-
Installs Docker Community Edition (CE) on CentOS 7
-
Pre-configured with user namespaces for increased security.
- NOTE: reboot is required to activate kernel changes.
- After user namespaces are enabled, host bind mounts will no longer work
- Containers will be unable to bind to Docker engine on local UNIX socket; specifically affects managment tools like Portainer; workaround is to configure Docker engine with TLS
-
Generates TLS certificates and secures Docker engine:
- Requires Galaxy role easypath.generate-tls-certs
- Configures Docker client to connect using TLS by default, otherwise need to specify TLS cert and key everytime running
dockercommand; configured per profile and requires client certificate, see here for more info) - After configuring TLS, no longer need to prefix
dockercommands withsudo
-
Docker engine binds new containers to localhost by default if no IP is specified
-
Configures Docker Swarm-related firewalld rules
- See
defaults/main.yml
- hosts: all vars_prompt: - name: "generate_tls_certs" prompt: "> Generate TLS certificates and keys? WARNING: re-running this will overwrite any existing certs and keys!" private: no default: false - name: "config_tls" prompt: "> Configure Docker engine for TLS?" private: no default: false - name: "config_swarm_fw" prompt: "> Configure firewall rules for Docker Swarm?" private: no default: true - name: "reboot_server" prompt: "> Reboot server after setup? Required to activate kernel changes." private: no default: false tasks: - name: Install Docker import_role: name: docker-host - name: Reboot server (required to activate kernel changes) command: reboot become: yes when: reboot_server|bool BSD