Ecosyste.ms: Awesome
https://github.com/justin-p/ansible-role-bootstrap_docker
An Ansible role I built for quickly configuring and hardening Docker on a new VM.
- Host: GitHub
- URL: https://github.com/justin-p/ansible-role-bootstrap_docker
- Owner: justin-p
- License: mit
- Created: 2020-06-08T20:11:41.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2024-03-19T20:04:13.000Z (8 months ago)
- Last Synced: 2024-03-19T21:27:50.727Z (8 months ago)
- Topics: ansible, ansible-galaxy, ansible-role, bootstrap, docker, hacktoberfest
- Language: Jinja
- Homepage:
- Size: 47.9 KB
- Stars: 2
- Watchers: 2
- Forks: 1
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# ansible-role-bootstrap_docker
[![Ansible Role Name](https://img.shields.io/ansible/role/d/justin_p/bootstrap_docker?style=flat-square)](https://galaxy.ansible.com/justin_p/bootstrap_docker)
[![Github Actions](https://img.shields.io/github/actions/workflow/status/justin-p/ansible-role-bootstrap_docker/main.yml?label=Github%20Actions&logo=github&style=flat-square)](https://github.com/justin-p/ansible-role-bootstrap_docker/actions)

An Ansible role I built for quickly configuring Docker and applying hardening (to my personal standards).
**I do not recommend** you use this on existing infrastructure.
**Note:** If you were to use this role you probably don't want to use the default password/salt values, which are public in this repository. Override them in each project with unique values and store them securely with Ansible Vault.
## Balancing hardening and usability
### UFW and Docker
Docker normally ignores rules created by UFW: it inserts its own iptables rules (the DOCKER chains in the nat and filter tables), so published container ports bypass UFW entirely. This has been a known issue for some time now. Since I really prefer using UFW to manage my host-based firewall, this role configures Docker and iptables to work nicely with UFW. It does this by utilizing the Docker userland proxy, iptables-persistent and UFW route rules. With Docker's own iptables management turned off (as in Mateusz's approach), every published port is served by `docker-proxy` listening on the host, so it is an ordinary host socket that UFW's INPUT rules apply to; the MASQUERADE rule Docker would otherwise maintain for container egress is kept by iptables-persistent, and a UFW route rule permits the forwarded traffic that UFW's default forward policy would drop. By default the role adds a route that allows docker0 to send traffic out on `{{ ansible_default_ipv4.interface }}`. This makes Docker networking and UFW behave just like any other port binding from an end-user perspective. I did not come up with this workaround fully by myself. It is heavily based on the work done by [Mateusz](https://www.mkubaczyk.com/2017/09/05/force-docker-not-bypass-ufw-rules-ubuntu-16-04/), though improved upon by using more granular routes and iptables-persistent so that the needed nat rule(s) aren't lost during a reboot.
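The pieces this arrangement rests on, as an added example rather than the role's own templates: the two daemon.json keys, the nat rule for iptables-persistent, the UFW route rule, and a `check_daemon_json` audit you can run on an existing host to see whether Docker is still bypassing UFW. The docker0 subnet (172.17.0.0/16), the outbound interface (eth0; the role takes it from `{{ ansible_default_ipv4.interface }}`) and the Debian/Ubuntu file paths are assumptions.

```shell
#!/bin/sh
# Added example, not the role's own templates: the daemon.json keys, the nat
# rule and the UFW route rule behind the UFW/Docker arrangement above, plus a
# check for a daemon.json that would still let Docker bypass UFW.
# Assumptions: docker0 uses 172.17.0.0/16, the outbound interface is eth0
# (the role uses ansible_default_ipv4.interface), standard Debian/Ubuntu paths.

DOCKER0_SUBNET="${DOCKER0_SUBNET:-172.17.0.0/16}"
OUT_IFACE="${OUT_IFACE:-eth0}"

# With "iptables": false Docker stops writing DOCKER chains into nat/filter,
# so it no longer inserts rules that jump ahead of UFW's.  "userland-proxy":
# true keeps docker-proxy listening on the host for every published port;
# those listeners are plain host sockets and UFW's INPUT rules decide who may
# reach them.
render_daemon_json() {
  cat <<'EOF'
{
  "iptables": false,
  "userland-proxy": true
}
EOF
}

# The single nat rule Docker would normally manage itself: masquerade
# container traffic leaving through any interface other than docker0.
# iptables-persistent restores this file at boot.
render_rules_v4() {
  cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $DOCKER0_SUBNET ! -o docker0 -j MASQUERADE
COMMIT
EOF
}

# UFW's default forward policy is DROP, so forwarded (routed) traffic needs
# its own rule.  This only permits docker0 -> OUT_IFACE; return traffic is
# covered by UFW's established/related rule, not opened wholesale.
ufw_route_cmd() {
  printf 'ufw route allow in on docker0 out on %s\n' "$OUT_IFACE"
}

# Audit: return 0 when daemon.json has both required settings, non-zero with
# a reason on stderr otherwise.  Plain grep, so the file must be formatted
# one key per line (the usual case for a hand- or template-written file).
check_daemon_json() {
  f="$1"
  rc=0
  if ! grep -Eq '"iptables"[[:space:]]*:[[:space:]]*false' "$f"; then
    echo "$f: \"iptables\" is not false; Docker will still insert its own nat/FORWARD rules" >&2
    rc=1
  fi
  if grep -Eq '"userland-proxy"[[:space:]]*:[[:space:]]*false' "$f"; then
    echo "$f: \"userland-proxy\" is false; published ports would have no listener once Docker's nat rules are gone" >&2
    rc=1
  fi
  return "$rc"
}

# Apply to the local host only when asked explicitly (run as root).  Both
# files are overwritten; merge by hand if daemon.json already carries other
# keys (e.g. userns-remap) or rules.v4 already holds rules.
if [ "${1:-}" = "apply" ]; then
  render_daemon_json > /etc/docker/daemon.json
  render_rules_v4 > /etc/iptables/rules.v4
  netfilter-persistent reload
  eval "$(ufw_route_cmd)"
  systemctl restart docker
fi
```

Run it as `sh harden-docker-ufw.sh apply` on the target, then confirm from another host that a container started with `-p 8080:80` is unreachable until you add `ufw allow 8080`; that is the behaviour a plain Docker install does not give you.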
### Docker Socket
After enabling `userns-remap`, a container can no longer use a bind-mounted Docker socket: its processes run under the remapped subordinate UIDs/GIDs on the host, which have no permission on `/var/run/docker.sock`. To solve this we create a copy of the socket with socat under the following path: `/var/run/docker-userns.sock`. This copy gives the root account and the dockerremap group read and write access on the copied Docker socket.
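As an added example, not the role's unit template: the socat relay the paragraph above describes, a check that the relayed socket really carries root:dockerremap 660 permissions rather than something world-accessible, and the Docker Socket Proxy front end recommended next. The socket paths and the dockerremap group follow this README; the 660 mode, the socat options, the `socket-proxy-net` network name and the `CONTAINERS=1` setting are assumptions about how you would wire it.

```shell
#!/bin/sh
# Added example, not the role's own unit template: the socat relay described
# above, a permission check for the relayed socket, and the Docker Socket
# Proxy front end recommended below.  Socket paths and the dockerremap group
# follow the README; the 660 mode, the socat options, the network name and
# the CONTAINERS=1 setting are assumptions about how you would wire this.

REAL_SOCK="${REAL_SOCK:-/var/run/docker.sock}"
RELAY_SOCK="${RELAY_SOCK:-/var/run/docker-userns.sock}"
RELAY_GROUP="${RELAY_GROUP:-dockerremap}"

# Relay: a new unix socket owned by root:$RELAY_GROUP with mode 660, every
# connection forwarded to the real daemon socket.  Runs in the foreground,
# so it fits a systemd unit with Type=simple and ExecStart=/bin/sh -c '...'.
socket_relay() {
  exec socat \
    "UNIX-LISTEN:$RELAY_SOCK,fork,mode=660,user=root,group=$RELAY_GROUP,unlink-early" \
    "UNIX-CONNECT:$REAL_SOCK"
}

# Check that a path has exactly the expected octal mode and group, so the
# relay has not ended up world-accessible (stat -c is GNU coreutils).
socket_perms_ok() {
  path="$1"; want_mode="$2"; want_group="$3"
  perms=$(stat -c '%a %G' "$path" 2>/dev/null) || return 1
  [ "$perms" = "$want_mode $want_group" ]
}

# Least-privilege front end: docker-socket-proxy enables API sections by
# environment variable and answers 403 for everything else.  CONTAINERS=1
# is what a reverse proxy such as Traefik needs for discovery; POST, EXEC,
# IMAGES, VOLUMES and the rest stay off.  The relay is mounted in place of
# the real socket (read-only is fine: connect() on a unix socket is not
# blocked by a read-only bind mount).
run_socket_proxy() {
  docker network create socket-proxy-net 2>/dev/null || true
  docker run -d --name socket-proxy --restart unless-stopped \
    --network socket-proxy-net \
    -v "$RELAY_SOCK:/var/run/docker.sock:ro" \
    -e CONTAINERS=1 \
    tecnativa/docker-socket-proxy
}
# Consumers join socket-proxy-net and talk to tcp://socket-proxy:2375, e.g.
# Traefik with --providers.docker.endpoint=tcp://socket-proxy:2375; they
# never see the socket file itself.
```

After starting the relay, `socket_perms_ok /var/run/docker-userns.sock 660 dockerremap` is the one-line check worth putting in a health test; a relay that comes up with the wrong mode or group hands daemon control to every remapped container.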
I'd recommend not using this copy directly in target containers (e.g. Traefik), but using it in combination with [Docker Socket Proxy](https://github.com/Tecnativa/docker-socket-proxy). The proxy exposes only the parts of the Docker API you enable, so the target container gets the bare minimum of what it needs; anything with full access to the socket can otherwise control the daemon, which amounts to root on the host.

## Role Variables
| Variable | Description | Default value |
| :--- | :--- | :--- |
| bsd_sshkey_folder | Local folder where the SSH keypair for bsd_docker_public_key_path is stored. | ~/.ssh |
| bsd_docker_gid | The group id of the newly created docker user. | 1337 |
| bsd_docker_uid | The user id of the newly created docker user. | 1337 |
| bsd_docker_password | The password of the docker user (change this; see the note above). | 123c2b9e024723391cf60279c5eb84e4! |
| bsd_docker_password_salt | The password salt of the docker user (change this as well). | f92dbbf8d7f268ba |
| bsd_docker_public_key_path | The path to the local public key that should be added to the admin user. | {{ bsd_sshkey_folder }}/id_rsa.pub |
| bsd_docker_volume_path | The path to a newly formatted disk to mount `/var/lib/docker` on. Note: if an invalid path is supplied, no mount action takes place. | /dev/disk/by-id/scsi-0DO_Volume_volume |
| bsd_docker_remap_socket_template | The template for the systemd unit that creates the docker remap socket. | {{ role_path }}/templates/dockerremapsocket.service.j2 |
| bsd_docker_deamon_template | The template for the Docker daemon configuration (daemon.json). | {{ role_path }}/templates/daemon.json.j2 |
| bsd_docker_iptables_template | The template for the iptables-persistent rules file (rules.v4). | {{ role_path }}/templates/rules.v4.j2 |
| bsd_docker_interface_out | The interface that traffic coming from the docker0 interface is allowed to route out on. | {{ ansible_default_ipv4.interface }} |

## Dependencies
[robertdebock.bootstrap](https://github.com/robertdebock/ansible-role-bootstrap)
[robertdebock.epel](https://github.com/robertdebock/ansible-role-epel)
[robertdebock.buildtools](https://github.com/robertdebock/ansible-role-buildtools)
[robertdebock.python_pip](https://github.com/robertdebock/ansible-role-python_pip)
[robertdebock.core_dependencies](https://github.com/robertdebock/ansible-role-core_dependencies)
[robertdebock.docker_ce](https://github.com/robertdebock/ansible-role-docker_ce)
[robertdebock.docker_compose](https://github.com/robertdebock/ansible-role-docker_compose)
## Example Playbook
```yaml
---
- hosts: all
  name: Bootstrap docker
  tasks:
    - include_role:
        name: bootstrap-docker
      vars:
        bsd_docker_username: "{{ docker_username }}"
        bsd_docker_password: "{{ docker_password }}"
        bsd_docker_password_salt: "{{ docker_password_salt }}"
        bsd_docker_public_key_path: "{{ docker_public_key_path }}"
        bsd_docker_volume_path: "/dev/disk/by-id/scsi-0DO_Volume_{{ do_docker_volume_name }}"
```

## License
MIT
## Author Information
- Justin Perdok ([@justin-p](https://github.com/justin-p/))
## Contributing
Feel free to open issues, contribute and submit your Pull Requests. You can also ping me on Twitter ([@JustinPerdok](https://twitter.com/JustinPerdok)).