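---
# file: roles/docker/tasks/main.yml
#
# Installs docker-ce from the download.docker.com apt repository, the compose
# v2 plugin, optionally a standalone docker-compose binary from GitHub, and
# logs docker_user into the registries listed in docker_registry_login.
#
# Variables read by these tasks: docker_pinned, docker_compose,
# docker_compose_version, docker_compose_update_now, global_update_now,
# docker_user, docker_rootless, docker_registry_login.

- name: "packages prerequisites"
  ansible.builtin.apt:
    name:
      - ca-certificates
      - curl
      - software-properties-common
  tags: docker

- name: "apt package for pip"
  ansible.builtin.apt:
    name:
      - python3-pkg-resources
      - python3-setuptools
  tags: docker

# The Python docker SDK is what the community.docker modules used further
# down run on. These two packages are unpinned, so whatever version the
# package index serves at run time gets installed.
- name: "[ubuntu and Debian 11-] module installation with pip needed for ansible control"
  ansible.builtin.pip:
    name:
      - docker
      - docker-compose
  when: >-
    ansible_distribution == "Ubuntu"
    or ( ansible_distribution == "Debian"
    and ansible_distribution_major_version is version('12', '<'))
  tags: docker

- name: "[Debian 12+] apt install python3-docker for ansible control"
  ansible.builtin.apt:
    name:
      - python3-docker
  when:
    - ansible_distribution == "Debian"
    - ansible_distribution_major_version is version('12', '>=')
  tags: docker

- name: "apt install docker-compose v1 from debian package"
  ansible.builtin.apt:
    name:
      - docker-compose
  tags: docker

# Drops the Docker key from the global apt-key keyring, where it would be
# trusted for every repository; the signed-by keyring below replaces it.
# Skipped on Debian 13+ (presumably because apt-key is gone there - confirm).
- name: "remove legacy key from apt-key"
  ansible.builtin.apt_key:
    id: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88"
    state: absent
  when: ansible_distribution_major_version is version('13', '<') or ansible_distribution != "Debian"
  tags: docker

# Created before the key is downloaded so the key can be staged here.
# This task previously carried an unrelated name and no "docker" tag, so a
# run limited to --tags docker skipped it and the dearmor step could fail on
# hosts without /etc/apt/keyrings.
- name: "make sure /etc/apt/keyrings exists"
  ansible.builtin.file:
    path: "/etc/apt/keyrings"
    state: directory
    owner: root
    group: root
    mode: "0755"
  tags: docker

# The armored key is staged in the root-owned keyrings directory rather than
# in world-writable /dev/shm. get_url does not download when dest already
# exists (force defaults to false), so a file placed at a predictable path in
# a shared directory by any local user would have been taken as the
# repository's trust anchor. apt only uses keys named in signed-by, so the
# extra .asc file is inert.
# NOTE(review): the key is trusted on the strength of TLS alone; it is not
# compared against a known fingerprint or checksum.
- name: "download modern signature key"
  ansible.builtin.get_url:
    url: "https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg"
    dest: "/etc/apt/keyrings/docker.asc"
    owner: root
    group: root
    mode: "0644"
  changed_when: false
  tags: docker

# argv form: no shell and no pipe. "creates" keeps the step idempotent, which
# also means an existing docker.gpg is never refreshed by this role.
# NOTE(review): the mode of docker.gpg follows the umask of the become user;
# apt needs the keyring to be world-readable.
- name: "install modern signature key"
  ansible.builtin.command:
    argv:
      - gpg
      - --dearmor
      - --output
      - /etc/apt/keyrings/docker.gpg
      - /etc/apt/keyrings/docker.asc
    creates: "/etc/apt/keyrings/docker.gpg"
  tags: docker

# signed-by scopes the Docker key to this repository only.
- name: "repository file"
  ansible.builtin.copy:
    content: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable\n"
    dest: "/etc/apt/sources.list.d/docker.list"
    mode: "0644"
  register: repo
  tags: docker

- name: "apt pin docker-ce* version"
  ansible.builtin.copy:
    content: |
      Package: docker-ce*
      Pin: version 5:{{ docker_pinned }}
      # Note: priority of 1001 (greater than 1000) allows for downgrading.
      # To make package downgrading impossible, use a value of 999
      Pin-Priority: 1001
    dest: "/etc/apt/preferences.d/docker"
    mode: "0644"
  when: docker_pinned is defined
  tags: docker

- name: "apt make sure that docker-ce version is not pinned"
  ansible.builtin.file:
    path: "/etc/apt/preferences.d/docker"
    state: absent
  when: docker_pinned is undefined
  tags: docker

- name: "refresh apt if repo was modified"
  ansible.builtin.apt:
    update_cache: true
  when: repo.changed
  tags: docker

- name: "apt install docker-ce (not pinned)"
  ansible.builtin.apt:
    name: "docker-ce"
  when: docker_pinned is undefined
  tags: docker

# With the pin file above in place, "latest" is what moves the package to the
# pinned version.
- name: "apt install docker-ce (pinned)"
  ansible.builtin.apt:
    name: "docker-ce"
    state: latest
    install_recommends: true
  when: docker_pinned is defined
  tags: docker

- name: "docker compose v2 package"
  ansible.builtin.apt:
    name: "docker-compose-plugin"
  tags: docker

- name: "stat /usr/local/bin/docker-compose"
  ansible.builtin.stat:
    path: /usr/local/bin/docker-compose
  register: docker_compose_binary
  when:
    - docker_compose
    - docker_compose_version == "latest"
  tags: docker

# Queried once from the control node, without privilege escalation.
# NOTE(review): combined with run_once, the per-host stat condition is
# presumably evaluated for the first host only; if the task is skipped there,
# URL.json is missing for the other hosts as well - verify.
- name: "docker-compose: get the latest download link on github"
  ansible.builtin.uri:
    url: https://api.github.com/repos/docker/compose/releases/latest
    return_content: true
  check_mode: false
  register: URL
  delegate_to: localhost
  become: false
  run_once: true
  when:
    - docker_compose
    - docker_compose_version == "latest"
    - >-
      docker_compose_binary.stat.exists
      and ( docker_compose_update_now == "true" or global_update_now == "true" )
      or not docker_compose_binary.stat.exists
  tags: docker

# curl -s https://api.github.com/repos/docker/compose/releases/latest | jq -r '.assets[] | select(.name == "docker-compose-linux-x86_64") | .browser_download_url'
# NOTE(review): the binary is placed on root's PATH with no checksum
# verification; integrity rests on TLS to the download host. get_url accepts
# a "checksum" parameter if a published digest is available.
- name: "latest docker compose installation"
  ansible.builtin.get_url:
    url: "{{ URL.json | json_query(params) | first }}"
    dest: "/usr/local/bin/docker-compose"
    force: true
    mode: "0755"
  vars:
    params: "assets[?name=='docker-compose-linux-x86_64'].browser_download_url"
  when:
    - docker_compose
    - docker_compose_version == "latest"
    - ( docker_compose_update_now == "true" or global_update_now == "true" ) or not docker_compose_binary.stat.exists
  tags: docker

# NOTE(review): same as above - no checksum is verified for this download.
- name: "docker compose version {{ docker_compose_version }} installation"
  ansible.builtin.get_url:
    url: "https://github.com/docker/compose/releases/download/{{ docker_compose_version }}/docker-compose-linux-x86_64"
    dest: "/usr/local/bin/docker-compose"
    force: true
    mode: "0755"
  when:
    - docker_compose
    - docker_compose_version != "latest"
  tags: docker

# systemd-container provides machinectl, the become method used by the
# non-root docker login task at the end of this file.
- name: "install dependencies when docker_user is not root"
  ansible.builtin.apt:
    name:
      - systemd-container
  when: docker_user != "root"
  tags: docker

# Membership of the docker group gives access to the daemon socket, which is
# root-equivalent on a rootful daemon; only add accounts trusted at that level.
- name: "make sure that {{ docker_user }} is a member of docker group"
  ansible.builtin.user:
    name: "{{ docker_user }}"
    groups:
      - docker
    append: true
  when: docker_user != "root"
  tags: docker

- name: "setting up docker daemon as non-root"
  ansible.builtin.import_tasks: docker-rootless.yml
  when: docker_rootless
  tags: docker

# no_log: every loop item carries the registry password, and Ansible prints
# the loop item with each result. Failure details are censored as well.
- name: "docker login user root to remote registry"
  community.docker.docker_login:
    registry_url: "{{ item.url }}"
    username: "{{ item.username }}"
    password: "{{ item.password }}"
  no_log: true
  loop: "{{ docker_registry_login }}"
  when:
    - docker_registry_login is defined
    - docker_user == "root"
  tags: docker

# Same login, run as docker_user through machinectl.
# no_log for the same reason as above: the loop items contain the password.
- name: "docker login user {{ docker_user }} to remote registry"
  remote_user: root
  become: true
  become_method: community.general.machinectl
  become_user: "{{ docker_user }}"
  vars:
    ansible_ssh_pipelining: false  # https://github.com/ansible/ansible/issues/81254
  community.docker.docker_login:
    registry_url: "{{ item.url }}"
    username: "{{ item.username }}"
    password: "{{ item.password }}"
  no_log: true
  loop: "{{ docker_registry_login }}"
  when:
    - docker_registry_login is defined
    - docker_user != "root"
  tags: docker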