docker(role): provide option to set up gVisor (runsc runtime)

roles/docker/README.md

@@ -16,7 +16,8 @@ None.
 
 ## Optional Arguments
 
-None.
+- `docker__gvisor_setup`: Whether or not to set up [gVisor](https://gvisor.dev/) (`runsc` runtime).  
+  Defaults to `false`.
 
 ## Links & Resources
 

roles/docker/defaults/main.yaml

@@ -0,0 +1 @@
+docker__gvisor_setup: false

roles/docker/handlers/main.yaml

@@ -2,3 +2,9 @@
   ansible.builtin.systemd_service:
     daemon_reload: true
   become: true
+
+- name: restart the docker service
+  ansible.builtin.systemd:
+    name: docker.service
+    state: restarted
+  become: true

roles/docker/meta/argument_specs.yaml

@@ -0,0 +1,6 @@
+argument_specs:
+  main:
+    options:
+      docker__gvisor_setup:
+        type: bool
+        required: false

roles/docker/tasks/main/01_repo_setup.yaml

@@ -1,15 +1,36 @@
-- name: Ensure Dockers GPG key is added
-  ansible.builtin.get_url:
-    url: https://download.docker.com/linux/debian/gpg
-    dest: /etc/apt/trusted.gpg.d/docker.asc
-    mode: "0644"
-    owner: root
-    group: root
-  become: true
+- name: ensure Docker repo
+  block:
+    - name: Ensure Dockers GPG key is added
+      ansible.builtin.get_url:
+        url: https://download.docker.com/linux/debian/gpg
+        dest: /etc/apt/trusted.gpg.d/docker.asc
+        mode: "0644"
+        owner: root
+        group: root
+      become: true
 
-- name: Ensure Docker APT repository is added
-  ansible.builtin.apt_repository:
-    repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/debian {{ ansible_facts['distribution_release'] }} stable"
-    filename: docker
-    state: present
-  become: true
+    - name: Ensure Docker APT repository is added
+      ansible.builtin.apt_repository:
+        repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/debian {{ ansible_facts['distribution_release'] }} stable"
+        filename: docker
+        state: present
+      become: true
+
+- name: ensure gVisor repo
+  when: docker__gvisor_setup
+  block:
+    - name: Ensure gVisors GPG key is added
+      ansible.builtin.get_url:
+        url: https://gvisor.dev/archive.key
+        dest: /etc/apt/keyrings/gvisor.asc
+        mode: "0644"
+        owner: root
+        group: root
+      become: true
+
+    - name: Ensure gVisors APT repository is added
+      ansible.builtin.apt_repository:
+        repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/gvisor.asc] https://storage.googleapis.com/gvisor/releases release main"
+        filename: gvisor
+        state: present
+      become: true

roles/docker/tasks/main/02_docker_install.yaml

@@ -9,3 +9,12 @@
     state: present
     update_cache: true
   become: true
+
+- name: Ensure gVisors packages are installed
+  when: docker__gvisor_setup
+  ansible.builtin.apt:
+    name:
+      - runsc
+    state: present
+    update_cache: true
+  become: true

roles/docker/tasks/main/03_docker_config.yaml

@@ -2,10 +2,11 @@
 # - log to systemd journal
 #   https://docs.docker.com/engine/logging/drivers/journald/
 - name: Ensure Docker daemon configuration
-  ansible.builtin.copy:
-    src: daemon.json
+  ansible.builtin.template:
+    src: daemon.json.j2
     dest: /etc/docker/daemon.json
     owner: root
     group: root
     mode: "0644"
   become: true
+  notify: restart the docker service

roles/docker/templates/daemon.json.j2

@@ -1,7 +1,7 @@
 {
     "log-driver": "journald",
     "log-opts": {
-        "tag": "{{.Name}}"
+        "tag": "{{ '{{.Name}}' }}"
     },
     "ipv6": true,
     "ip6tables": true,
@@ -10,5 +10,10 @@
         "bridge": {
             "com.docker.network.enable_ipv6":"true"
         }
-    }
+    }{% if docker__gvisor_setup %},
+    "runtimes": {
+        "runsc": {
+            "path": "/usr/bin/runsc"
+        }
+    }{% endif %}
 }