Default variables

Docker packages and installation

docker_upstream

By default debops.docker installs Docker from the system distribution repositories. Here you can enable upstream repositories and install the upstream version of Docker.

docker_upstream: False

docker_upstream_key

APT GPG key id used to sign the upstream Docker packages.

docker_upstream_key: '58118E89F3A912897C070ADBF76221572C52609D'

docker_upstream_repository

Address of the Docker upstream APT repository.

docker_upstream_repository: 'deb https://apt.dockerproject.org/repo {{ ansible_distribution | lower }}-{{ ansible_distribution_release }} main'

docker_base_packages

List of base packages to install with Docker.

docker_base_packages: [ 'aufs-tools', 'python-docker' ]

docker_packages

List of additional packages to install with Docker.

docker_packages: []

docker_admins

List of UNIX accounts which should be added to the docker system group, which has access to the Docker UNIX socket.

docker_admins: [ '{{ (ansible_ssh_user
                      if (ansible_ssh_user | bool and
                          ansible_ssh_user != "root")
                      else lookup("env", "USER")) }}' ]

Network configuration

docker_bridge

Name of the bridge to use instead of the autogenerated docker0 bridge.

docker_bridge: ''

docker_fixed_cidr

Fixed subnet in CIDR format to confine dynamically allocated IP addresses. Should be included in the IP address range set on the bridge.

docker_fixed_cidr: ''

docker_dns_nameserver

List of IP addresses of nameservers used by Docker. By default they are gathered by the debops.core role from the /etc/resolv.conf file of the remote host.

docker_dns_nameserver: '{{ ansible_local.resolver.nameserver
                           if (ansible_local|d() and ansible_local.resolver|d() and
                               ansible_local.resolver.nameserver|d())
                           else [] }}'

docker_dns_search

List of DNS search domains used by Docker. By default they are gathered by the debops.core role from the /etc/resolv.conf file of the remote host.

docker_dns_search: '{{ ansible_local.resolver.search
                       if (ansible_local|d() and ansible_local.resolver|d() and
                           ansible_local.resolver.search|d())
                       else [] }}'

Remote Docker connection (TCP)

docker_tcp

Enable or disable listening for TLS connections on the TCP docker port. By default remote connections are enabled if the debops.pki role has been configured on the remote host (access is controlled by the firewall).

docker_tcp: '{{ docker_pki | bool }}'

docker_tcp_bind

IP address of the interface to listen on for incoming connections (all interfaces by default).

docker_tcp_bind: '0.0.0.0'

docker_tcp_port

Port on which to listen for incoming TLS connections.

docker_tcp_port: '2375'

docker_tcp_allow

List of IP addresses or subnets in CIDR format which are allowed to connect to the Docker daemon over TLS. If it’s not specified, remote connections are denied by the firewall.

docker_tcp_allow: []

docker_tcp_listen

Default connection configured in addition to the local socket connection, using TCP over TLS.

docker_tcp_listen: '{{ ("tcp://" + docker_tcp_bind + ":" + docker_tcp_port)
                        if (docker_tcp|d() | bool) else "" }}'

docker_custom_ports

List of additional TCP/UDP ports to allow in the firewall, useful for other Docker-related services such as Swarm or Consul.

docker_custom_ports: []

Docker configuration options

docker_listen

List of host connections configured in the Docker daemon (--host parameter).

docker_listen: [ '{{ docker_tcp_listen }}' ]

docker_labels

Dictionary with labels configured on the Docker daemon; each key is the label name and each value is the label attribute. Examples:

docker_labels:
  'com.example.environment': 'production'
  'com.example.storage':     'extfs'

docker_labels: {}

docker_options

List of additional options passed to the Docker daemon. Examples:

docker_options:
  - '--icc=false'
  - '--debug=true'

docker_options: []

PKI and certificates

docker_pki

Enable or disable support for PKI certificates managed by debops.pki.

docker_pki: '{{ (True
                 if (ansible_local|d() and ansible_local.pki|d() and
                     ansible_local.pki.enabled|d() | bool)
                 else False) | bool }}'

docker_pki_path

Directory where PKI files are located on the remote host.

docker_pki_path: '{{ ansible_local.pki.base_path
                     if (ansible_local|d() and ansible_local.pki|d() and
                         ansible_local.pki.base_path|d())
                     else "/etc/pki" }}'

docker_pki_realm

Name of the PKI realm used by Docker.

docker_pki_realm: '{{ ansible_local.pki.realm
                      if (ansible_local|d() and ansible_local.pki|d() and
                          ansible_local.pki.realm|d())
                      else "system" }}'

docker_pki_ca

Name of the Root CA certificate file used by Docker.

docker_pki_ca: 'CA.crt'

docker_pki_crt

Name of the host certificate used by Docker.

docker_pki_crt: 'default.crt'

docker_pki_key

Name of the private key file used by Docker.

docker_pki_key: 'default.key'

Firewall and ferment support

docker_ferment

Enable or disable support for the ferment script, which can generate ferm configuration with the current Docker state.

docker_ferment: True

docker_ferment_wrapper

Path to the ferment wrapper script used to generate ferm configuration.

docker_ferment_wrapper: '{{ (ansible_local.root.lib
                             if (ansible_local|d() and ansible_local.root|d() and
                                 ansible_local.root.lib|d())
                             else "/usr/local/lib") + "/docker-ferment-wrapper" }}'

Configuration of other Ansible roles

docker_etc_services_dependent_list

Configuration for the debops.etc_services role, which registers port numbers for the Docker REST API.

docker_etc_services_dependent_list:

  - name: 'docker'
    port: '2375'
    comment: 'Docker REST API (plain text)'

  - name: 'docker-s'
    port: '2376'
    comment: 'Docker REST API (SSL)'

docker_ferm_dependent_rules

Configuration for the debops.ferm role, which enables support for the ferment script and opens access to the Docker REST API in the firewall.

docker_ferm_dependent_rules:

  - type: 'custom'
    weight: '99'
    role: 'docker'
    name: 'ferment_rules'
    rules: |
      @def $DOCKER_FERMENT = `test -x {{ docker_ferment_wrapper }} && echo 1 || echo 0`;
      @if $DOCKER_FERMENT {
          @include '{{ docker_ferment_wrapper + (" " + docker_bridge if docker_bridge else "") }}|';
      }

  - type: 'accept'
    dport: '{{ [ docker_tcp_port ] + docker_custom_ports }}'
    protocol: [ 'tcp', 'udp' ]
    saddr: '{{ docker_tcp_allow }}'
    accept_any: False
    weight: '50'
    role: 'docker'
    name: 'service_rules'
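
An added example, not part of debops.docker: a Python check over already-resolved role variables that flags combinations described on this page and expands the 'service_rules' accept rule into the source/port/protocol tuples it opens. The function names and sample values are constructed for illustration; the input is assumed to be a dict of the variables after Jinja rendering, with booleans as Python bools.

```python
import ipaddress


def audit_docker_vars(v):
    """Return review findings for a dict of resolved debops.docker variables."""
    findings = []
    tcp = bool(v.get("docker_tcp", False))
    port = str(v.get("docker_tcp_port", "2375"))
    if tcp and not v.get("docker_pki", False):
        findings.append("docker_tcp is enabled but docker_pki is not; "
                        "the default ties TCP listening to PKI being configured")
    if tcp and port == "2375":
        findings.append("docker_tcp_port 2375 is registered in "
                        "docker_etc_services_dependent_list as plain text; "
                        "2376 is the entry labelled SSL")
    for entry in v.get("docker_tcp_allow", []):
        # strict=False accepts host addresses and networks with host bits set
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen == 0:
            findings.append(f"docker_tcp_allow contains {entry}: every source "
                            "may reach the API port and docker_custom_ports")
    return findings


def firewall_exposure(v):
    """Expand the 'service_rules' accept rule into (source, port, protocol)."""
    # dport is [docker_tcp_port] + docker_custom_ports, for both tcp and udp
    ports = [str(v.get("docker_tcp_port", "2375"))]
    ports += [str(p) for p in v.get("docker_custom_ports", [])]
    return [(src, port, proto)
            for src in v.get("docker_tcp_allow", [])
            for port in ports
            for proto in ("tcp", "udp")]


# Constructed sample values, not taken from any real inventory.
SAMPLE = {
    "docker_pki": False, "docker_tcp": True, "docker_tcp_bind": "0.0.0.0",
    "docker_tcp_port": "2375", "docker_custom_ports": ["8500"],
    "docker_tcp_allow": ["0.0.0.0/0", "192.0.2.0/24"],
}

if __name__ == "__main__":
    for finding in audit_docker_vars(SAMPLE):
        print("REVIEW:", finding)
    for row in firewall_exposure(SAMPLE):
        print("OPEN:", row)
```

Because the accept rule shares one source list, every entry added to docker_tcp_allow is also granted access to each port in docker_custom_ports over both TCP and UDP.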