Feature Request:

Add a variable docker_apt_filename to control apt repository filename. Default to ansible apt_repository default's (https://docs.ansible.com/ansible/2.6/modules/apt_repository_module.html)

Issues on ansible is

Error: Package: docker-ce-18.03.0.ce-1.el7.centos.x86_64 (docker-ce-stable)\n Requires: container-selinux >= 2.9\n

Can be easily reproduced on the server doing

yum install docker-ce
Loaded plugins: product-id, search-disabled-repos, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package docker-ce.x86_64 0:18.03.0.ce-1.el7.centos will be installed
--> Processing Dependency: container-selinux >= 2.9 for package: docker-ce-18.03.0.ce-1.el7.centos.x86_64
--> Processing Dependency: pigz for package: docker-ce-18.03.0.ce-1.el7.centos.x86_64
--> Running transaction check
---> Package docker-ce.x86_64 0:18.03.0.ce-1.el7.centos will be installed
--> Processing Dependency: container-selinux >= 2.9 for package: docker-ce-18.03.0.ce-1.el7.centos.x86_64
---> Package pigz.x86_64 0:2.3.4-1.el7 will be installed
--> Finished Dependency Resolution
Error: Package: docker-ce-18.03.0.ce-1.el7.centos.x86_64 (docker-ce-stable)
           Requires: container-selinux >= 2.9
**********************************************************************
yum can be configured to try to resolve such errors by temporarily enabling
disabled repos and searching for missing dependencies.
To enable this functionality please set 'notify_only=0' in /etc/yum/pluginconf.d/search-disabled-repos.conf
**********************************************************************

Error: Package: docker-ce-18.03.0.ce-1.el7.centos.x86_64 (docker-ce-stable)
           Requires: container-selinux >= 2.9
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

Changing notify_only to 0 in /etc/yum/pluginconf.d/search-disabled-repos.conf is fixing it.
Can we automate this? Or can I bypass this?

If you add another task:

• name: Create directory for docker proxy settings
  become: true
  shell: |
  mkdir -p /etc/systemd/system/docker.service.d
  echo >>/etc/systemd/system/docker.service.d/http-proxy.conf Environment="HTTP_PROXY=$http_proxy"
  echo >>/etc/systemd/system/docker.service.d/http-proxy.conf Environment="HTTP_PROXY=$http_proxy"
  echo >>/etc/systemd/system/docker.service.d/http-proxy.conf Environment="NO_PROXY=$no_proxy"

that uses the environment setting on the box (/etc/environment) and populates the Docker Proxy settings, it is a big help.

When using this role, the user gets warnings as follows;

[DEPRECATION WARNING]: The use of 'include' for tasks has been deprecated. Use 'import_tasks' for static inclusions or
'include_tasks' for dynamic inclusions. This feature will be removed in a future release. Deprecation warnings can be disabled by
setting deprecation_warnings=False in ansible.cfg.

There are currently three pull requests that fix this issue:

• #37
• #39
• #41

It may make sense to wait a couple more releases before making this merge as pointed out in comments on #37

I'm opening this ticket so people find this before opening another PR. :)

If you're setting restart policies on your containers and you reboot, if the docker daemon is not up automatically, you have to restart services by hand. The docker documentation shows us that we can:

$ sudo systemctl enable docker

I think that'd be nice to have this configurable in this role.

If we're in agreement, I'll submit a PR.

The quote from Docker documentation

Unless you have a strong reason not to, install the linux-image-extra-* packages, which allow Docker to use the aufs storage drivers.

$ sudo apt-get update

$ sudo apt-get install \
   linux-image-extra-$(uname -r) \
  linux-image-extra-virtual

Source: Recommended extra packages for Trusty 14.04

Recommended packages are not installed by the current role. Should be?

Looks like the older version of Python and it's lack of SNI support strikes again.

This role won't succeed against Ubuntu 14.04, due to its python 2.7.5 version and the lack of support for SNI.

I guess download.docker.com didn't used to require SNI? This sort of thing sometimes happens when services change CDN providers.

Might consider adding ubuntu 14.04 to travis, to catch situations like this.

Log attached:

TASK [geerlingguy.docker : Add Docker apt key.] ********************************
changed: [ubuntu_16_04]
fatal: [ubuntu_14_04]: FAILED! => {"changed": false, "failed": true, "msg": "Failed to validate the SSL certificate for download.docker.com:443. Make sure your managed systems have a valid CA certificate installed. If the website serving the url uses SNI you need python >= 2.7.9 on your managed machine or you can install the `urllib3`, `pyopenssl`, `ndg-httpsclient`, and `pyasn1` python modules to perform SNI verification in python >= 2.6. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible. The exception msg was: [Errno 1] _ssl.c:510: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure."}```

Hi,

I have tried to use this repo with ubuntu 18.04, but it fails.
Also I have seen this commit declaring that its not compatible.

Are you planning to add support for Ubuntu 18.04 in the next time?

In my opinion, a role should be able to run without defining become: true in the playbook. Only certain blocks should require become: true:

TASK [geerlingguy.docker : Ensure old versions of Docker are not installed.] *************************************************************************
ok: [localhost] => (item=docker)
ok: [localhost] => (item=docker-common)
ok: [localhost] => (item=docker-engine)

TASK [geerlingguy.docker : Add Docker GPG key.] ******************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "error: cannot open Packages index using db5 - Permission denied (13)\nerror: cannot open Packages database in /var/lib/rpm\nerror: /tmp/tmp783Lbf: key 1 import failed.\n"}
	to retry, use: --limit @/home/user/dev/ansible/dev-machine.retry

PLAY RECAP *******************************************************************************************************************************************
localhost

Hello Jeff,

I'm wondering how long are we all going to run on 1.x versions of docker, and running the latest docker version - 17.3.xx?

Ensure depdencies are installed

https://github.com/geerlingguy/ansible-role-docker/blob/master/tasks/setup-Debian.yml#L10

Deleted

Using version 2.5.0, I receive the following while executing the role using the devel branch:

TASK [geerlingguy.docker : Ensure dependencies are installed.] ***********************************************************************************************************************
[DEPRECATION WARNING]: Invoking "apt" only once while using a loop via squash_actions is deprecated. Instead of using a loop to supply multiple items and specifying `name: {{ item 
}}`, please use `name: [u'apt-transport-https', u'ca-certificates']` and remove the loop. This feature will be removed in version 2.11. Deprecation warnings can be disabled by 
setting deprecation_warnings=False in ansible.cfg.
ok: [hostname] => (item=[u'apt-transport-https', u'ca-certificates'])

The fix looks trivial, and will actually make the role more efficient. From the apt module notes:

When used with a loop: each package will be processed individually, it is much more efficient to pass the list directly to the name option.

According to master the docker-compose version is 1.16.1, but 2.10 refers to 1.13

I have been using the role with success on to create amis based off the following search patterns (and always getting the most recent result):

*debian-jessie-amd64-hvm*
*ubuntu-bionic-18.04-amd64-server*
*ubuntu-xenial-16.04-amd64-server*

However when attempting with:

*debian-stretch-amd64-hvm*

the role fails as follows:

    amazon-ebs: TASK [docker : Add Docker repository.] *****************************************
    amazon-ebs: Wednesday 21 November 2018  16:18:44 +0200 (0:00:00.092)       0:01:05.876 ****
    amazon-ebs: An exception occurred during task execution. To see the full traceback, use -vvv. The error was: Shared connection to 127.0.0.1 closed.
    amazon-ebs: fatal: [default]: FAILED! => changed=false
    amazon-ebs:   module_stderr: |-
    amazon-ebs:     Traceback (most recent call last):
    amazon-ebs:       File "/home/admin/.ansible/tmp/ansible-tmp-1542809924.26-27445738831388/AnsiballZ_apt_repository.py", line 113, in <module>
    amazon-ebs:         _ansiballz_main()
    amazon-ebs:       File "/home/admin/.ansible/tmp/ansible-tmp-1542809924.26-27445738831388/AnsiballZ_apt_repository.py", line 105, in _ansiballz_main
    amazon-ebs:         invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
    amazon-ebs:       File "/home/admin/.ansible/tmp/ansible-tmp-1542809924.26-27445738831388/AnsiballZ_apt_repository.py", line 48, in invoke_module
    amazon-ebs:         imp.load_module('__main__', mod, module, MOD_DESC)
    amazon-ebs:       File "/tmp/ansible_apt_repository_payload_a7mtty/__main__.py", line 550, in <module>
    amazon-ebs:       File "/tmp/ansible_apt_repository_payload_a7mtty/__main__.py", line 542, in main
    amazon-ebs:       File "/usr/lib/python2.7/dist-packages/apt/cache.py", line 464, in update
    amazon-ebs:         raise FetchFailedException(e)
    amazon-ebs:     apt.cache.FetchFailedException: E:The repository 'https://download.docker.com/linux/debian NA Release' does not have a Release file.

Hey, we're thinking about setting up a scheduled task to run docker system prune regularly - would you welcome such a PR?

It doesn't seem like the EE version of Docker is available in the source we are looking up here 🤔

Request failed", "response": "HTTP Error 404: Not Found", "state": "absent", "status_code": 404, "url": "https://download.docker.com/linux/centos/docker-ee.repo"}

Currently there's no option to specify a specific docker version, which is desired in the case for something like a Kubernetes (which at the moment requires a 17.03.x version), or keeping all installations consistent across a set of servers without necessarily moving them all to the latest version.

At the moment I fixed this by overriding the docker_package variable for those specific hosts like this, but this only works for Ubuntu hosts:

# Explicitly set the version of docker to be installed to the one here:
docker_version: '17.03.2'
docker_package: 'docker-{{docker_edition}}={{docker_version}}~{{docker_edition}}-0~{{ansible_distribution|lower}}-{{ansible_distribution_release}}'

Not sure how this would be handled best, but you need some version specific handling per distribution, since the "version" part of the package name already uses a different separator between apt (which uses =) and yum (which uses -).

It would be nice if this could be generalized somehow, but I don't need yum support at the moment, so my 'quick hack' works at the moment.

Hi, amazing role !
I'd like to have the daemon.json configured as this when installing with the role:

{
    "default-runtime": "nvidia",
    "default-shm-size": "1G",
    "runtimes": {
        "nvidia": {
            "path": "nvidia-container-runtime",
            "runtimeArgs": []
        }
    }
}

Which approach do you think would support doing that.
Can I extend your role somehow and deploy the file manually ?
Thanks.

• role: 1.22

  • ansible-role-docker/defaults/main.yml

    Line 14 in fa1a568

    docker_compose_version: "1.22.0"

• role: 1.26.0
  • https://github.com/geerlingguy/ansible-role-docker/blob/master/defaults/main.yml#L14
• latest: 1.26.2
  • #221
  • https://pypi.org/project/docker-compose/#history

Workaround: set docker_compose_version: 1.26 in inventory (#2)

ansible_distribution_release does not work properly on Debian buster for unclear reasons (it resolves to NA rather than buster). See ansible/ansible#19874

Using ansible_lsb.codename rather than ansible_distribution_release for the docker apt repository would solve this problem, or potentially checking for buster and setting manually as a workaround. I realize that the underlying issue is in ansible itself, but that still makes this not work by default which makes for a frustrating experience.

Hi thanks for making this role. I have some feedback. I think that this role should consider adding a user to the docker group to allow users to run docker

See #97 — basically, to fix that issue I'm adding a shim that fixes running Docker 18.09.0 on any systemd/containerd system (basically anything this role supports besides CentOS 6 and Ubuntu 14.04).

This issue is postponed until the next release of Docker, at which time I'll revert that commit.

Using version 2.5.0, I receive the following while executing the role using the devel branch:

TASK [geerlingguy.docker : Ensure Docker is started and enabled at boot.] ************************************************************************************************************
ok: [hostname]
 [WARNING]: flush_handlers task does not support when conditional

As the flush always triggers, regardless of when, I propose removing the when to fix the warning.

fatal: [174.138.8.0]: FAILED! => {"changed": false, "msg": "Failed to import docker-py - No module named requests.exceptions. Try pip install docker-py"}

See related issue/motivation: geerlingguy/raspberry-pi-dramble#100

Basically, make it so you can use the Docker install 'convenience script' on platforms where it's required (e.g. Raspbian).

Hello,

For strange reasons, when I install docker and docker-compose with this role, the docker-compose binary is not available for all users. It work with the 'root' user but not with users with restricted privileges (i believe this is a $PATH issue).

I have solved the problem by creating a symlink to the current binary:
ln -s /usr/local/bin/docker-compose /bin/docker-compose.

I can add the symlink to the role, but maybe there is a better way ?

I use a fresh VM with minimal installation of the latest Centos7.

I have a simple playbook

- hosts: virt
  vars:
    firewall_allowed_tcp_ports:
    - "22"
  roles:
    - firewall
    - docker

After successfull completion running docker run -p 1234:1234 hello-world results in:

docker: Error response from daemon: driver failed programming external connectivity on endpoint amazing_mestorf (3dcbb599298bbd13e3769ef93d5659c25185f143f819250dc9a67f80caefe31c): (iptables failed: iptables --wait -t filter -A DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.2 --dport 1234 -j ACCEPT: iptables: No chain/target/match by that name. (exit status 1)).

Workaround is to restart the Docker service

I love your Ansible Roles -- but the major no-go for me is the fact I can't override the storage driver easily.

https://download.docker.com had been block ,so I　change to aliyun.
follow is my conf in vars,but it can't install docker-ce

Used only for RedHat/CentOS/Fedora.

docker_yum_repo_url: http://mirrors.aliyun.com/docker-ce/linux/{{ (ansible_distribution == "Fedora") | ternary("fedora","centos") }}/docker-{{ docker_edition }}.repo
docker_yum_repo_enable_edge: 0
docker_yum_repo_enable_test: 0

Hi @geerlingguy ,
thanks for implemeting this almost perfect role! One of last steps towards perfection would be to re-login user when she was added to the 'docker' group, at least when username matches ansible remote user:

roles:
    - { role: geerlingguy.docker, docker_users: ['{{ ansible_user_id }}'], become: yes }

Problem is that I cannot use the docker_container in the same play otherwise (without privilege escalation), because login+logout is required for group assigment to take effect.

Since Docker loves changing the entire ecosystem every year or so, in the time between creating this role and now, the recommended installation method has changed entirely: https://docs.docker.com/engine/installation/linux/centos/#install-using-the-repository

I haven't looked at the docs on Debian quite yet, but I need to update all the things for CentOS at least:

• Use docker-ce as the package to install by default (but leave this configurable so people can install docker-ee if they need it).
• Switch the Yum repo URL (and make it a configurable option so people can install from the EE repos if they like).
• Set up the Yum repo to allow the choice of the Edge release channel.

When the docker_users var is used, the user's primary group is set to docker. This is probably undesirable in most cases, and instead docker be added to the list of the user's supplementary groups.

What do you think about offering the possibility to upgrade Docker version by simply not hard-code state=present

Example from other role (random pick) https://github.com/angstwad/docker.ubuntu/blob/master/tasks/main.yml#L97

Any plans to include windows platforms in this role?

I'm seeing the following two deprecation warnings when running this role under Ansible 2.5 or later:

TASK [geerlingguy.docker : Ensure curl is present (on older systems without SNI).] *************************************
[DEPRECATION WARNING]: Using tests as filters is deprecated. Instead of using `result|failed` instead use `result is 
failed`. This feature will be removed in version 2.9. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.
skipping: [192.168.44.3]

TASK [geerlingguy.docker : Add Docker apt key (alternative for older systems without SNI).] ****************************
[DEPRECATION WARNING]: Using tests as filters is deprecated. Instead of using `result|failed` instead use `result is 
failed`. This feature will be removed in version 2.9. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.
skipping: [192.168.44.3]

# fc29
dnf install -y docker docker-compose

# docker-1.13.1-62.git9cb56fd.fc29.src.rpm
# docker-compose-1.22.0-2.fc29.src.rpm

# fc32
dnf install -y moby-engine docker-compose

What's a good way to make this (only installing from a limited set of package repos) optional?

Docker Compose isn't installed by default on Linux, so we need to install it separately (optionally). See the Install Docker Compose documentation.

It looks like it's as simple as downloading the binary straight to a path in $PATH, but I want to make sure there are no particular gotchas and it's as configurable as it needs to be.

Is there a way to pin to a specific version so that apt-get upgrade does not upgrade Docker and Docker Compose?

It seems that we are looking for a docker service that is nonexistant.

I am testing this in a docker container 'centos:7'. so it fails on line /geerlingguy.docker/tasks/main.yml:11

any ideas? Docker in Docker should not cause issues right?

Just to leave a comment that may help other people. I am using AWSLinux on Vagrant (image hbsmith/awslinux).
To install docker on it, you have to set docker_packageto docker and you are all good.

I've had some trouble getting your Kubernetes role to work in a Vagrant environment so I decided to try Docker Swarm and it was a whole lot easier to create a cluster. Yeah, I know it's not as complicated but it would be nice to have some functionality similar to your Kubernetes role in this role. I've got an idea on how to set it up and I'd like to get a pull request in for it. Please let me know if this something you'd be interested in having as a part of this role.

although

docker_compose_version: "1.22.0" is defined

the local version remains outdated

docker-compose --version
docker-compose version 1.13.0, build 1719ceb

after running this role

Debugging

It seems that the full path has to be specified as just running docker-compose fails, while docker-compose itself exists in /usr/local/bin

TASK [geerlingguy.docker : debug] **********************************************
ok: [localhost] => {
    "docker_compose_current_version": {
        "changed": false, 
        "cmd": "docker-compose --version", 
        "failed": false, 
        "failed_when_result": false, 
        "msg": "[Errno 2] No such file or directory", 
        "rc": 2
    }
}

When using this role on a freshly-deployed Ubuntu 16.04 host, we are getting the following error:

Unable to restart service docker: Job for docker.service failed because the control process exited with error code. See \"systemctl status docker.service\" and \"journalctl -xe\" for details.\n

Hi, it would be very useful to define the proxy variable for docker.

I have to assume you run your ansible as root. When I try to run your scripts, it all fails with permissions. I have to update each task with become: true, then it all runs perfect.

It's plausible someone is installing this role because they're planning to execute an Ansible docker_container task, however this task depends on the python docker package to function.

It'd be great if this role added this package directly, to avoid having to check for it in dependent roles.

With the current logic, you're stuck with the version of Docker Compose you originally downloaded, forever. Make it so the role upgrades if you set a newer docker_compose_version.

This role seems to delete and reinstall Docker Compose every time on both a macOS 10.13.6 target and a Centos 7 target.

TASK [geerlingguy.docker : Delete existing docker-compose version if it's different.] *************
changed: [hostname]

TASK [geerlingguy.docker : Install Docker Compose (if configured).] *******************************
changed: [hostname]

Not sure if I have something configured incorrectly. These are the only configurations that I think are related to the role:

# geerlingguy.docker settings
pip_install_packages:
  - name: docker
  - name: docker-compose
docker_users:
  - user1
  - user2

Let me know what kind of other information you'd like me to share.