Added support to expose docker-api via tcp #348

Open. Wants to merge 9 commits into base: main. Changes from 6 commits.
1 change: 1 addition & 0 deletions .gitignore
@@ -12,3 +12,4 @@
.yamllint
drafts/*
hosts
.vscode/settings.json
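Review bot: the `.vscode/settings.json` ignore entry is unrelated to exposing the API over TCP; editor-local files are better excluded through a personal global ignore file (`git config --global core.excludesFile`) than through the role's `.gitignore`, so consider dropping this hunk or splitting it into its own commit.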
5 changes: 5 additions & 0 deletions README.md
@@ -44,6 +44,7 @@ docker_compose: false
docker_compose_release: 2.26.0
docker_compose_release_shasum: 59c6b262bedc4a02f46c8400e830e660935684899c770c3f5e804a2b7079fc16
docker_daemon_json_template: daemon.json.j2
docker_expose_docker_api_via_tcp: false
docker_release: 26.1.0
docker_release_rootless_shasum: c40ce28994ae8c481eac796f25da587a4cdf1711c279abc9b9472ffca01d5d9e
docker_release_shasum: ab46df00fbf4d218a8694da06f9c171760b6cad875924ed251a3a9d57a7180bf
@@ -133,6 +134,10 @@ The most important template is most likely
`docker_daemon_json_template: daemon.json.j2`, which is the location of the
Docker `daemon.json` configuration file template.

If `docker_expose_docker_api_via_tcp: true` then the docker daemon will expose its API via tcp. This is insecure, please check the [official docs](https://docs.docker.com/config/daemon/remote-access/) and ensure you understand the implications before activating this.

Exposing the Docker API securely by using TLS is currently not supported via Ansible variable. You will need to edit the [template/docker_rootless.service.j2](https://github.com/konstruktoid/ansible-role-docker-rootless/blob/main/templates/docker_rootless.service.j2) file yourself or provide your own template using the `docker_rootless_service_template` variable. In general you'll need to change the `DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS` and `tcp_connection_str` within the template to use port `:2376` and include the necessary `--tlsverify`, `--tlscacert`, `--tlscert` and `--tlskey` parameters. Check the [official Docker docs](https://docs.docker.com/engine/security/rootless/#expose-docker-api-socket-through-tcp) for more info about that.

## Container management

### Standalone container
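Review bot: the warning in the `If docker_expose_docker_api_via_tcp: true` paragraph should say concretely what the setting does and why it is insecure: with this PR the daemon listens on `tcp://0.0.0.0:2375`, on every interface, with no TLS and no authentication, so anyone who can reach that port gets full control of the daemon, which for a rootless daemon means running arbitrary code as the user the daemon runs as and reading and writing everything that user can. Suggest stating the bind address and port in the README, recommending a host firewall rule or a loopback-only bind (which needs the address to be a variable instead of the hardcoded `0.0.0.0`), and fixing the link text `template/docker_rootless.service.j2` to `templates/docker_rootless.service.j2` so it matches the URL.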
1 change: 1 addition & 0 deletions defaults/main.yml
@@ -8,6 +8,7 @@ docker_compose: false
docker_compose_release: 2.26.0
docker_compose_release_shasum: 59c6b262bedc4a02f46c8400e830e660935684899c770c3f5e804a2b7079fc16
docker_daemon_json_template: daemon.json.j2
docker_expose_docker_api_via_tcp: false
docker_release: 26.1.0
docker_release_rootless_shasum: c40ce28994ae8c481eac796f25da587a4cdf1711c279abc9b9472ffca01d5d9e
docker_release_shasum: ab46df00fbf4d218a8694da06f9c171760b6cad875924ed251a3a9d57a7180bf
2 changes: 2 additions & 0 deletions molecule/default/molecule.yml
@@ -47,6 +47,7 @@ provisioner:
docker_user: dockeruser
docker_user_bashrc: false
docker_compose: true
docker_expose_docker_api_via_tcp: true
focal:
docker_add_alias: true
docker_allow_ping: false
@@ -65,6 +66,7 @@ provisioner:
docker_user: dockeruser
docker_user_bashrc: false
docker_compose: false
docker_expose_docker_api_via_tcp: true
jammy:
docker_add_alias: false
docker_allow_ping: false
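Review bot: both scenarios now set `docker_expose_docker_api_via_tcp: true`, but nothing in this diff exercises the result; the run would still pass if the `-H tcp://...` argument or the `-p 0.0.0.0:2375:2375/tcp` forward were dropped. Suggest a verify task that talks to the TCP endpoint from inside the instance (for example `curl -sf http://127.0.0.1:2375/version`) and, since the default is `false`, leaving one scenario at the default so the unchanged code path is still covered.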
17 changes: 13 additions & 4 deletions templates/docker_rootless.service.j2
@@ -1,6 +1,12 @@
# {{ ansible_managed }}
# Generated by Ansible role {{ ansible_role_name }}

{# Set the external connection str if docker_expose_docker_api_via_tcp is wanted #}
{% set tcp_connection_str = '' %}
{% if docker_expose_docker_api_via_tcp %}
{% set tcp_connection_str = '-H tcp://0.0.0.0:2375 -H unix://${XDG_RUNTIME_DIR}/docker.sock' %}
{% endif %}

[Unit]
Description=Docker Application Container Engine (Rootless)
Documentation=https://docs.docker.com/engine/security/rootless/
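Review bot: `tcp://0.0.0.0:2375` is hardcoded in the `{% set tcp_connection_str = ... %}` line, so there is no way to bind to a single interface or to loopback, and the port cannot be moved to `2376` without replacing the whole template, which is what the README then has to explain. Suggest two variables with safe defaults, e.g. `docker_api_tcp_bind_address: 127.0.0.1` and `docker_api_tcp_port: 2375`, used here and in the `DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS` line further down so the two cannot drift apart. Minor: `${XDG_RUNTIME_DIR}` relies on systemd expanding the `Environment=` value inside `ExecStart=`; the unit already spells the same path out as `/run/user/{{ docker_user_info.uid }}/docker.sock` in `DOCKER_HOST`, and using that form here is one less thing to reason about.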
@@ -9,18 +15,21 @@ Documentation=https://docs.docker.com/engine/security/rootless/
Environment="DOCKER_HOST=unix:///run/user/{{ docker_user_info.uid }}/docker.sock"
Environment="PATH={{ docker_user_info.home }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Environment="XDG_RUNTIME_DIR=/run/user/{{ docker_user_info.uid }}"
{% if docker_expose_docker_api_via_tcp %}
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS=-p 0.0.0.0:2375:2375/tcp"
{% endif %}
{% if not docker_rootful %}
{% if ansible_distribution == "Debian" and ansible_kernel >= "4.18" and ansible_kernel <= "5.11" %}
ExecStart={{ docker_user_info.home }}/bin/dockerd-rootless.sh -s fuse-overlayfs
ExecStart={{ docker_user_info.home }}/bin/dockerd-rootless.sh {{ tcp_connection_str }} -s fuse-overlayfs
{% else %}
ExecStart={{ docker_user_info.home }}/bin/dockerd-rootless.sh
ExecStart={{ docker_user_info.home }}/bin/dockerd-rootless.sh {{ tcp_connection_str }}
{% endif %}
{% endif %}
{% if docker_rootful %}
{% if ansible_distribution == "Debian" and ansible_kernel >= "4.18" and ansible_kernel <= "5.11" %}
ExecStart=/usr/bin/dockerd-rootless.sh -s fuse-overlayfs
ExecStart=/usr/bin/dockerd-rootless.sh {{ tcp_connection_str }} -s fuse-overlayfs
{% else %}
ExecStart=/usr/bin/dockerd-rootless.sh
ExecStart=/usr/bin/dockerd-rootless.sh {{ tcp_connection_str }}
{% endif %}
{% endif %}
ExecReload=/bin/kill -s HUP $MAINPID
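Review bot: the `-p 0.0.0.0:2375:2375/tcp` RootlessKit forward is what actually makes the listener reachable from outside the user namespace; the `-H tcp://0.0.0.0:2375` passed to `dockerd-rootless.sh` only binds inside RootlessKit's network namespace. The two have to stay in sync, and both currently publish on all interfaces; suggest driving both from the same bind-address and port variables and defaulting to loopback, with `0.0.0.0` an explicit opt-in. Minor: `{{ tcp_connection_str }}` leaves a double space in the four `ExecStart=` lines when the feature is off; harmless, but the substitution could carry its own leading space inside the `{% set %}` so the default case renders unchanged.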