Puppet Class: docker

Defined in:
manifests/init.pp

Summary

Configure Docker containers

Overview

Parameters:

  • containers (Hash[String, Hash]) (defaults to: {})

    to launch

  • data_root (String) (defaults to: '/var/lib/docker')

    for storing docker images / volumes

  • bridge_subnet (String) (defaults to: '172.17.0.0/16')

    sets the subnet used for the custom bridge

  • bridge_name (String) (defaults to: 'docker1')

    sets the name of the custom bridge

[View source]

7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
 
# File 'manifests/init.pp', line 7

class docker (
  Hash[String, Hash] $containers = {},
  String $data_root = '/var/lib/docker',
  String $bridge_subnet = '172.17.0.0/16',
  String $bridge_name = 'docker1',
) {
  package { 'docker': }

  -> file { [$data_root, '/etc/docker']:
    ensure => directory,
    owner  => root,
    group  => root,
  }

  -> file { '/etc/docker/daemon.json':
    ensure  => file,
    content => template('docker/daemon.json.erb'),
  }

  -> service { 'docker':
    ensure => running,
    enable => true,
  }

  file { '/etc/systemd/system/container@.service':
    ensure => file,
    source => 'puppet:///modules/docker/container@.service',
  }

  file { '/etc/container':
    ensure => directory,
  }

  firewallchain { 'DOCKER_EXPOSE:nat:IPv4':
    ensure  => present,
  }

  firewall { '100 handle incoming traffic for containers':
    chain    => 'PREROUTING',
    jump     => 'DOCKER_EXPOSE',
    dst_type => 'LOCAL',
    table    => 'nat',
  }

  firewall { '100 handle uturn traffic for containers':
    chain       => 'OUTPUT',
    jump        => 'DOCKER_EXPOSE',
    destination => '! 127.0.0.0/8',
    dst_type    => 'LOCAL',
    table       => 'nat',
  }

  firewall { '100 masquerade for docker containers':
    chain    => 'POSTROUTING',
    jump     => 'MASQUERADE',
    proto    => 'all',
    outiface => "! ${bridge_name}",
    source   => $bridge_subnet,
    table    => 'nat',
  }

  firewall { '100 forward from docker containers':
    chain    => 'FORWARD',
    action   => 'accept',
    proto    => 'all',
    outiface => "! ${bridge_name}",
    iniface  => $bridge_name,
  }

  firewall { '100 forward to docker containers':
    chain    => 'FORWARD',
    action   => 'accept',
    proto    => 'all',
    outiface => $bridge_name,
    iniface  => "! ${bridge_name}",
  }

  firewall { '100 masquerade for default docker containers':
    chain    => 'POSTROUTING',
    jump     => 'MASQUERADE',
    proto    => 'all',
    outiface => '! docker0',
    source   => '172.31.255.0/24',
    table    => 'nat',
  }

  firewall { '100 forward from default docker containers':
    chain    => 'FORWARD',
    action   => 'accept',
    proto    => 'all',
    outiface => '! docker0',
    iniface  => 'docker0',
  }

  firewall { '100 forward to default docker containers':
    chain    => 'FORWARD',
    action   => 'accept',
    proto    => 'all',
    outiface => 'docker0',
    iniface  => '! docker0',
  }

  exec { 'create docker network':
    command   => "/usr/bin/docker network create --subnet ${bridge_subnet} -o com.docker.network.bridge.name=${bridge_name} ${bridge_name}",
    unless    => "/usr/bin/docker network inspect ${bridge_name}",
    subscribe => Service['docker'],
  }

  $docker::containers.each | String $name, Hash $options | {
    docker::container { $name:
      *       => $options,
      require => Exec['create docker network'],
    }
  }
}