debops.docker default variables

Docker packages and installation

docker__distribution

The OS distribution which is used to select upstream APT repository.

docker__distribution: '{{ ansible_local.core.distribution
                          if (ansible_local|d() and ansible_local.core|d() and
                              ansible_local.core.distribution|d())
                          else ansible_distribution }}'
docker__distribution_release

The OS distribution release which is used to select the upstream APT repository.

docker__distribution_release: '{{ ansible_local.core.distribution_release
                                  if (ansible_local|d() and ansible_local.core|d() and
                                      ansible_local.core.distribution_release|d())
                                  else ansible_distribution_release }}'
docker__upstream

By default debops.docker installs Docker from the system distribution repositories. Here you can enable the upstream repositories and install the upstream version of Docker. Note that switching from upstream back to the distribution packages on a host may not always work; you may need to manually remove the upstream version and its configuration.

docker__upstream: False
docker__upstream_key

APT GPG key id used to sign the upstream Docker packages.

docker__upstream_key: '58118E89F3A912897C070ADBF76221572C52609D'
docker__upstream_repository

Address of the Docker upstream APT repository.

docker__upstream_repository: 'deb https://apt.dockerproject.org/repo {{ docker__distribution | lower }}-{{ docker__distribution_release }} main'
docker__base_packages

List of base packages to install with Docker.

docker__base_packages: [ 'aufs-tools', 'python-pip', 'python-docker', 'python-setuptools', 'bridge-utils' ]
docker__packages

List of additional packages to install with Docker.

docker__packages: []
docker__admins

List of UNIX accounts which should be added to the docker system group, which has access to the Docker UNIX socket.

docker__admins: '{{ ansible_local.core.admin_users
                    if (ansible_local|d() and ansible_local.core|d() and
                        ansible_local.core.admin_users|d())
                    else [] }}'

Network configuration

docker__bridge

Name of the bridge to use instead of the autogenerated docker0 bridge. The bridge should already exist on the server.

docker__bridge: ''
docker__fixed_cidr

Fixed subnet in CIDR format to confine dynamically allocated IP addresses. Should be included in the IP address range set on the bridge.

docker__fixed_cidr: ''
docker__dns_nameserver

List of IP addresses of nameservers used by Docker. By default they are gathered by the debops.core role from the /etc/resolv.conf file of the remote host.

docker__dns_nameserver: '{{ ansible_local.resolver.nameserver
                            if (ansible_local|d() and ansible_local.resolver|d() and
                                ansible_local.resolver.nameserver|d())
                            else [] }}'
docker__dns_search

List of DNS search domains to be used by Docker. By default they are gathered by the debops.core role from the /etc/resolv.conf file of the remote host.

docker__dns_search: '{{ ansible_local.resolver.search
                        if (ansible_local|d() and ansible_local.resolver|d() and
                            ansible_local.resolver.search|d())
                        else [] }}'

Remote Docker connection (TCP)

docker__tcp

Enable or disable listening for TLS connections on the Docker TCP port. By default remote connections are enabled if the debops.pki role has been configured on the remote host (access is controlled by the firewall).

docker__tcp: '{{ docker__pki | bool }}'
docker__tcp_bind

IP address of the interface to listen on for incoming connections (all interfaces by default).

docker__tcp_bind: '0.0.0.0'
docker__unencrypted_tcp_port

Port on which to listen for incoming unencrypted connections.

docker__unencrypted_tcp_port: '2375'
docker__tls_tcp_port

Port on which to listen for incoming TLS connections.

docker__tls_tcp_port: '2376'
docker__tcp_port

Port on which to listen for incoming remote connections: the TLS port when PKI support is enabled, the unencrypted port otherwise.

docker__tcp_port: '{{ docker__tls_tcp_port if (docker__pki|d() | bool) else docker__unencrypted_tcp_port }}'
docker__tcp_allow

List of IP addresses or subnets in CIDR format which are allowed to connect to the Docker daemon over TLS. If it's not specified, remote connections are denied by the firewall.

docker__tcp_allow: []
docker__tcp_listen

Default connection configured in addition to local socket connection, using TCP over TLS.

docker__tcp_listen: '{{ ("tcp://" + docker__tcp_bind + ":" + docker__tcp_port)
                         if (docker__tcp|d() | bool) else "" }}'
docker__custom_ports

List of additional TCP/UDP ports to allow in the firewall, useful for other Docker-related services such as Swarm or Consul.

docker__custom_ports: []

Docker configuration options

docker__env_http_proxy

HTTP proxy settings for the Docker daemon.

docker__env_http_proxy: '{{ ansible_env.http_proxy | d() }}'
docker__env_https_proxy

HTTPS proxy settings for the Docker daemon.

docker__env_https_proxy: '{{ ansible_env.https_proxy | d() }}'
docker__env_no_proxy

No-proxy settings for the Docker daemon.

docker__env_no_proxy: '{{ ansible_env.no_proxy | d() }}'
docker__listen

List of host connections configured in the Docker daemon (--host parameter).

docker__listen:
  - '{{ "fd://" if ansible_service_mgr == "systemd" else "unix:///var/run/docker.sock" }}'
  - '{{ docker__tcp_listen }}'
docker__labels

Dictionary with labels configured on the Docker daemon, each key is the label name and value is the label attribute. Examples:

docker__labels:
  'com.example.environment': 'production'
  'com.example.storage':     'extfs'

docker__labels: {}
docker__debug

Start docker daemon in debug mode.

docker__debug: False
docker__live_restore

Enables keeping containers alive during daemon downtime. Only supported from docker version 1.12 and above.

docker__live_restore: False
docker__graph

Alternative root path of the docker runtime.

docker__graph: '/var/lib/docker'
docker__registry_mirrors

List of registry mirrors.

docker__registry_mirrors: []
docker__storage_driver

Storage driver for docker volumes.

docker__storage_driver: 'overlay'
docker__storage_options

Additional docker storage driver options.

docker__storage_options: {}
docker__custom_daemon_options

Allows passing of arbitrary/unsupported configuration options to 'daemon.json'.

docker__custom_daemon_options: {}
docker__options

List of additional options passed to docker daemon. Examples:

docker__options:
  - '--icc=false'
  - '--insecure-registry=10.1.0.0/16'

docker__options: []

PKI and certificates

docker__pki

Enable or disable support for PKI certificates managed by debops.pki.

docker__pki: '{{ (True
                  if (ansible_local|d() and ansible_local.pki|d() and
                      ansible_local.pki.enabled|d() | bool)
                  else False) | bool }}'
docker__pki_path

Directory where PKI files are located on the remote host.

docker__pki_path: '{{ ansible_local.pki.base_path
                      if (ansible_local|d() and ansible_local.pki|d() and
                          ansible_local.pki.base_path|d())
                      else "/etc/pki" }}'
docker__pki_realm

Name of the PKI realm used by Docker.

docker__pki_realm: '{{ ansible_local.pki.realm
                       if (ansible_local|d() and ansible_local.pki|d() and
                           ansible_local.pki.realm|d())
                       else "system" }}'
docker__pki_ca

Name of the Root CA certificate file used by Docker.

docker__pki_ca: 'CA.crt'
docker__pki_crt

Name of the host certificate used by Docker.

docker__pki_crt: 'default.crt'
docker__pki_key

Name of the private key file used by Docker.

docker__pki_key: 'default.key'

Firewall and ferment support

docker__ferm_post_hook

Enable or disable installation for the ferm post hook when ferment is disabled.

docker__ferm_post_hook: '{{ True
                            if (ansible_local|d() and ansible_local.ferm|d() and
                                docker__ferment|bool) else False }}'
docker__ferment

Enable or disable support for ferment script, which can generate ferm configuration with the current Docker state.

docker__ferment: True
docker__ferment_pip_package

Name of the package used to install ferment from PyPI with the pip command.

docker__ferment_pip_package: 'ferment'
docker__ferment_wrapper

Path to the ferment wrapper script used to generate ferm configuration.

docker__ferment_wrapper: '{{ (ansible_local.root.lib
                              if (ansible_local|d() and ansible_local.root|d() and
                                  ansible_local.root.lib|d())
                              else "/usr/local/lib") + "/docker-ferment-wrapper" }}'

Configuration of other Ansible roles

docker__etc_services__dependent_list

Configuration for debops.etc_services role which registers port numbers for Docker REST API.

docker__etc_services__dependent_list:

  - name: 'docker'
    port: '{{ docker__unencrypted_tcp_port }}'
    comment: 'Docker REST API (plain text)'

  - name: 'docker-s'
    port: '{{ docker__tls_tcp_port }}'
    comment: 'Docker REST API (SSL)'
docker__ferm__dependent_rules

Configuration for debops.ferm role which enables support for ferment script and opens access to the Docker REST API in the firewall.

docker__ferm__dependent_rules:

  - type: 'custom'
    weight: '99'
    role: 'docker'
    name: 'ferment_rules'
    rules: |
      @def $DOCKER_FERMENT = `test -x {{ docker__ferment_wrapper }} && echo 1 || echo 0`;
      @if $DOCKER_FERMENT {
          @include '{{ docker__ferment_wrapper + (" " + docker__bridge if docker__bridge else "") }}|';
      }

  - type: 'accept'
    dport: '{{ [ docker__tcp_port ] + docker__custom_ports }}'
    protocol: [ 'tcp', 'udp' ]
    saddr: '{{ docker__tcp_allow }}'
    accept_any: False
    weight: '50'
    role: 'docker'
    name: 'service_rules'
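The remote-connection variables above (docker__tcp, docker__pki, docker__tcp_port, docker__tcp_listen, docker__listen) and the service_rules entry of docker__ferm__dependent_rules only make sense together: the port the daemon binds, whether it is TLS or plain text, and which source addresses the firewall lets through are all derived from a handful of inventory settings. The following is an added example, not code from the debops.docker role, that re-implements that Jinja2 resolution logic in plain Python so the effective daemon listeners and firewall rule of a given inventory can be inspected before a playbook run. The inventory dictionaries, the Effective class, the resolve() function and its warning checks are this example's own constructions; the role templates themselves are not reproduced, and the example assumes (as the role does in practice) that an empty docker__tcp_listen entry is dropped from the --host list.

```python
"""Resolve effective Docker daemon listeners and firewall rule from
debops.docker-style inventory variables (added example, not role code)."""
from dataclasses import dataclass, field

# Role defaults as documented on this page; docker__tcp is None here to
# model its default of following docker__pki.
DEFAULTS = {
    "docker__pki": False,
    "docker__tcp": None,
    "docker__tcp_bind": "0.0.0.0",
    "docker__unencrypted_tcp_port": "2375",
    "docker__tls_tcp_port": "2376",
    "docker__tcp_allow": [],
    "docker__custom_ports": [],
    "ansible_service_mgr": "systemd",
}


@dataclass
class Effective:
    """What the daemon and the ferm 'service_rules' entry end up with."""
    tcp_port: str
    listen: list            # resolved docker__listen (--host values)
    firewall_dports: list   # dport list of the ferm accept rule
    firewall_saddr: list    # saddr list of the ferm accept rule
    remote_api_reachable: bool
    warnings: list = field(default_factory=list)


def resolve(inventory: dict) -> Effective:
    """Apply the page's Jinja2 expressions to inventory overrides."""
    v = {**DEFAULTS, **inventory}
    pki = bool(v["docker__pki"])
    tcp = pki if v["docker__tcp"] is None else bool(v["docker__tcp"])

    # docker__tcp_port: TLS port when PKI is enabled, plain port otherwise.
    tcp_port = v["docker__tls_tcp_port"] if pki else v["docker__unencrypted_tcp_port"]

    # docker__tcp_listen and docker__listen; the empty string is dropped
    # (assumption about the role's template, see lead-in).
    tcp_listen = f"tcp://{v['docker__tcp_bind']}:{tcp_port}" if tcp else ""
    local = "fd://" if v["ansible_service_mgr"] == "systemd" else "unix:///var/run/docker.sock"
    listen = [h for h in (local, tcp_listen) if h]

    # ferm 'service_rules': dport = [docker__tcp_port] + docker__custom_ports,
    # saddr = docker__tcp_allow, accept_any False, so an empty saddr list
    # means the rule admits no remote client at all.
    dports = [tcp_port] + list(v["docker__custom_ports"])
    saddr = list(v["docker__tcp_allow"])
    reachable = bool(tcp and saddr)

    # Added review checks, not part of the role.
    warnings = []
    if tcp and not pki:
        warnings.append(f"daemon listens on tcp://{v['docker__tcp_bind']}:{tcp_port} without TLS")
    if reachable and "0.0.0.0/0" in saddr:
        warnings.append("firewall admits the remote API from any source address")
    if tcp and not saddr:
        warnings.append("remote API enabled but docker__tcp_allow is empty, so the firewall blocks it")
    return Effective(tcp_port, listen, dports, saddr, reachable, warnings)


# Constructed sample inventories (host_vars as a Python dict).
PLAIN_EXPOSED = {"docker__tcp": True}   # no PKI: plain-text API on 0.0.0.0:2375
HARDENED = {
    "docker__pki": True,
    "docker__tcp_allow": ["10.10.0.0/24"],
    "docker__custom_ports": ["2377"],
}

if __name__ == "__main__":
    for name, inv in (("defaults", {}), ("plain", PLAIN_EXPOSED), ("hardened", HARDENED)):
        e = resolve(inv)
        print(f"{name}: listen={e.listen} dport={e.firewall_dports} "
              f"saddr={e.firewall_saddr} reachable={e.remote_api_reachable}")
        for w in e.warnings:
            print(f"  warning: {w}")
```

Running it shows the three situations the variables produce: with untouched defaults the daemon only listens locally; setting docker__tcp without PKI binds the plain-text port on all interfaces but the firewall still admits nobody because docker__tcp_allow is empty; with debops.pki enabled and an explicit allow list the TLS port 2376 plus the custom port 2377 are opened only to the listed subnet.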