Puppet Class: docker

Defined in:
manifests/init.pp

Summary

Configure Docker containers

Overview

Parameters:

  • containers (Hash[String, Hash]) (defaults to: {})

    Map of container name to options for the `docker::container` defined type; one `docker::container` is declared per entry, after the bridge network has been created.

  • data_root (String) (defaults to: '/var/lib/docker')

    Directory the Docker daemon uses as its data root (images, layers and volumes).

  • bridge_subnet (String) (defaults to: '172.17.0.0/16')

    IPv4 CIDR assigned to the custom bridge network; also used as the source range of the MASQUERADE rule for outbound container traffic.

  • bridge_name (String) (defaults to: 'docker1')

    Name of the custom bridge network and of the Linux bridge interface it creates; the FORWARD and NAT rules match on this interface name.



# File 'manifests/init.pp', line 7

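# @summary Configure Docker containers
#
# Installs Docker, writes daemon.json, creates a custom bridge network with
# the NAT / FORWARD rules needed to publish container ports, and declares one
# docker::container per entry in $containers.
#
# @param containers
#   Hash of container name => options; each entry becomes a docker::container
#   and the options are passed through unchanged.
# @param data_root
#   Absolute path dockerd uses for images / layers / volumes.
# @param bridge_subnet
#   IPv4 CIDR of the custom bridge network. Also the source range of the
#   MASQUERADE rule. Validated because it is interpolated into a command line.
# @param bridge_name
#   Name of the custom bridge network and of its Linux interface (hence at
#   most 15 characters). Validated because it is interpolated into a command
#   line and into iptables interface matches.
class docker (
  Hash[String, Hash] $containers = {},
  Pattern[/\A\//] $data_root = '/var/lib/docker',
  Pattern[/\A(\d{1,3}\.){3}\d{1,3}\/\d{1,2}\z/] $bridge_subnet = '172.17.0.0/16',
  Pattern[/\A[A-Za-z0-9_.-]{1,15}\z/] $bridge_name = 'docker1',
) {
  package { 'docker': }

  # dockerd creates its data root as 0710. If Puppet creates the directory
  # first with its default directory mode (0755) that mode sticks and lets
  # unprivileged local users traverse into image layers and volumes, so the
  # mode is pinned here.
  -> file { $data_root:
    ensure => directory,
    owner  => root,
    group  => root,
    mode   => '0710',
  }

  -> file { '/etc/docker':
    ensure => directory,
    owner  => root,
    group  => root,
    mode   => '0755',
  }

  -> file { '/etc/docker/daemon.json':
    ensure  => file,
    owner   => root,
    group   => root,
    mode    => '0644',
    content => template('docker/daemon.json.erb'),
  }

  # Notify (~>) rather than only order (->): a changed daemon.json is not
  # applied until dockerd restarts. NOTE(review): the restart also stops
  # running containers unless the template enables live-restore - confirm.
  ~> service { 'docker':
    ensure => running,
    enable => true,
  }

  # systemd instance template and per-container config directory. Both are
  # ordered before the docker::container instances below, which are assumed
  # to rely on them.
  file { '/etc/systemd/system/container@.service':
    ensure => file,
    owner  => root,
    group  => root,
    mode   => '0644',
    source => 'puppet:///modules/docker/container@.service',
  }

  file { '/etc/container':
    ensure => directory,
    owner  => root,
    group  => root,
    mode   => '0755',
  }

  # Port publishing chain; presumably filled with DNAT rules by
  # docker::container (inferred from the name - verify against that define).
  firewallchain { 'DOCKER_EXPOSE:nat:IPv4':
    ensure  => present,
  }

  # Traffic addressed to a local IP, from the network or from the host
  # itself, is run through the publishing chain.
  firewall { '100 handle incoming traffic for containers':
    chain    => 'PREROUTING',
    jump     => 'DOCKER_EXPOSE',
    dst_type => 'LOCAL',
    table    => 'nat',
  }

  firewall { '100 handle uturn traffic for containers':
    chain    => 'OUTPUT',
    jump     => 'DOCKER_EXPOSE',
    dst_type => 'LOCAL',
    table    => 'nat',
  }

  # Outbound container traffic leaves with the host's address.
  firewall { '100 masquerade for docker containers':
    chain    => 'POSTROUTING',
    jump     => 'MASQUERADE',
    proto    => 'all',
    outiface => "! ${bridge_name}",
    source   => $bridge_subnet,
    table    => 'nat',
  }

  # Host-originated connections that were DNAT'd into the bridge get the
  # bridge address as source so replies return through the host.
  firewall { '100 masquerade for localhost uturn':
    chain    => 'POSTROUTING',
    jump     => 'MASQUERADE',
    src_type => 'LOCAL',
    dst_type => 'UNICAST',
    outiface => $bridge_name,
    table    => 'nat',
  }

  firewall { '100 forward from docker containers':
    chain    => 'FORWARD',
    action   => 'accept',
    proto    => 'all',
    outiface => "! ${bridge_name}",
    iniface  => $bridge_name,
  }

  # Only reply traffic and connections whose destination was rewritten by
  # the publishing chain (ctstate DNAT) may be forwarded into the bridge.
  # Accepting everything here, as the earlier version did, let any host that
  # can route to $bridge_subnet reach every container port, published or
  # not - stricter than dockerd's own default FORWARD handling is not needed,
  # but looser than it should not be.
  firewall { '100 forward to docker containers':
    chain    => 'FORWARD',
    action   => 'accept',
    proto    => 'all',
    outiface => $bridge_name,
    iniface  => "! ${bridge_name}",
    ctstate  => ['RELATED', 'ESTABLISHED', 'DNAT'],
  }

  # Create the bridge network once the daemon is running (subscribe implies
  # require on the service). The interpolated parameters are constrained by
  # their Pattern types above, so no shell metacharacters can reach this
  # command line.
  exec { 'create docker network':
    command   => "/usr/bin/docker network create --subnet ${bridge_subnet} -o com.docker.network.bridge.name=${bridge_name} ${bridge_name}",
    unless    => "/usr/bin/docker network inspect ${bridge_name}",
    subscribe => Service['docker'],
  }

  # One docker::container per entry. The options hash is splatted through
  # unchanged (an entry that itself sets `require` would clash with the one
  # added here, as in the original).
  $containers.each |String $name, Hash $options| {
    docker::container { $name:
      *       => $options,
      require => [
        Exec['create docker network'],
        File['/etc/systemd/system/container@.service'],
        File['/etc/container'],
      ],
    }
  }
}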