://docs.docker.com/engine/security/rootless/#expose-docker-api-socket-through-tcp) for more info about that.

## Container management

### Standalone container
Expand Down
1 change: 1 addition & 0 deletions defaults/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ docker_compose: false
docker_compose_release: 2.26.0
docker_compose_release_shasum: 59c6b262bedc4a02f46c8400e830e660935684899c770c3f5e804a2b7079fc16
docker_daemon_json_template: daemon.json.j2
docker_expose_docker_api_via_tcp: false
docker_release: 26.1.0
docker_release_rootless_shasum: c40ce28994ae8c481eac796f25da587a4cdf1711c279abc9b9472ffca01d5d9e
docker_release_shasum: ab46df00fbf4d218a8694da06f9c171760b6cad875924ed251a3a9d57a7180bf
Expand Down
2 changes: 2 additions & 0 deletions molecule/default/molecule.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ provisioner:
docker_user: bookwormuser
docker_user_bashrc: false
docker_compose: false
docker_expose_docker_api_via_tcp: true
almalinux8:
docker_add_alias: false
docker_allow_ping: false
Expand Down Expand Up @@ -65,6 +66,7 @@ provisioner:
docker_user: dockeruser
docker_user_bashrc: false
docker_compose: false
docker_expose_docker_api_via_tcp: true
jammy:
docker_add_alias: false
docker_allow_ping: false
Expand Down
16 changes: 16 additions & 0 deletions molecule/default/verify.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,8 @@
register: ps_dockerd
changed_when: docker_user[:7] not in ps_dockerd.stdout
failed_when: docker_user[:7] not in ps_dockerd.stdout
when:
- not docker_expose_docker_api_via_tcp

- name: Verify docker_rootless.sh
ansible.builtin.stat:
Expand Down Expand Up @@ -178,6 +180,20 @@
delay: 10
timeout: 120

- name: Verify tcp exposure
become: true
ansible.builtin.shell:
cmd: |
set -o pipefail
ss -ltnp | grep '\:2375.*rootlesskit'
args:
executable: /bin/bash
register: tcp_exposure
changed_when: false
failed_when: tcp_exposure.rc != 0
when:
- docker_expose_docker_api_via_tcp

- name: Ensure no docker-compose.yml exists
become: true
become_user: "{{ docker_user }}"
Expand Down
8 changes: 7 additions & 1 deletion templates/docker_rootful.service.j2
View file
Open in desktop
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this will actually add the configuration to the Docker daemon running as root, what you need to do is add the service file to the docker_user, see https://github.com/konstruktoid/ansible-role-docker-rootless/blob/main/tasks/docker_install_rootless.yml#L80-L87

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I don't get what's the request :/

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

your PR works when running in rootless mode, but in order for it to work in rootles, you'll need to add the user service file to the rootful installastion. https://github.com/konstruktoid/ansible-role-docker-rootless/blob/main/tasks/docker_install_rootless.yml#L80-L87 -> https://github.com/konstruktoid/ansible-role-docker-rootless/blob/main/tasks/docker_install_rootful.yml

Original file line number Diff line number Diff line change
@@ -1,6 +1,12 @@
# {{ ansible_managed }}
# Generated by Ansible role {{ ansible_role_name }}

{# Set the external connection str if docker_expose_docker_api_via_tcp is wanted #}
{% set tcp_connection_str = '' %}
{% if docker_expose_docker_api_via_tcp %}
{% set tcp_connection_str = '-H tcp://0.0.0.0:2375' %}
{% endif %}

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
Expand All @@ -10,7 +16,7 @@ Requires=docker.socket

[Service]
Type=notify
ExecStart=/usr/bin/dockerd {{ docker_rootful_opts if docker_rootful_opts else '-H fd:// --containerd=/run/containerd/containerd.sock' }}
ExecStart=/usr/bin/dockerd {{ tcp_connection_str }} {{ docker_rootful_opts if docker_rootful_opts else '-H fd:// --containerd=/run/containerd/containerd.sock' }}
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Expand Down
17 changes: 13 additions & 4 deletions templates/docker_rootless.service.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,12 @@
# {{ ansible_managed }}
# Generated by Ansible role {{ ansible_role_name }}

{# Set the external connection str if docker_expose_docker_api_via_tcp is wanted #}
monsdar marked this conversation as resolved.
Show resolved Hide resolved
{% set tcp_connection_str = '' %}
{% if docker_expose_docker_api_via_tcp %}
{% set tcp_connection_str = '-H tcp://0.0.0.0:2375 -H unix://${XDG_RUNTIME_DIR}/docker.sock' %}
{% endif %}

[Unit]
Description=Docker Application Container Engine (Rootless)
Documentation=https://docs.docker.com/engine/security/rootless/
Expand All @@ -9,18 +15,21 @@ Documentation=https://docs.docker.com/engine/security/rootless/
Environment="DOCKER_HOST=unix:///run/user/{{ docker_user_info.uid }}/docker.sock"
Environment="PATH={{ docker_user_info.home }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Environment="XDG_RUNTIME_DIR=/run/user/{{ docker_user_info.uid }}"
{% if docker_expose_docker_api_via_tcp %}
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS=-p 0.0.0.0:2375:2375/tcp"
{% endif %}
{% if not docker_rootful %}
{% if ansible_distribution == "Debian" and ansible_kernel >= "4.18" and ansible_kernel <= "5.11" %}
ExecStart={{ docker_user_info.home }}/bin/dockerd-rootless.sh -s fuse-overlayfs
ExecStart={{ docker_user_info.home }}/bin/dockerd-rootless.sh {{ tcp_connection_str }} -s fuse-overlayfs
{% else %}
ExecStart={{ docker_user_info.home }}/bin/dockerd-rootless.sh
ExecStart={{ docker_user_info.home }}/bin/dockerd-rootless.sh {{ tcp_connection_str }}
{% endif %}
{% endif %}
{% if docker_rootful %}
{% if ansible_distribution == "Debian" and ansible_kernel >= "4.18" and ansible_kernel <= "5.11" %}
ExecStart=/usr/bin/dockerd-rootless.sh -s fuse-overlayfs
ExecStart=/usr/bin/dockerd-rootless.sh {{ tcp_connection_str }} -s fuse-overlayfs
konstruktoid marked this conversation as resolved.
Show resolved Hide resolved
{% else %}
ExecStart=/usr/bin/dockerd-rootless.sh
ExecStart=/usr/bin/dockerd-rootless.sh {{ tcp_connection_str }}
{% endif %}
{% endif %}
ExecReload=/bin/kill -s HUP $MAINPID
Expand Down