docker(role): provide option to set up gVisor (runsc runtime)

This commit is contained in:
June 2026-05-21 03:02:38 +02:00
commit d2ace350b0
Signed by: june
SSH key fingerprint: SHA256:o9EAq4Y9N9K0pBQeBTqhSDrND5E7oB+60ZNx0U1yPe0
8 changed files with 69 additions and 19 deletions


@ -16,7 +16,8 @@ None.
## Optional Arguments ## Optional Arguments
None. - `docker__gvisor_setup`: Whether or not to set up [gVisor](https://gvisor.dev/) (`runsc` runtime).
Defaults to `false`.
## Links & Resources ## Links & Resources


@ -0,0 +1 @@
docker__gvisor_setup: false


@ -2,3 +2,9 @@
ansible.builtin.systemd_service: ansible.builtin.systemd_service:
daemon_reload: true daemon_reload: true
become: true become: true
- name: restart the docker service
ansible.builtin.systemd:
name: docker.service
state: restarted
become: true
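Review bot: The new handler (L29–L33) calls `ansible.builtin.systemd` while the existing handler directly above it (L26) uses `ansible.builtin.systemd_service`; they are the same module under two names, but one file should use one spelling, so change L30 to `ansible.builtin.systemd_service:`. The handler name is also lower-case (`restart the docker service`) whereas the tasks in this role are capitalised (`Ensure …`); keep whichever convention the rest of the handlers file follows. As far as I recall, dockerd re-reads the `runtimes` key on SIGHUP, so a `state: reloaded` handler would be enough for the gVisor addition alone, but the `log-driver` change also carried by the same template does need the full restart, so `restarted` is the right choice here — worth a one-line comment above the handler so the next reader does not "optimise" it to `reloaded`.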


@ -0,0 +1,6 @@
argument_specs:
main:
options:
docker__gvisor_setup:
type: bool
required: false
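Review bot: The new argument spec for `docker__gvisor_setup` (L41–L43) has neither a `description` nor a `default`, so `ansible-doc` and role argument validation present an undocumented optional bool whose default can only be found in defaults/main.yml. Add `default: false` and a `description` under the option, e.g. `description: Install the gVisor APT repository and runsc package and register the runsc runtime in daemon.json; containers still need to opt in with --runtime=runsc.` A `short_description` on the `main:` entry point would complete the spec.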


@ -1,3 +1,5 @@
- name: ensure Docker repo
block:
- name: Ensure Dockers GPG key is added - name: Ensure Dockers GPG key is added
ansible.builtin.get_url: ansible.builtin.get_url:
url: https://download.docker.com/linux/debian/gpg url: https://download.docker.com/linux/debian/gpg
@ -13,3 +15,22 @@
filename: docker filename: docker
state: present state: present
become: true become: true
- name: ensure gVisor repo
when: docker__gvisor_setup
block:
- name: Ensure gVisors GPG key is added
ansible.builtin.get_url:
url: https://gvisor.dev/archive.key
dest: /etc/apt/keyrings/gvisor.asc
mode: "0644"
owner: root
group: root
become: true
- name: Ensure gVisors APT repository is added
ansible.builtin.apt_repository:
repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/gvisor.asc] https://storage.googleapis.com/gvisor/releases release main"
filename: gvisor
state: present
become: true
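Review bot: The gVisor repository line hard-codes `arch=amd64` (L70), so on an arm64 host apt silently ignores the repo and the later `runsc` install fails with an unresolvable package rather than a clear message; if non-amd64 hosts are in scope, derive it from facts, e.g. `repo: "deb [arch={{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }} signed-by=/etc/apt/keyrings/gvisor.asc] https://storage.googleapis.com/gvisor/releases release main"`, otherwise add an explicit `assert` on `ansible_architecture` so the failure is legible. The signing key is fetched with `get_url` and no `checksum` (L61–L63), so whatever is served at that URL becomes a trusted APT signing key on every run; consider pinning `checksum: "sha256:<fingerprint-of-current-key>"` (placeholder) so a key change is a reviewed update rather than a silent trust change — this applies equally to the Docker key task in the hunk above, which predates this commit. Minor: "gVisors" in the task names should be "gVisor's".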


@ -9,3 +9,12 @@
state: present state: present
update_cache: true update_cache: true
become: true become: true
- name: Ensure gVisors packages are installed
when: docker__gvisor_setup
ansible.builtin.apt:
name:
- runsc
state: present
update_cache: true
become: true


@ -2,10 +2,11 @@
# - log to systemd journal # - log to systemd journal
# https://docs.docker.com/engine/logging/drivers/journald/ # https://docs.docker.com/engine/logging/drivers/journald/
- name: Ensure Docker daemon configuration - name: Ensure Docker daemon configuration
ansible.builtin.copy: ansible.builtin.template:
src: daemon.json src: daemon.json.j2
dest: /etc/docker/daemon.json dest: /etc/docker/daemon.json
owner: root owner: root
group: root group: root
mode: "0644" mode: "0644"
become: true become: true
notify: restart the docker service
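Review bot: The new `notify` (L103) means any change to daemon.json now restarts docker.service, and a restart stops every running container unless the daemon runs with `"live-restore": true`, which the visible part of daemon.json.j2 does not set; either add live-restore to the template or state in the README that re-running the role with a changed config restarts workloads on the host. Because the file is now rendered from Jinja logic, a template mistake would leave dockerd unable to start after that restart; `ansible.builtin.template` supports `validate`, and if I recall correctly engines from 23.0 accept `validate: "dockerd --validate --config-file=%s"`, which rejects an invalid file before it replaces the live one. The task's enclosing file continues outside the hunk.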


@ -1,7 +1,7 @@
{ {
"log-driver": "journald", "log-driver": "journald",
"log-opts": { "log-opts": {
"tag": "{{.Name}}" "tag": "{{ '{{.Name}}' }}"
}, },
"ipv6": true, "ipv6": true,
"ip6tables": true, "ip6tables": true,
@ -10,5 +10,10 @@
"bridge": { "bridge": {
"com.docker.network.enable_ipv6":"true" "com.docker.network.enable_ipv6":"true"
} }
}{% if docker__gvisor_setup %},
"runtimes": {
"runsc": {
"path": "/usr/bin/runsc"
} }
}{% endif %}
} }
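Review bot: Registering `runsc` under `runtimes` (L120–L124) makes the runtime available but not the default, so containers keep running under runc unless started with `--runtime=runsc`; since a JSON template cannot carry a comment, that fact belongs in the README entry for `docker__gvisor_setup`, and a `default-runtime` toggle could be a follow-up. On style, splicing `{% if %}`/`{% endif %}` into the closing braces on L119 and L124 is fragile to edit — a misplaced comma renders invalid JSON that only surfaces when dockerd refuses to start; defining the daemon config as a dict in vars and rendering the whole file with a single `{{ <config_var> | to_nice_json }}` (placeholder name) keeps the output valid by construction and lets the gVisor entry be added with a plain `combine` filter.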