diff --git a/group_vars/all.yml b/group_vars/all.yml
index 6177f58..cc3faa3 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -7,6 +7,18 @@ system_locale: ru_RU.UTF-8
 x11_display_host: "192.168.1.101"
 admin_user: zailon
+# Включить мониторинг Docker для Node Exporter
+enable_docker_monitoring: true
+
+# Безопасные версии пакетов Docker для LXC (чтобы apt upgrade не сломал)
+docker_ce_version: "5:28.2.2-1~ubuntu.{{ ansible_distribution_release }}~noble"
+docker_ce_cli_version: "5:28.2.2-1~ubuntu.{{ ansible_distribution_release }}~noble"
+containerd_io_version: "1.7.28-1~ubuntu.{{ ansible_distribution_release }}~noble"
+runc_safe_version: "1.1.12-0ubuntu3"
+
+# Включить фиксацию версий Docker в LXC
+lxc_docker_pin_enabled: true
+
 # Базовые пакеты для всех серверов
 base_packages:
   - curl
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index e2d9963..cd4b2fa 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -1,6 +1,9 @@
 ---
+# =============================================================================
+# DOCKER
+# =============================================================================
-# ========== Cleanup conflicting Docker repo configs (LXC safety) ==========
+# ========== 1. Cleanup conflicting Docker configs ==========
 - name: Remove conflicting Docker repository files
   file:
     path: "{{ item }}"
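Review bot: The new pins `docker_ce_version`, `docker_ce_cli_version` and `containerd_io_version` put `{{ ansible_distribution_release }}` where Docker's package versions carry the Ubuntu version number and then hard-code `~noble`, so on 24.04 the value renders as `5:28.2.2-1~ubuntu.noble~noble`; as far as I know the published versions look like `5:28.2.2-1~ubuntu.24.04~noble`, so this pin would not match there, and on any other release it cannot match either. Something like `docker_ce_version: "5:28.2.2-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release }}"` (same pattern for the other two) follows the release actually being configured. These variables are also not referenced by the task changes in this diff (the install hunk in roles/docker/tasks/main.yml repeats the literals), and `runc_safe_version` and `lxc_docker_pin_enabled` have no consumer visible here; if they are used in a file outside the diff, a comment naming it would help the next reader.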
@@ -18,23 +21,26 @@
     state: absent
   loop:
     - /etc/apt/keyrings/docker.gpg
+    - /etc/apt/keyrings/docker.asc
     - /usr/share/keyrings/docker-archive-keyring.gpg
     - /usr/share/keyrings/docker.gpg
   become: yes
   tags: [docker, deploy_docker]
-# ========== Fix runc BEFORE Docker install (LXC safety) ==========
-- name: Ensure runc at safe version before Docker install (LXC only)
+- name: Clean apt cache
   apt:
-    name: "runc=1.1.12-0ubuntu3"
-    state: present
-    allow_downgrade: yes
-    allow_change_held_packages: yes
+    clean: yes
   become: yes
   tags: [docker, deploy_docker]
-  when: ansible_virtualization_type in ['lxc', 'container']
-# ========== Install Docker ==========
+- name: Remove apt lists cache
+  file:
+    path: /var/lib/apt/lists
+    state: absent
+  become: yes
+  tags: [docker, deploy_docker]
+
+# ========== 2. Install Docker dependencies ==========
 - name: Install Docker dependencies
   apt:
     name:
@@ -48,6 +54,7 @@
   become: yes
   tags: [docker, deploy_docker]
+# ========== 3. Setup GPG key ==========
 - name: Create keyrings directory
   file:
     path: /etc/apt/keyrings
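Review bot: `Remove apt lists cache` deletes the whole of `/var/lib/apt/lists` on every run, which reports changed each time and discards the metadata of every configured repository, not only Docker's; the `Update apt cache after adding Docker repo` task later in this diff already forces a refresh with `cache_valid_time: 0`, so the removal looks redundant. I would drop the task, or at least guard it so it only runs when the Docker repository file actually changed. The removed `Ensure runc at safe version before Docker install` task was the only consumer of the runc pin, while `group_vars/all.yml` in this diff adds `runc_safe_version`; if the containerd.io ordering further down is meant to replace it, a comment on `Install containerd.io` saying so would record that intent.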
@@ -56,36 +63,61 @@
   become: yes
   tags: [docker, deploy_docker]
-- name: Add Docker GPG key
-  apt_key:
+- name: Download Docker GPG key
+  get_url:
     url: https://download.docker.com/linux/ubuntu/gpg
-    keyring: /etc/apt/keyrings/docker.gpg
-    state: present
+    dest: /etc/apt/keyrings/docker.asc
+    mode: '0644'
+    force: yes
   become: yes
   tags: [docker, deploy_docker]
-- name: Add Docker repository (without cache update)
-  apt_repository:
-    repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
-    filename: docker
-    state: present
-    update_cache: no # ← Важно: не обновлять кэш здесь!
+- name: Dearmor Docker GPG key
+  shell: gpg --dearmor -o /etc/apt/keyrings/docker.gpg /etc/apt/keyrings/docker.asc
+  args:
+    creates: /etc/apt/keyrings/docker.gpg
+  become: yes
+  tags: [docker, deploy_docker]
+
+- name: Set permissions on Docker GPG key
+  file:
+    path: /etc/apt/keyrings/docker.gpg
+    mode: 'a+r'
+  become: yes
+  tags: [docker, deploy_docker]
+
+# ========== 4. Add Docker repository ==========
+- name: Add Docker repository
+  copy:
+    content: |
+      deb [arch={{ ansible_architecture }} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable
+    dest: /etc/apt/sources.list.d/docker.list
+    mode: '0644'
   become: yes
   tags: [docker, deploy_docker]
 - name: Update apt cache after adding Docker repo
   apt:
     update_cache: yes
-    cache_valid_time: 3600
+    cache_valid_time: 0
   become: yes
   tags: [docker, deploy_docker]
-- name: Install Docker packages
+# ========== 5. Install Docker packages ==========
+- name: Install docker-ce and docker-ce-cli first
   apt:
     name:
-      - docker-ce
-      - docker-ce-cli
-      - containerd.io
+      - "docker-ce=5:28.2.2-1~ubuntu.{{ ansible_distribution_release }}~noble"
+      - "docker-ce-cli=5:28.2.2-1~ubuntu.{{ ansible_distribution_release }}~noble"
+    state: present
+    allow_downgrade: yes
+    allow_change_held_packages: yes
+  become: yes
+  tags: [docker, deploy_docker]
+
+- name: Install containerd.io (after docker-ce to preserve runc)
+  apt:
+    name: "containerd.io=1.7.28-1~ubuntu.{{ ansible_distribution_release }}~noble"
     state: present
     allow_downgrade: yes
     allow_change_held_packages: yes
@@ -93,13 +125,7 @@
   notify: restart docker
   tags: [docker, deploy_docker]
-- name: Install Docker Compose plugin
-  apt:
-    name: docker-compose-plugin
-    state: present
-  become: yes
-  tags: [docker, deploy_docker]
-
+# ========== 6. Start Docker and configure user ==========
 - name: Start and enable Docker service
   systemd:
     name: docker
@@ -109,11 +135,21 @@
   become: yes
   tags: [docker, deploy_docker]
-- name: Wait for Docker to start
-  pause:
-    seconds: 5
+- name: Wait for Docker socket to be available
+  wait_for:
+    path: /var/run/docker.sock
+    timeout: 30
   tags: [docker, deploy_docker]
+- name: Add admin user to docker group
+  user:
+    name: "{{ admin_user | default('zailon') }}"
+    groups: docker
+    append: yes
+  become: yes
+  tags: [docker, deploy_docker]
+
+# ========== 7. Verify installation ==========
 - name: Verify Docker installation
   command: docker --version
   register: docker_version
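Review bot: `arch={{ ansible_architecture }}` in the new `Add Docker repository` task renders as `arch=x86_64` (or `aarch64`), not the Debian architecture names `amd64`/`arm64` that the Docker repository publishes, so `apt update` will not find the Packages index where the old hard-coded `amd64` worked; `deb [arch={{ 'amd64' if ansible_architecture == 'x86_64' else 'arm64' if ansible_architecture == 'aarch64' else ansible_architecture }} signed-by=/etc/apt/keyrings/docker.gpg] ...` keeps the generalisation while producing the expected names. The version strings on `docker-ce=...`, `docker-ce-cli=...` and `containerd.io=...` repeat the literals that `group_vars/all.yml` introduces as `docker_ce_version`, `docker_ce_cli_version` and `containerd_io_version`; referencing them (`- "docker-ce={{ docker_ce_version }}"`) leaves one place to bump. `Dearmor Docker GPG key` is guarded by `creates: /etc/apt/keyrings/docker.gpg` while `get_url` uses `force: yes`, so a changed `docker.asc` is re-downloaded but never re-dearmored and the old keyring keeps signing the repository; running the dearmor whenever the download reports changed (or via a handler) keeps the two files in step. The command uses no shell features, so `command:` with `args: creates:` is enough and avoids the shell, and `get_url` without `checksum` means the key's integrity rests solely on the TLS connection to download.docker.com.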
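Review bot: Removing `Install Docker Compose plugin` leaves no visible install of `docker-compose-plugin`, yet the hunk at `@@ -136` still keeps `msg: "Docker Compose version: {{ docker_compose_version.stdout }}"`, so the task that registers `docker_compose_version` (outside this diff) will presumably fail once the plugin is absent on a fresh host. Either keep the plugin install under section 5 or remove the compose verification with it; if the plugin is now pulled in some other way, a comment at the `# ========== 6. Start Docker and configure user ==========` header saying where would stop the next reader from re-adding the task.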
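Review bot: `Add admin user to docker group` makes `{{ admin_user }}` root-equivalent on the host (docker group members control the daemon), and nothing in the task records that this is deliberate; I would put `# NOTE: docker group membership is root-equivalent on this host` above the task so the privilege grant is visible to reviewers. The `default('zailon')` fallback duplicates the value `group_vars/all.yml` already sets for `admin_user` and would silently pick a user if the variable were ever undefined; `name: "{{ admin_user }}"` fails loudly instead. `Wait for Docker socket to be available` only checks that `/var/run/docker.sock` exists, not that the daemon answers, and the `docker --version` verification that follows does not contact the daemon either.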
@@ -136,16 +172,20 @@
     msg: "Docker Compose version: {{ docker_compose_version.stdout }}"
   tags: [docker, deploy_docker]
-# ========== Docker Monitoring Setup ==========
-- name: Setup Docker monitoring
-  block:
-    - name: Create scripts directory
-      file:
-        path: /opt/scripts
-        state: directory
-        mode: '0755'
-      become: yes
+- name: Test Docker with docker ps
+  command: docker ps
+  register: docker_ps_test
+  changed_when: false
+  tags: [docker, deploy_docker]
+- name: Show Docker containers
+  debug:
+    msg: "Docker is working! Containers: {{ docker_ps_test.stdout_lines | default(['none']) }}"
+  tags: [docker, deploy_docker]
+
+# ========== 8. Docker monitoring (optional) ==========
+- name: Setup Docker monitoring for Node Exporter
+  block:
     - name: Deploy Docker metrics script
       copy:
         content: |
@@ -169,33 +209,6 @@
         mode: '0755'
       become: yes
-    - name: Create systemd service for Docker metrics
-      copy:
-        content: |
-          [Unit]
-          Description=Docker metrics script
-          After=docker.service
-          [Service]
-          User=root
-          ExecStart=/opt/scripts/docker_metrics.sh
-        dest: /etc/systemd/system/docker-metrics.service
-        mode: '0644'
-      become: yes
-
-    - name: Create systemd timer for Docker metrics
-      copy:
-        content: |
-          [Unit]
-          Description=Run Docker metrics every 30 seconds
-          [Timer]
-          OnBootSec=1min
-          OnUnitActiveSec=30s
-          [Install]
-          WantedBy=timers.target
-        dest: /etc/systemd/system/docker-metrics.timer
-        mode: '0644'
-      become: yes
-
     - name: Ensure Node Exporter textfile directory exists
       file:
         path: /var/lib/node_exporter/textfile_collector
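Review bot: `Create scripts directory` (`/opt/scripts`) is removed from the block while the following `Deploy Docker metrics script` task is kept; its `dest` lies outside the hunk, but if it still points under `/opt/scripts`, `copy` does not create missing parent directories and the task will fail on a fresh host. The new `Test Docker with docker ps` task has no `become: yes` and runs as the connecting user right after `Add admin user to docker group`; the new group membership does not apply to the already-open connection, so `docker ps` may be refused on the socket unless `become: yes` is added or a `meta: reset_connection` task precedes it.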
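Review bot: The unit files `/etc/systemd/system/docker-metrics.service` and `/etc/systemd/system/docker-metrics.timer` are no longer written by this role, but the hunk at `@@ -205` still runs `systemd: name: docker-metrics.timer` with `enabled: yes` and `state: started`, which fails when the unit does not exist. If the units now come from a template or another role outside this diff, say so in a comment under `# ========== 8. Docker monitoring (optional) ==========`; otherwise the two copy tasks need to stay, or the systemd task should go with them.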
@@ -205,20 +218,12 @@
         mode: '0755'
       become: yes
-    - name: Enable and start Docker metrics timer
+    - name: Enable Docker metrics timer
       systemd:
         name: docker-metrics.timer
         enabled: yes
         state: started
         daemon_reload: yes
       become: yes
-
-    - name: Test Docker metrics script
-      command: /opt/scripts/docker_metrics.sh
-      register: metrics_test
-      changed_when: false
-
-    - name: Show Docker metrics test result
-      debug:
-        var: metrics_test.stdout
-  tags: [docker, deploy_docker, monitoring]
\ No newline at end of file
+  when: enable_docker_monitoring | default(true)
+  tags: [docker, monitoring]
\ No newline at end of file
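Review bot: The block's `tags` change from `[docker, deploy_docker, monitoring]` to `[docker, monitoring]`, so a run limited to `--tags deploy_docker` no longer sets up monitoring even with `enable_docker_monitoring: true`; if that is intended, the section 8 comment should say that monitoring is only applied with the `docker` or `monitoring` tag. Both sides of the hunk end with `\ No newline at end of file`; adding the final newline removes that marker from every future diff of the file.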