Some modernization / updates / cleanup (#4)

- Updated to use version 3.0 of docker rotate
- Changed install of python deps to happen in a single "pip" step using a requirements file;
otherwise separate pip steps might result in unwanted versions of those dependencies.
- Added support for logging into docker registries, based on config variable.
- Changed pre-pull of packages to use a config variable, not a hardcoded list.
- Updated to do log rotation by size, not time; use built-in Docker rotation for Docker v1.8+
- Removed step that installed inotify-tools.
- Detect docker version instead of relying on "docker_version" variable.
TIL-2663

Author: ostacey

CHANGES.md

@@ -1,7 +1,16 @@
 # Release Change Log
+Version 3.0:
+ - use version 3.0+ of docker rotate
+ - install docker-py, docker-compose, and dockerrotate in a single pip command to avoid
+   them stepping on each other version-wise
+ - log into Docker registries according to config variable.
+ - pre-pull packages according to config variable, not hardcoded list.
+ - do log rotation by size, not by time; use Docker's build-in rotation for Docker version 1.8+
+ - no longer install inotify-tools
+
 Version 2.3:
  - Update 'clear-zombie' script
- 
+
 Version 2.2:
  - restart docker with new config before prefetching images
 

README.md

@@ -1,31 +1,62 @@
-docker base
-===========
+# docker base
 
 This role installs baseline needs for machines running Docker, beyond the Docker Engine itself,
 including:
 
  -  Requirements for running Ansible's `docker` module
- -  Requirements for running Docker containers via `upstart` (optional)
  -  Utilities for garbage collecting unused Docker resources
  -  Customized configurations of the Docker Engine
- -  Installs docker-compose
+ -  Installs docker-compose (optional)
  -  Pulls some common images that we anticipate using in many circumstances
 
-Role Variables
---------------
+## Role Variables
 
 This role expects the following variables:
 
- -  `docker_log_rotate_interval` controls the frequency of Docker log rotation
- -  `docker_log_rotate_count` controls the number of Docker logs to retain
- -  `docker_uses_upstart` defines whether `upstart` support will be installed
- -  `docker_py_version` defines the version of the Docker Python library being used
- -  `docker_compose_version` defines the version of docker-compose to install (defaults to newest)
-
-Note that certain versions of the Docker Engine and Docker Python library are incompatible.
-
-
-Dependencies
-------------
-
-Depends on `docker` and `python`
+ - `docker_py_version` defines the version of the Docker Python library to install, may be
+   "latest", default 1.9.0
+ - `docker_rotate_version` defines the version of the Docker Rotate library to install, default 3.0
+ - `docker_compose_version` defines the version of Docker Compose to install, may be "latest",
+   default 1.8.0. To skip installation of docker_compose, specify `null` or `""`
+ - `docker_rotate_images_arguments`: arguments to pass to "docker-rotate images" when cleanup cron
+   job runs. If blank, job will not be run. Default is "--keep 3 --name ~busybox --tag ~latest".
+   For documentation, see the
+   [docker rotate github page](https://github.com/locationlabs/docker-rotate)
+ - `docker_rotate_untagged_images`: if True, then untagged images will be periodically cleaned up.
+   Default False
+ - `docker_rotate_exited_containers`: if non-empty, exited containers at least this old will be
+   removed when daily cleanup runs. Default 1h.
+   `docker_rotate_created_containers`: if non-empty, created containers - that is, containers that
+   have been created but never started - at least this old will be removed when daily cleanup runs.
+   Default is empty.
+ - `docker_log_rotate_max_size`: Docker's JSON logs for containers will be rotated when they reach
+   this size. Default 10M.
+ - `docker_log_rotate_count`: log files will be rotated this number of times before removal.
+ - `docker_images_to_pull`: list of Docker images; images with these names will be "docker pull"ed
+   when the role is run. Default is empty.
+ - `docker_registries_to_login`: list of maps, each map containing login credentials for a Docker
+   registry. Expected keys are `username`, `password`, `email`, and `url`. The role will attempt to
+   log into each registry described in the list. Default is empty.
+
+Example for `docker_registries_to_login`:
+
+    docker_registries_to_login:
+      - username: foo
+        password: foopwd
+        email: [email protected]
+        url: https://registry.foo.com
+
+### Docker version notes
+Note that certain versions of the Docker Engine and Docker Python library are incompatible. Note
+also that the Ansible "docker" module has compatibility issues.
+
+Specifically:
+ - `docker-py` version 1.1.0 is the highest version that works with `docker` 1.5.0
+ - `docker-py` version 1.2.3 is the highest version that works with the `docker` module in
+   Ansible < 2.0.
+
+## Dependencies
+In order to run this role:
+ - python and pip must be installed.
+ - docker engine must be installed. For a role that installs docker engine, see
+   [here](https://github.com/locationlabs/ansible-role_docker)

defaults/main.yml

@@ -1,17 +1,6 @@
 ---
 
-# Should upstart be used to manage Docker containers?
-#
-# If upstart is not used, Docker containers should be run with
-# the "always" restart policy.
-#
-# If upstart is used, some extra dependencies will be required
-# (e.g. inotify-tools)
-
-docker_uses_upstart: yes
-
-
-# Version of docker-py library to use.
+# Version of docker-py library to use. "latest" to install the latest version.
 #
 # The 1.1.0 version is the most recent version that works with Docker 1.5.0;
 # it has also been shown to work with newer Docker versions (including 1.8.1).
@@ -21,31 +10,53 @@ docker_uses_upstart: yes
 #
 # Versions after 1.2.3 stopped working with the current Ansible docker module
 # (as of Ansible 1.9.2).
+docker_py_version: "1.9.0"
 
-docker_py_version: 1.2.3
-
+# Version of docker-compose to use.
+# 'latest' to install the newest version, null or empty string to install nothing.
+docker_compose_version: "1.8.0"
 
-# Version of docker-rotate to use.
+# Version of docker-rotate to use. Versions lower than 3.0 are not supported due
+# to API changes.
 #
 # https://github.com/locationlabs/docker-rotate
-docker_rotate_version: 2.0.1
+docker_rotate_version: "3.0"
 
+# These properties govern Docker Rotate configuration. https://github.com/locationlabs/docker-rotate
 
-# Python regex of image names to remove. Use a '~' prefix for negative match.
-#
-# https://github.com/locationlabs/docker-rotate
-docker_rotate_containers_images_regex: ~busybox
+# Arguments to pass to "docker-rotate images" - pass False or empty string to not call command at
+# all .
+docker_rotate_images_arguments: "--keep 3 --name ~busybox --tag ~latest"
 
-# Log rotate interval. Log files will be rotated after this interval.
+# Should docker-rotate remove untagged images?
+docker_rotate_untagged_images: True
 
-docker_log_rotate_interval: "daily"
+# How long should docker-rotate retain exited containers? Specify a duration to keep containers
+# that long, "0" to remove them immediately, or an empty string to skip cleanup.
+docker_rotate_exited_containers: "1h"
 
+# How long should docker-rotate retain "created" containers? Specify a duration to keep containers
+# that long, "0" to remove them immediately, or an empty string to skip cleanup.
+# Note that old-style "data" containers are in the "created" state.
+docker_rotate_created_containers: ""
 
-# Log files are rotated <log_rotate_count>  times  before  being  removed. 
-# If count is 0, old versions are removed rather then rotated.
+# In Docker <1.8, log rotation is implemented using logrotate; in Docker 1.8+, default Docker
+# settings are used.
+
+# log rotation max size. Log files will rotate when they reach this size.
+docker_log_rotate_max_size: 10M
 
+# Log files are rotated <log_rotate_count> times before being removed.
+# If count is 0, old versions are removed rather then rotated.
 docker_log_rotate_count: 3
 
-# Version of docker-compose to use.
-# 'latest' to install the newest version
-docker_compose_version: latest
+# List of docker images to pull (at latest version) when role is run.
+docker_images_to_pull: []
+
+# list of Docker registries to log in to; this is a list of dicts, eg:
+# docker_registries_to_login:
+#   - username: foo
+#     password: foopwd
+#     email: [email protected]
+#     url: https://registry.foo.com
+docker_registries_to_login: []

tasks/main.yml

@@ -1,43 +1,70 @@
 ---
 
-- name: install inotify-tools
-  apt: pkg=inotify-tools force=yes
-  when: docker_uses_upstart
+# The role knows how to write docker_rotate commands for the version 3.0 API, not for earlier
+# versions. 
+- name: check minimum docker_rotate version
+  fail: msg="specified docker_rotate version is {{ docker_rotate_version }}, must be at least 3.0"
+  when: "{{ docker_rotate_version | version_compare('3.0', '<') }}"
 
-- name: install docker-py
-  pip: name=docker-py version="{{ docker_py_version }}"
+# Note escaping required here - we need to pass "{{ .Server.Version }}" to Docker without it
+# being escaped by Ansible. However, normal ways of escaping it will result in the command
+# containing that string, and when we register the result the "cmd" field on the result will also
+# contain it. So next time any kind of templating command is run, Ansible will try to resolve
+# template expressions in all of its variables, including that one, and will show an error.
+# Hence this workaround with shell.
+# In Ansible 2.0, they added the "!unsafe" keyword, which may provide a cleaner way to resolve
+# this.
+- name: Verify that docker is installed and determine installed version
+  shell: 'B="{" && docker version -f "$B$B .Server.Version }}"'
+  changed_when: False
+  always_run: True
+  register: docker_version_result
 
-- name: install docker-rotate
-  pip: name=dockerrotate version="{{ docker_rotate_version}}"
+- name: store installed docker version
+  set_fact:
+    installed_docker_version: "{{ docker_version_result.stdout }}"
+
+# install Python packages with pip. These are all included in the same requirements file, so that
+# we can let Pip sort out any inconsistencies between required versions.
+- name: manage python requirements file
+  template: src=requirements.txt.j2 dest=/etc/docker-python.requirements.txt
+
+# note state=latest here; if you want a fixed version, specify it.
+- name: ensure python reqirements are installed
+  pip: state=latest requirements=/etc/docker-python.requirements.txt
 
 - name: install docker-rotate cron script
-  template: src=docker-rotate dest=/etc/cron.daily/ mode=755
+  template: src=docker-rotate.j2 dest=/etc/cron.daily/docker-rotate mode=755
 
 - name: push logrotate config file for docker container json logs
   template: src=logrotate.conf.j2 dest=/etc/logrotate.d/docker
+  when: "{{ installed_docker_version | version_compare('1.8', '<') }}"
+
+- name: make sure docker logrotate config is removed
+  file: state=absent dest=/etc/logrotate.d/docker
+  when: "{{ installed_docker_version | version_compare('1.8', '>=') }}"
 
 - name: install docker zombie volumes cleanup cron script
   copy: src=clear-zombie-docker-data-dirs dest=/etc/cron.daily/ mode=755
 
 - name: push docker configuration
   template: src=docker.j2 dest=/etc/default/docker
+  register: docker_config_result
   notify: restart docker
 
-- name: install docker-compose
-  pip:
-    name: docker-compose
-    state: "{{ (docker_compose_version == 'latest') | ternary('latest', 'present') }}"
-    version: "{{ (docker_compose_version == 'latest') | ternary(omit, docker_compose_version) }}"
-  when: docker_compose_version is defined
-
 # make sure docker restarts to get the newest configuration
 - meta: flush_handlers
 
+- name: gather docker facts
+  setup:
+  when: "{{ ansible_docker0 is not defined or docker_config_result | changed }}"
+
 - name: pull useful images for future use
   command: docker pull {{ item }}
-  register: docker_result
+  register: docker_pull_result
   changed_when: '"Downloaded newer image for" in docker_result.stdout'
-  with_items:
-    - busybox
-    - ubuntu-debootstrap:14.04
+  with_items: "{{ docker_images_to_pull }}"
 
+- name: login to docker registry
+  command: "docker login -u {{ item.username }} -p {{ item.password }} -e {{ item.email }} {{ item.url }}"
+  with_items: "{{ docker_registries_to_login }}"

templates/docker-rotate

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+{% if docker_rotate_images_arguments | bool %}
+docker-rotate images {{ docker_rotate_images_arguments }}
+{% endif %}
+
+{% if docker_rotate_untagged_images %}
+docker-rotate untagged-images
+{% endif %}
+
+{% if docker_rotate_exited_containers != "" %}
+docker-rotate containers --exited {{ docker_rotate_exited_containers }}
+{% endif %}
+
+{% if docker_rotate_created_containers != "" %}
+docker-rotate containers --created {{ docker_rotate_created_containers }}
+{% endif %}

templates/docker-rotate.j2

@@ -1,15 +1,9 @@
 # Docker Upstart and SysVinit configuration file
 
-# Customize location of Docker binary (especially for development testing).
-#DOCKER="/usr/local/bin/docker"
-
-# Use DOCKER_OPTS to modify the daemon startup options.
-#DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4"
-{% if docker_opts is defined %}
-DOCKER_OPTS="{{ docker_opts }}"
-{% endif %}
-# If you need Docker to use an HTTP proxy, it can also be specified here.
-#export http_proxy="http://127.0.0.1:3128/"
-
-# This is also a handy place to tweak where Docker's temporary files go.
-#export TMPDIR="/mnt/bigdrive/docker-tmp"
+DOCKER_OPTS="
+   {% if docker_opts is defined %}
+      {{ docker_opts }}
+   {%- endif %}
+   {% if docker_version | version_compare('1.8', '>=') -%}
+      --log-opt max-size={{ docker_log_rotate_max_size }} --log-opt max-file={{ docker_log_rotate_count }}
+   {%- endif %}"

templates/docker.j2

@@ -1,5 +1,5 @@
 /var/lib/docker/containers/*/*-json.log {
-    {{ docker_log_rotate_interval }}
+    size {{ docker_log_rotate_max_size }}
     rotate {{ docker_log_rotate_count }}
     missingok
     compress

templates/logrotate.conf.j2

@@ -0,0 +1,5 @@
+docker-py{{ '' if docker_py_version == 'latest' else ('==' + docker_py_version) }}
+dockerrotate=={{ docker_rotate_version }}
+{% if docker_compose_version is not none and docker_compose_version != '' %}
+docker-compose{{ '' if docker_compose_version == 'latest' else ('==' + docker_compose_version) }}
+{% endif %}