Update 2 files

- /roles/docker/tasks/main.yml
- /group_vars/all.yml

group_vars/all.yml

@@ -7,6 +7,18 @@ system_locale: ru_RU.UTF-8
 x11_display_host: "192.168.1.101"
 admin_user: zailon
 
+# Включить мониторинг Docker для Node Exporter
+enable_docker_monitoring: true
+
+# Безопасные версии пакетов Docker для LXC (чтобы apt upgrade не сломал)
+docker_ce_version: "5:28.2.2-1~ubuntu.{{ ansible_distribution_release }}~noble"
+docker_ce_cli_version: "5:28.2.2-1~ubuntu.{{ ansible_distribution_release }}~noble"
+containerd_io_version: "1.7.28-1~ubuntu.{{ ansible_distribution_release }}~noble"
+runc_safe_version: "1.1.12-0ubuntu3"
+
+# Включить фиксацию версий Docker в LXC
+lxc_docker_pin_enabled: true
+
 # Базовые пакеты для всех серверов
 base_packages:
   - curl

roles/docker/tasks/main.yml

@@ -1,6 +1,9 @@
 ---
+# =============================================================================
+# DOCKER
+# =============================================================================
 
-# ========== Cleanup conflicting Docker repo configs (LXC safety) ==========
+# ========== 1. Cleanup conflicting Docker configs ==========
 - name: Remove conflicting Docker repository files
   file:
     path: "{{ item }}"
@@ -18,23 +21,26 @@
     state: absent
   loop:
     - /etc/apt/keyrings/docker.gpg
+    - /etc/apt/keyrings/docker.asc
     - /usr/share/keyrings/docker-archive-keyring.gpg
     - /usr/share/keyrings/docker.gpg
   become: yes
   tags: [docker, deploy_docker]
 
-# ========== Fix runc BEFORE Docker install (LXC safety) ==========
+- name: Clean apt cache
-- name: Ensure runc at safe version before Docker install (LXC only)
   apt:
-    name: "runc=1.1.12-0ubuntu3"
+    clean: yes
-    state: present
-    allow_downgrade: yes
-    allow_change_held_packages: yes
   become: yes
   tags: [docker, deploy_docker]
-  when: ansible_virtualization_type in ['lxc', 'container']
 
-# ========== Install Docker ==========
+- name: Remove apt lists cache
+  file:
+    path: /var/lib/apt/lists
+    state: absent
+  become: yes
+  tags: [docker, deploy_docker]
+
+# ========== 2. Install Docker dependencies ==========
 - name: Install Docker dependencies
   apt:
     name:
@@ -48,6 +54,7 @@
   become: yes
   tags: [docker, deploy_docker]
 
+# ========== 3. Setup GPG key ==========
 - name: Create keyrings directory
   file:
     path: /etc/apt/keyrings
@@ -56,36 +63,61 @@
   become: yes
   tags: [docker, deploy_docker]
 
-- name: Add Docker GPG key
+- name: Download Docker GPG key
-  apt_key:
+  get_url:
     url: https://download.docker.com/linux/ubuntu/gpg
-    keyring: /etc/apt/keyrings/docker.gpg
+    dest: /etc/apt/keyrings/docker.asc
-    state: present
+    mode: '0644'
+    force: yes
   become: yes
   tags: [docker, deploy_docker]
 
-- name: Add Docker repository (without cache update)
+- name: Dearmor Docker GPG key
-  apt_repository:
+  shell: gpg --dearmor -o /etc/apt/keyrings/docker.gpg /etc/apt/keyrings/docker.asc
-    repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
+  args:
-    filename: docker
+    creates: /etc/apt/keyrings/docker.gpg
-    state: present
+  become: yes
-    update_cache: no  # ← Важно: не обновлять кэш здесь!
+  tags: [docker, deploy_docker]
+
+- name: Set permissions on Docker GPG key
+  file:
+    path: /etc/apt/keyrings/docker.gpg
+    mode: 'a+r'
+  become: yes
+  tags: [docker, deploy_docker]
+
+# ========== 4. Add Docker repository ==========
+- name: Add Docker repository
+  copy:
+    content: |
+      deb [arch={{ ansible_architecture }} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable
+    dest: /etc/apt/sources.list.d/docker.list
+    mode: '0644'
   become: yes
   tags: [docker, deploy_docker]
 
 - name: Update apt cache after adding Docker repo
   apt:
     update_cache: yes
-    cache_valid_time: 3600
+    cache_valid_time: 0
   become: yes
   tags: [docker, deploy_docker]
 
-- name: Install Docker packages
+# ========== 5. Install Docker packages ==========
+- name: Install docker-ce and docker-ce-cli first
   apt:
     name:
-      - docker-ce
+      - "docker-ce=5:28.2.2-1~ubuntu.{{ ansible_distribution_release }}~noble"
-      - docker-ce-cli
+      - "docker-ce-cli=5:28.2.2-1~ubuntu.{{ ansible_distribution_release }}~noble"
-      - containerd.io
+    state: present
+    allow_downgrade: yes
+    allow_change_held_packages: yes
+  become: yes
+  tags: [docker, deploy_docker]
+
+- name: Install containerd.io (after docker-ce to preserve runc)
+  apt:
+    name: "containerd.io=1.7.28-1~ubuntu.{{ ansible_distribution_release }}~noble"
     state: present
     allow_downgrade: yes
     allow_change_held_packages: yes
@@ -93,13 +125,7 @@
   notify: restart docker
   tags: [docker, deploy_docker]
 
-- name: Install Docker Compose plugin
+# ========== 6. Start Docker and configure user ==========
-  apt:
-    name: docker-compose-plugin
-    state: present
-  become: yes
-  tags: [docker, deploy_docker]
-
 - name: Start and enable Docker service
   systemd:
     name: docker
@@ -109,11 +135,21 @@
   become: yes
   tags: [docker, deploy_docker]
 
-- name: Wait for Docker to start
+- name: Wait for Docker socket to be available
-  pause:
+  wait_for:
-    seconds: 5
+    path: /var/run/docker.sock
+    timeout: 30
   tags: [docker, deploy_docker]
 
+- name: Add admin user to docker group
+  user:
+    name: "{{ admin_user | default('zailon') }}"
+    groups: docker
+    append: yes
+  become: yes
+  tags: [docker, deploy_docker]
+
+# ========== 7. Verify installation ==========
 - name: Verify Docker installation
   command: docker --version
   register: docker_version
@@ -136,16 +172,20 @@
     msg: "Docker Compose version: {{ docker_compose_version.stdout }}"
   tags: [docker, deploy_docker]
 
-# ========== Docker Monitoring Setup ==========
+- name: Test Docker with docker ps
-- name: Setup Docker monitoring
+  command: docker ps
-  block:
+  register: docker_ps_test
-    - name: Create scripts directory
+  changed_when: false
-      file:
+  tags: [docker, deploy_docker]
-        path: /opt/scripts
-        state: directory
-        mode: '0755'
-      become: yes
 
+- name: Show Docker containers
+  debug:
+    msg: "Docker is working! Containers: {{ docker_ps_test.stdout_lines | default(['none']) }}"
+  tags: [docker, deploy_docker]
+
+# ========== 8. Docker monitoring (optional) ==========
+- name: Setup Docker monitoring for Node Exporter
+  block:
     - name: Deploy Docker metrics script
       copy:
         content: |
@@ -169,33 +209,6 @@
         mode: '0755'
       become: yes
 
-    - name: Create systemd service for Docker metrics
-      copy:
-        content: |
-          [Unit]
-          Description=Docker metrics script
-          After=docker.service
-          [Service]
-          User=root
-          ExecStart=/opt/scripts/docker_metrics.sh
-        dest: /etc/systemd/system/docker-metrics.service
-        mode: '0644'
-      become: yes
-
-    - name: Create systemd timer for Docker metrics
-      copy:
-        content: |
-          [Unit]
-          Description=Run Docker metrics every 30 seconds
-          [Timer]
-          OnBootSec=1min
-          OnUnitActiveSec=30s
-          [Install]
-          WantedBy=timers.target
-        dest: /etc/systemd/system/docker-metrics.timer
-        mode: '0644'
-      become: yes
-
     - name: Ensure Node Exporter textfile directory exists
       file:
         path: /var/lib/node_exporter/textfile_collector
@@ -205,20 +218,12 @@
         mode: '0755'
       become: yes
 
-    - name: Enable and start Docker metrics timer
+    - name: Enable Docker metrics timer
       systemd:
         name: docker-metrics.timer
         enabled: yes
         state: started
         daemon_reload: yes
       become: yes
-
+  when: enable_docker_monitoring | default(true)
-    - name: Test Docker metrics script
+  tags: [docker, monitoring]
-      command: /opt/scripts/docker_metrics.sh
-      register: metrics_test
-      changed_when: false
-
-    - name: Show Docker metrics test result
-      debug:
-        var: metrics_test.stdout
-  tags: [docker, deploy_docker, monitoring]