From f956ed6f35820751f56e14149845c0f073fa3b23 Mon Sep 17 00:00:00 2001
From: June
Date: Thu, 21 May 2026 03:02:38 +0200
Subject: [PATCH] docker(role): provide option to set up gVisor (runsc runtime)
---
 roles/docker/README.md | 3 +-
 roles/docker/defaults/main.yaml | 1 +
 roles/docker/handlers/main.yaml | 6 +++
 roles/docker/meta/argument_specs.yaml | 6 +++
 roles/docker/tasks/main/01_repo_setup.yaml | 49 +++++++++++++------
 .../docker/tasks/main/02_docker_install.yaml | 9 ++++
 roles/docker/tasks/main/03_docker_config.yaml | 5 +-
 .../daemon.json => templates/daemon.json.j2} | 9 +++-
 8 files changed, 69 insertions(+), 19 deletions(-)
 create mode 100644 roles/docker/defaults/main.yaml
 create mode 100644 roles/docker/meta/argument_specs.yaml
 rename roles/docker/{files/daemon.json => templates/daemon.json.j2} (59%)
diff --git a/roles/docker/README.md b/roles/docker/README.md
index b7f38e1..befc005 100644
--- a/roles/docker/README.md
+++ b/roles/docker/README.md
@@ -16,7 +16,8 @@ None.
 ## Optional Arguments
-None.
+- `docker__gvisor_setup`: Whether or not to set up [gVisor](https://gvisor.dev/) (`runsc` runtime).
+ Defaults to `false`.
 ## Links & Resources
diff --git a/roles/docker/defaults/main.yaml b/roles/docker/defaults/main.yaml
new file mode 100644
index 0000000..351f397
--- /dev/null
+++ b/roles/docker/defaults/main.yaml
@@ -0,0 +1 @@
+docker__gvisor_setup: false
diff --git a/roles/docker/handlers/main.yaml b/roles/docker/handlers/main.yaml
index ada2426..6c37581 100644
--- a/roles/docker/handlers/main.yaml
+++ b/roles/docker/handlers/main.yaml
@@ -2,3 +2,9 @@
 ansible.builtin.systemd_service:
 daemon_reload: true
 become: true
+
+- name: restart the docker service
+ ansible.builtin.systemd:
+ name: docker.service
+ state: restarted
+ become: true
diff --git a/roles/docker/meta/argument_specs.yaml b/roles/docker/meta/argument_specs.yaml
new file mode 100644
index 0000000..6549387
--- /dev/null
+++ b/roles/docker/meta/argument_specs.yaml
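Review bot: The new `restart the docker service` handler addresses the module as `ansible.builtin.systemd` while the handler directly above it (the `ansible.builtin.systemd_service:` context line) uses the current name of the same module; writing `ansible.builtin.systemd_service:` here keeps the file to one spelling. More importantly, `state: restarted` on docker.service stops every running container unless `live-restore` is enabled, and the daemon.json.j2 template in this patch does not set it, so the `notify` added in 03_docker_config.yaml turns any daemon.json change into a container outage; either add `"live-restore": true` to the template or put `# NOTE: restarting dockerd stops all running containers unless live-restore is enabled` on the handler so operators know what a changed template costs. As far as I recall, `runtimes` is among the keys dockerd re-reads on SIGHUP, so `state: reloaded` would cover the gVisor addition on its own, but the journald and IPv6 keys in the same file are not reloadable, which is what justifies a restart as the general-purpose handler.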
@@ -0,0 +1,6 @@
+argument_specs:
+ main:
+ options:
+ docker__gvisor_setup:
+ type: bool
+ required: false
diff --git a/roles/docker/tasks/main/01_repo_setup.yaml b/roles/docker/tasks/main/01_repo_setup.yaml
index 63bdb91..6105627 100644
--- a/roles/docker/tasks/main/01_repo_setup.yaml
+++ b/roles/docker/tasks/main/01_repo_setup.yaml
@@ -1,15 +1,36 @@
-- name: Ensure Dockers GPG key is added
- ansible.builtin.get_url:
- url: https://download.docker.com/linux/debian/gpg
- dest: /etc/apt/trusted.gpg.d/docker.asc
- mode: "0644"
- owner: root
- group: root
- become: true
+- name: ensure Docker repo
+ block:
+ - name: Ensure Dockers GPG key is added
+ ansible.builtin.get_url:
+ url: https://download.docker.com/linux/debian/gpg
+ dest: /etc/apt/trusted.gpg.d/docker.asc
+ mode: "0644"
+ owner: root
+ group: root
+ become: true
-- name: Ensure Docker APT repository is added
- ansible.builtin.apt_repository:
- repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/debian {{ ansible_facts['distribution_release'] }} stable"
- filename: docker
- state: present
- become: true
+ - name: Ensure Docker APT repository is added
+ ansible.builtin.apt_repository:
+ repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/debian {{ ansible_facts['distribution_release'] }} stable"
+ filename: docker
+ state: present
+ become: true
+
+- name: ensure gVisor repo
+ when: docker__gvisor_setup
+ block:
+ - name: Ensure gVisors GPG key is added
+ ansible.builtin.get_url:
+ url: https://gvisor.dev/archive.key
+ dest: /etc/apt/keyrings/gvisor.asc
+ mode: "0644"
+ owner: root
+ group: root
+ become: true
+
+ - name: Ensure gVisors APT repository is added
+ ansible.builtin.apt_repository:
+ repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/gvisor.asc] https://storage.googleapis.com/gvisor/releases release main"
+ filename: gvisor
+ state: present
+ become: true
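Review bot: The `docker__gvisor_setup` option spec carries neither a `description` nor a `default`, so `ansible-doc` output and the role's argument-validation messages cannot tell a user what the flag does or that it is `false` by default (the value this patch sets in defaults/main.yaml). I would add `description: Whether to set up gVisor (the runsc runtime) alongside Docker.` and `default: false` under the option; `required: false` is already the default for options and is redundant, though harmless.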
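Review bot: `Ensure gVisors GPG key is added` writes to `/etc/apt/keyrings/gvisor.asc`, but nothing in the role creates `/etc/apt/keyrings` and `ansible.builtin.get_url` does not create parent directories; on Debian releases whose apt predates 2.4 (bullseye, as far as I know) the directory is absent and the task fails, so a `file` task with `state: directory` should precede it inside the block. While the Docker tasks are only re-indented here, the new block now holds two different keyring conventions: the Docker key lands in `/etc/apt/trusted.gpg.d/`, where it is trusted for every configured repository and the `signed-by=` in its repo line adds nothing, whereas the gVisor key in `/etc/apt/keyrings/` is genuinely scoped to its repo; moving `docker.asc` to `/etc/apt/keyrings/` (and updating its `signed-by=` path) would give both repositories the same key-scoping. Minor: the new block names (`ensure Docker repo`, `ensure gVisor repo`) are lower-case while every task name in the file starts with `Ensure`.
```yaml
- name: ensure gVisor repo
  when: docker__gvisor_setup
  block:
    - name: Ensure the APT keyrings directory exists
      ansible.builtin.file:
        path: /etc/apt/keyrings
        state: directory
        owner: root
        group: root
        mode: "0755"
      become: true

    # … unchanged: gVisor GPG key and APT repository tasks …
```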
diff --git a/roles/docker/tasks/main/02_docker_install.yaml b/roles/docker/tasks/main/02_docker_install.yaml
index f2ae880..b7334e1 100644
--- a/roles/docker/tasks/main/02_docker_install.yaml
+++ b/roles/docker/tasks/main/02_docker_install.yaml
@@ -9,3 +9,12 @@
 state: present
 update_cache: true
 become: true
+
+- name: Ensure gVisors packages are installed
+ when: docker__gvisor_setup
+ ansible.builtin.apt:
+ name:
+ - runsc
+ state: present
+ update_cache: true
+ become: true
diff --git a/roles/docker/tasks/main/03_docker_config.yaml b/roles/docker/tasks/main/03_docker_config.yaml
index 639e8fa..88ee96b 100644
--- a/roles/docker/tasks/main/03_docker_config.yaml
+++ b/roles/docker/tasks/main/03_docker_config.yaml
@@ -2,10 +2,11 @@
 # - log to systemd journal
 # https://docs.docker.com/engine/logging/drivers/journald/
 - name: Ensure Docker daemon configuration
- ansible.builtin.copy:
- src: daemon.json
+ ansible.builtin.template:
+ src: daemon.json.j2
 dest: /etc/docker/daemon.json
 owner: root
 group: root
 mode: "0644"
 become: true
+ notify: restart the docker service
diff --git a/roles/docker/files/daemon.json b/roles/docker/templates/daemon.json.j2
similarity index 59%
rename from roles/docker/files/daemon.json
rename to roles/docker/templates/daemon.json.j2
index d55e4cb..b6f6025 100644
--- a/roles/docker/files/daemon.json
+++ b/roles/docker/templates/daemon.json.j2
@@ -1,7 +1,7 @@
 {
 "log-driver": "journald",
 "log-opts": {
- "tag": "{{.Name}}"
+ "tag": "{{ '{{.Name}}' }}"
 },
 "ipv6": true,
 "ip6tables": true,
@@ -10,5 +10,10 @@
 "bridge": {
 "com.docker.network.enable_ipv6":"true"
 }
- }
+ }{% if docker__gvisor_setup %},
+ "runtimes": {
+ "runsc": {
+ "path": "/usr/bin/runsc"
+ }
+ }{% endif %}
 }
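Review bot: The switch to `ansible.builtin.template` renders daemon.json with no validation, so a Jinja slip in daemon.json.j2 (the `}{% if %}…{% endif %}` comma construction is easy to break when a second conditional key is added) is only caught when the notified restart fails and dockerd stays down. Adding `validate: dockerd --validate --config-file %s` to the task rejects a broken render before it replaces the live file; `dockerd --validate` exists from Docker Engine 23.0, which the docker-ce stable repository configured in 01_repo_setup.yaml should provide. The header comment that enumerates what the daemon config does (`# - log to systemd journal` is the visible part) should also gain a bullet such as `# - register the gVisor runsc runtime when docker__gvisor_setup is set`.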
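Review bot: Adding `runsc` under `runtimes` only registers the runtime; with `docker__gvisor_setup: true` containers still run under runc unless they are started with `--runtime=runsc` or `default-runtime` points at it, so the README's "set up gVisor" promises more isolation than the flag delivers by itself. A Jinja comment in the template, `{# runsc is registered but not made the default; containers opt in with --runtime=runsc or via default-runtime #}`, and a matching sentence in the README would make the opt-in nature explicit. The `}{% if %},` placement works for one conditional key, but each further one has to re-solve the trailing-comma problem; building the daemon config as an Ansible dict (e.g. a `docker__daemon_config` variable, name constructed here) and rendering it with `{{ ... | to_nice_json }}` would sidestep that entirely.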