docker(role): provide option to set up gVisor (runsc runtime)

2026-05-21 03:02:38 +02:00 · 2026-05-21 03:02:38 +02:00 · f956ed6f35
commit f956ed6f35
parent d4a1dee108
8 changed files with 69 additions and 19 deletions
--- a/roles/docker/tasks/main/01_repo_setup.yaml
+++ b/roles/docker/tasks/main/01_repo_setup.yaml
@ -1,15 +1,36 @@
- name: Ensure Dockers GPG key is added
-  ansible.builtin.get_url:
-    url: https://download.docker.com/linux/debian/gpg
-    dest: /etc/apt/trusted.gpg.d/docker.asc
-    mode: "0644"
-    owner: root
-    group: root
-  become: true
+- name: ensure Docker repo
+  block:
+    - name: Ensure Dockers GPG key is added
+      ansible.builtin.get_url:
+        url: https://download.docker.com/linux/debian/gpg
+        dest: /etc/apt/trusted.gpg.d/docker.asc
+        mode: "0644"
+        owner: root
+        group: root
+      become: true

- name: Ensure Docker APT repository is added
-  ansible.builtin.apt_repository:
-    repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/debian {{ ansible_facts['distribution_release'] }} stable"
-    filename: docker
-    state: present
-  become: true
+    - name: Ensure Docker APT repository is added
+      ansible.builtin.apt_repository:
+        repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/debian {{ ansible_facts['distribution_release'] }} stable"
+        filename: docker
+        state: present
+      become: true
+
+- name: ensure gVisor repo
+  when: docker__gvisor_setup
+  block:
+    - name: Ensure gVisors GPG key is added
+      ansible.builtin.get_url:
+        url: https://gvisor.dev/archive.key
+        dest: /etc/apt/keyrings/gvisor.asc
+        mode: "0644"
+        owner: root
+        group: root
+      become: true
+
+    - name: Ensure gVisors APT repository is added
+      ansible.builtin.apt_repository:
+        repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/gvisor.asc] https://storage.googleapis.com/gvisor/releases release main"
+        filename: gvisor
+        state: present
+      become: true
--- a/roles/docker/tasks/main/02_docker_install.yaml
+++ b/roles/docker/tasks/main/02_docker_install.yaml
@ -9,3 +9,12 @@
    state: present
    update_cache: true
  become: true
+
+- name: Ensure gVisors packages are installed
+  when: docker__gvisor_setup
+  ansible.builtin.apt:
+    name:
+      - runsc
+    state: present
+    update_cache: true
+  become: true
--- a/roles/docker/tasks/main/03_docker_config.yaml
+++ b/roles/docker/tasks/main/03_docker_config.yaml
@ -2,10 +2,11 @@
 # - log to systemd journal
 #   https://docs.docker.com/engine/logging/drivers/journald/
 - name: Ensure Docker daemon configuration
-  ansible.builtin.copy:
-    src: daemon.json
+  ansible.builtin.template:
+    src: daemon.json.j2
    dest: /etc/docker/daemon.json
    owner: root
    group: root
    mode: "0644"
  become: true
+  notify: restart the docker service