Initial commit on public

ansible/roles/docker-container/.gitignore

+.idea
\ No newline at end of file

ansible/roles/docker-container/.gitlab-ci.yml

+---
+stages:
+  - update_docs
+  - check
+
+ci_job_update_docs:
+  stage: update_docs
+  only:
+    - master
+  script:
+    - "rm -r ${CI_PROJECT_DIR%$CI_PROJECT_PATH}x-collection/docs || true"
+    - "git clone ssh://git@gitlab.xlab.si:13022/x-collection/docs.git ${CI_PROJECT_DIR%$CI_PROJECT_PATH}x-collection/docs"
+    - "make -C ${CI_PROJECT_DIR%$CI_PROJECT_PATH}x-collection/docs/ update-version commit-version"
+
+ci_job_qa_check:
+  stage: check
+  only:
+    - master
+  before_script:
+    - "rm -r ${CI_PROJECT_DIR%$CI_PROJECT_PATH}x-collection/tools/release-scripts || true"
+    - "git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.xlab.si/x-collection/tools/release-scripts.git ${CI_PROJECT_DIR%$CI_PROJECT_PATH}x-collection/tools/release-scripts"
+  script:
+    - make qa-check

ansible/roles/docker-container/.qaconfig

+ANSIBLE_FILES_PATH_MATCH="*/tasks/*"
\ No newline at end of file

ansible/roles/docker-container/CHANGELOG.md

+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
+and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [1.5.0] - 2019-12-06
+### Added
+- ability to specify restart policies for containers (not yet swarm services)
+
+## [1.4.0] - 2019-07-02
+### Changed
+- Add option to use local image for docker container
+
+## [1.3.3] - 2019-06-12
+
+## [1.3.2] - 2019-06-07
+### Fixed
+- tasks that accept arrays will work properly with empty arrays
+
+## [1.3.1] - 2019-04-17
+
+## [1.3.0] - 2019-04-16
+
+## [1.2.2] - 2019-04-16
+
+## [1.2.1] - 2019-04-16
+### Fixed
+- Fix setting dns variable in provision.
+
+## [1.2.0] - 2019-02-25
+
+## [1.1.1] - 2019-01-07
+### Fixed
+- Fix QA issues.
+
+## [1.1.0] - 2019-01-04
+### Changed
+- Change repo path
+- QA task taken from RS
+
+## [1.0.1] - 2018-11-19
+### Fixed
+- Fixed invalid reference format
+
+## [1.0.0] - 2018-11-19
+### Added
+- QA integration
+- Swarm configuration
+
+## [0.0.1] - 2018-11-14
+### Added
+- Initial release

ansible/roles/docker-container/MANIFEST

+VERSION=v1.5.0
+SERVICE=docker-container
\ No newline at end of file

ansible/roles/docker-container/Makefile

+-include ../../../tools/release-scripts/src/MakefileQA

ansible/roles/docker-container/README.md

+# Ansible role for deploying docker containers
+This role will pull and run your docker images.
+
+
+## Including into your repository
+This role you can use in your project as subtree:
+`git subtree add --prefix=ansible/roles/docker-container ssh://git@gitlab.xlab.si:13022/x-collection/deployment/ansible-roles/docker-container.git master --squash`
+
+And later you can update it to latest version with following command:
+`git subtree pull --prefix=ansible/roles/docker-container ssh://git@gitlab.xlab.si:13022/x-collection/deployment/ansible-roles/docker-container.git master --squash`
+
+
+## Usage
+Docker service you can run as:
+- `docker`: docker container
+- `swarm`: swarm service
+- `service`: systemd service
+
+
+### Playbook
+In your playbook you define play for `docker-container` role:
+
+```yaml
+- hosts: nexus
+  become: yes
+  pre_tasks:
+    - import_tasks: "{{ ansible_dir }}/globals/vars.yml"
+  roles:
+    - role: docker-container
+      service_name: proxy
+      service_type: 'docker'
+      service_has_config: True
+      service_config_format: cfg
+      service_config_path: /config.cfg
+      service_ports:
+        - "80:80"
+        - "443:443"
+        - "8888:8888"
+      service_image: "{{ images.proxy }}:{{ versions.proxy }}"
+```
+
+In above example we import pre task for setting optional variables:
+- `main_dns`
+- `network`

ansible/roles/docker-container/tasks/certs/ca_cert.yml

+---
+- name: check if ca cert secret already exists
+  command: docker secret inspect ca-cert-sec
+  register: ca_cert_exists
+  ignore_errors: True
+
+- name: remove ca cert secret if it already exists
+  command: docker secret rm ca-cert-sec
+  when: ca_cert_exists is succeeded
+
+- name: create ca cert secret
+  command: docker secret create ca-cert-sec {{ ca_cert_path }}

ansible/roles/docker-container/tasks/certs/cert.yml

+---
+- name: check if cert-sec secret already exists
+  command: docker secret inspect cert-sec
+  register: cert_exists
+  ignore_errors: True
+
+- name: remove cer-sec secret if it already exists
+  command: docker secret rm cert-sec
+  when: cert_exists is succeeded
+
+- name: create cert-sec secret
+  command: docker secret create cert-sec {{ cert_path }}
+
+- name: check if key secret already exists
+  command: docker secret inspect cert-key-sec
+  register: key_exists
+  ignore_errors: True
+
+- name: remove key secret if it already exists
+  command: docker secret rm cert-key-sec
+  when: key_exists is succeeded
+
+- name: create key secret
+  command: docker secret create cert-key-sec {{ cert_key_path }}

ansible/roles/docker-container/tasks/configs/copy_config.yml

+---
+- name: create config path
+  become: yes
+  file:
+    path: "{{ service_config_dir }}"
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+
+- name: copy config template to remote host
+  template:
+    src: "{{ ansible_dir }}/../config/{{ service_name }}.{{ service_config_format }}.j2"
+    dest: "{{ service_config_dir }}/{{ service_name_altered }}.{{ service_config_format }}"
+    mode: 0644
+  register: config_changed

ansible/roles/docker-container/tasks/configs/copy_configs.yml

+---
+- name: create config dirs
+  become: yes
+  file:
+    path: "{{ service_config_dir }}/{{ service_name_altered }}{{ item.path | dirname }}"
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+  with_items: "{{ service_configs }}"
+
+- name: copy configs templates to remote host
+  template:
+    src: "{{ ansible_dir }}/../config/{{ service_name }}{{ item.path }}.j2"
+    dest: "{{ service_config_dir }}/{{ service_name_altered }}{{ item.path }}"
+    mode: "{{ '0644' if item.permissions is not defined else item.permissions }}"
+  with_items: "{{ service_configs }}"

ansible/roles/docker-container/tasks/configs/secret.yml

+---
+- name: check if config secret already exists
+  command: docker secret inspect {{ service_name_altered }}-config
+  register: secret_exists
+  ignore_errors: True
+
+- name: remove secret if it already exists
+  command: docker secret rm {{ service_name_altered }}-config
+  when: secret_exists is succeeded and config_changed.changed
+
+- name: create secret from service config file
+  command: docker secret create {{ service_name_altered }}-config {{ service_config_dir }}/{{ service_name_altered }}.{{ service_config_format }}
+  when: secret_exists is failed or config_changed.changed

ansible/roles/docker-container/tasks/configs/secrets.yml

+---
+
+- name: remove secrets if it already exists
+  command: docker secret rm {{ service_name_altered }}-{{ item.id }}
+  ignore_errors: true
+  with_items: "{{ service_configs }}"
+
+- name: create secrets from service config files
+  command: docker secret create {{ service_name_altered }}-{{ item.id }} {{ service_config_dir }}/{{ service_name_altered }}{{ item.path }}
+  with_items: "{{ service_configs }}"

ansible/roles/docker-container/tasks/docker.yml

+---
+- import_tasks: facts/container.yml
+
+- name: Check if {{ service_name_altered }} already running
+  command: docker inspect {{ service_name_altered }}
+  register: service_running
+  ignore_errors: true
+
+- meta: end_play
+  when: no_restart is defined and no_restart and not force_restart and service_running is succeeded and service_running.stdout == 'running'
+
+- name: If {{ service_name_altered }} already running, remove it
+  command: docker rm -f {{ service_name_altered }}
+  when: service_running is succeeded
+
+- name: Run service {{ service_name_altered }}
+  command: docker run -d {{ start_args }}
+  when: run_to_completion is undefined or run_to_completion is defined and not run_to_completion
+
+- name: Run and check result {{ service_name_altered }}
+  command: docker run --rm {{ start_args }}
+  register: service_run_result
+  when: run_to_completion is defined and run_to_completion

ansible/roles/docker-container/tasks/facts/common.yml

+---
+- name: set logger variables when service uses bunyan logger
+  set_fact: log_arg="-e BUNYAN_LOG_PREFIX={{ service_name_altered }} -e BUNYAN_LOG_LEVEL={{ service_log_level }}"
+  when: service_bunyan_logger is defined and service_bunyan_logger
+
+- name: set logger variables to empty when service doesn't use bunyan logger
+  set_fact: log_arg=""
+  when: service_bunyan_logger is not defined or not service_bunyan_logger
+
+- name: set environment vars for run command
+  set_fact: env_arg="{{ '-e ' ~ service_env_vars | join(' -e ') + ' ' + log_arg}}"
+  when: service_env_vars is defined and service_env_vars | length > 0
+
+- name: set environment vars arg to log_arg when service doesn't need custom environment variables
+  set_fact: env_arg={{ log_arg }}
+  when: service_env_vars is not defined or service_env_vars  | length == 0
+
+- name: Set port argument to empty when service doesn't need exposed ports
+  set_fact: port_arg=""
+  when: service_ports is not defined or service_ports | length == 0
+
+- name: Set port argument for run command
+  set_fact: port_arg="{{ '-p ' ~ service_ports | join(' -p ') }}"
+  when: service_ports is defined and service_ports | length > 0
+
+- name: Set sys admin to empty
+  set_fact: sys_admin_arg=""
+  when: sys_admin is not defined or not sys_admin
+
+- name: Set sys admin if it is
+  set_fact: sys_admin_arg="--cap-add SYS_ADMIN "
+  when: sys_admin is defined and sys_admin
+
+- name: Set external dns command to empty
+  set_fact: external_dns_arg=""
+  when: external_dns is not defined or not external_dns
+
+- name: Set external dns command if service requires it
+  set_fact: external_dns_arg="--dns 8.8.8.8"
+  when: external_dns is defined and external_dns
+
+- name: Set default dns arg
+  set_fact: dns_arg="--dns=172.17.0.1 "
+  when: main_dns is not defined or not main_dns
+
+- name: Set dns arg
+  set_fact: dns_arg="{{ '--dns=' ~ main_dns }}"
+  when: main_dns is defined
+
+- name: Set network arg to empty
+  set_fact: network_arg=""
+  when: network is not defined
+
+- name: Set network arg
+  set_fact: network_arg="{{ '--network ' ~ docker_network }}"
+  when: attach_to_network is defined and attach_to_network
+
+- name: set mounts argument to empty
+  set_fact: mount_arg=""
+  when: service_mounts is not defined or service_mounts | length == 0
+
+- name: Set mounts arguments if defined
+  set_fact: mount_arg="{{ '-v ' ~ service_mounts | join(' -v ') }}"
+  when: service_mounts is defined and service_mounts | length > 0
+
+- name: Set mounts arguments using extended syntax if defined
+  set_fact: mount_ext_arg="{{ '--mount ' ~ service_mounts_extended | join(' --mount ') }}"
+  when: service_mounts_extended is defined and service_mounts_extended | length > 0
+
+- name: set extended mounts argument to empty
+  set_fact: mount_ext_arg=""
+  when: service_mounts_extended is not defined or service_mounts_extended | length == 0

ansible/roles/docker-container/tasks/facts/container.yml

+---
+- name: Set mount config argument to empty
+  set_fact: mount_config_arg=""
+
+- name: Set mount config argument for run command
+  set_fact: mount_config_arg="-v {{ service_config_dir }}/{{ service_name_altered }}.{{ service_config_format }}:{{ service_config_path }}:ro"
+  when: service_has_config  is defined and service_has_config
+
+- name: set mount config argument for configs {{ service_name_altered }}
+  set_fact: >
+            mount_config_arg="{{ mount_config_arg }}
+            -v {{ service_config_dir }}/{{ service_name_altered }}{{ item.path }}:{{ item.path }}:{{ 'ro' if item.mount_mode is not defined else item.mount_mode }}"
+  when: service_has_configs is defined and service_has_configs
+  with_items: "{{ service_configs }}"
+
+- name: set restart policy arg to empty
+  set_fact: restart_arg=""
+
+- name: set restart policy arg if service needs it
+  set_fact: restart_arg="--restart {{ restart_policy }}"
+  when: restart_policy is defined
+
+- name: set max retries if using on-failure restart policy
+  set_fact: restart_arg="{{ restart_arg }}:{{ max_retries }}"
+  when: restart_policy is defined and restart_policy == 'on-failure' and max_retries is defined
+
+- name: Pull {{ service_image }} image before running
+  command: docker pull {{ service_image }}
+  when: service_use_local_image is not defined or not service_use_local_image
+
+- name: Set docker service start arguments
+  set_fact: >
+            start_args="--name {{ service_name_altered }} {{ port_arg }} {{ mount_config_arg }} {{ mount_arg }}
+            {{ mount_ext_arg}} {{ sys_admin_arg }} {{ env_arg }} {{ dns_arg }} {{ external_dns_arg }}  {{ network_arg }}
+            {{ restart_arg }} -e SERVICE_NAME={{ service_name_altered }} {{ service_image }}"

ansible/roles/docker-container/tasks/main.yml

+---
+- meta: end_play
+  when: dev_service is defined and dev_service and (dev_mode is not defined or not dev_mode)
+
+- name: set altered service name as default
+  set_fact: service_name_altered="{{ service_name }}"
+
+- name: set prefix to altered service name
+  set_fact: service_name_altered="{{ service_prefix }}{{ service_name_altered }}"
+  when: service_prefix is defined
+
+- name: set psotfix to altered service name
+  set_fact: service_name_altered="{{ service_name_altered }}{{ service_postfix }}"
+  when: service_postfix is defined
+
+- import_tasks: configs/copy_config.yml
+  when: service_has_config is defined and service_has_config
+
+- import_tasks: configs/copy_configs.yml
+  when: service_has_configs is defined and service_has_configs
+
+- import_tasks: facts/common.yml
+
+- import_tasks: service.yml
+  when: service_type is defined and service_type == 'service'
+
+- import_tasks: docker.yml
+  when: service_type is defined and service_type == 'docker'
+
+- import_tasks: swarm.yml
+  when: service_type is undefined or service_type == 'swarm'

ansible/roles/docker-container/tasks/service.yml

+---
+- import_tasks: facts/container.yml
+
+- name: Check if {{ service_name_altered }} already running
+  command: docker inspect {{ service_name_altered }}
+  register: service_running
+  ignore_errors: true
+
+- meta: end_play
+  when: no_restart is defined and no_restart and not force_restart and service_running is succeeded and service_running.stdout == 'running'
+
+- name: If {{ service_name_altered }} already running, remove it
+  command: docker rm -f {{ service_name_altered }}
+  when: service_running is succeeded
+
+- name: Add systemd unit for {{ service_name_altered }}
+  template:
+    src: "systemd.service.j2"
+    dest: "/etc/systemd/system/docker-{{ service_name_altered }}.service"
+    owner: root
+    group: root
+    mode: 0644
+  register: docker_unit
+
+
+- name: Start systemd service {{ service_name_altered }}
+  systemd: "name=docker-{{ service_name_altered }} state=started enabled=yes daemon_reload=yes"
+  when: (docker_unit|changed)
+
+# - name: Restart systemd service {{ service_name_altered }}
+#  systemd: "name=docker-{{ service_name_altered }} state=restarted enabled=yes daemon_reload=yes"
+#  when: (docker_unit|changed)
+
+- name: explictly enable ip forwarding
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: 1
+    sysctl_set: yes
+    state: present
+    reload: yes

ansible/roles/docker-container/tasks/swarm.yml

+---
+- name: Check if service {{ service_name_altered }} already exists
+  command: docker service inspect {{ service_name_altered }}
+  register: service_exists
+  ignore_errors: True
+
+- meta: end_play
+  when: no_restart is defined and no_restart and not force_restart and service_exists is succeeded
+
+- name: If {{ service_name_altered }} already running, remove it
+  command: docker service rm {{ service_name_altered }}
+  when: service_exists is succeeded
+
+- import_tasks: configs/secret.yml
+  when: service_has_config is defined and service_has_config
+
+- import_tasks: configs/secrets.yml
+  when: service_has_configs is defined and service_has_configs
+
+- name: Set secret config argument to empty
+  set_fact: secret_config_arg=""
+
+- name: Set secret config argument for 1 secret
+  set_fact: secret_config_arg="--secret source={{ service_name_altered }}-config,target={{ service_config_path }}"
+  when: service_has_config is defined and service_has_config
+
+- name: Set secret config argument for multiple secrets
+  set_fact: secret_config_arg="{{ secret_config_arg }} --secret source={{ service_name_altered }}-{{ item.id }},target={{ item.path }}"
+  when: service_has_configs is defined and service_has_configs
+  with_items: "{{ service_configs }}"
+
+- name: set service versions file mount argument to empty if service is not service versions
+  set_fact: versions_arg=""
+
+- name: set service versions file mount argument
+  set_fact: versions_arg="--secret source=service-versions,target={{ service_versions_path }}"
+  when: serve_versions is defined and serve_versions
+
+- name: Run swarm service {{ service_name_altered }}
+  command: >
+           docker service create --name {{ service_name_altered }} {{ port_arg }} {{ versions_arg }}
+           {{ mount_arg }} {{ secret_config_arg }} {{ env_arg }} {{ external_domain_arg }}
+           {{ dns_arg }} {{ external_dns_arg }} {{ network_arg }} --network bridge --with-registry-auth --update-monitor 1s {{ service_image }}

ansible/roles/docker-container/tasks/templates/systemd.service.j2

+[Unit]
+Description={{service_name_altered}}
+Requires=docker.service
+After=docker.service
+
+[Service]
+Restart=always
+RestartSec=30s
+ExecStartPre=-/usr/bin/docker kill {{service_name_altered}}
+ExecStartPre=-/usr/bin/docker rm -f {{service_name_altered}}
+ExecStart=/bin/sh -c "/usr/bin/docker run \
+{{ start_args.split(" -v") | join(' \\\n -v') }} \
+> /dev/null"
+ExecStop=/usr/bin/docker stop -t 60 {{service_name_altered}}
+
+[Install]
+WantedBy=default.target
+