From efb5db58f15a33a8bc1527d6fbad66c28e344bc8 Mon Sep 17 00:00:00 2001
From: Alexey Sedlyarsky
Date: Mon, 8 Jul 2024 21:45:27 +0200
Subject: [PATCH] Added new distros and insecure mode (#173)
* Added 'docker_allow_unauthenticated' and 'docker_disable_gpg_check' setting
* Added support for 'Amazon' and 'OracleLinux' distributions
---
 defaults/main.yml | 3 +++
 tasks/bug-tweaks/lvm-thinpool.yml | 2 ++
 tasks/checks/distribution-checks.yml | 3 +++
 tasks/configure-docker.yml | 4 ++++
 tasks/install-docker.yml | 11 +++++++++++
 tasks/main.yml | 17 +++++++++++++++--
 tasks/postinstall.yml | 4 ++++
 tasks/remove-docker.yml | 3 +++
 tasks/remove-pre-docker-ce.yml | 2 ++
 tasks/setup-audit.yml | 2 ++
 tasks/setup-repository-Debian.yml | 3 +++
 tasks/setup-repository-RedHat.yml | 2 ++
 tasks/setup-repository.yml | 1 +
 tests/experimental/kata/test_katacontainers.yml | 1 +
 tests/host_upgrade.yml | 2 ++
 tests/manual/test_remove_pre_ce.yml | 2 ++
 tests/prepare.yml | 2 ++
 tests/prepare_storage.yml | 4 ++++
 18 files changed, 66 insertions(+), 2 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 0e05d31..4d3a029 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -183,3 +183,6 @@ docker_remove_all: false
 # Additional files or directories to be remove if for example non-standard locations
 # was previously configured for data storage etc.
 docker_remove_additional: []
+# It bypasses GPG keys checking for package manager
+docker_allow_unauthenticated: no
+docker_disable_gpg_check: no
diff --git a/tasks/bug-tweaks/lvm-thinpool.yml b/tasks/bug-tweaks/lvm-thinpool.yml
index a40a2cb..6189c21 100644
--- a/tasks/bug-tweaks/lvm-thinpool.yml
+++ b/tasks/bug-tweaks/lvm-thinpool.yml
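Review bot: The two new defaults are written as `no` rather than `false`, and the comment above them does not say what they do, which matters because both switch off package signature verification for every package task in the role. Write them as `docker_allow_unauthenticated: false` and `docker_disable_gpg_check: false` to match yamllint's truthy rule and the role's other booleans, and replace the comment with one that names the effect and the scope, e.g. `# Disable package signature verification (apt --allow-unauthenticated / yum|dnf|zypper gpgcheck) for every package task in this role. Keep false unless you deliberately install from an unsigned mirror.` If the role lists its variables in a README, these two need an entry there as well; the diff does not touch one.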
@@ -3,6 +3,8 @@
 ansible.builtin.package:
 name: lvm2
 state: present
+ allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
+ disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['yum', 'dnf', 'zypper'] else omit }}"
 register: _pkg_result
 until: _pkg_result is succeeded
diff --git a/tasks/checks/distribution-checks.yml b/tasks/checks/distribution-checks.yml
index c6ae5f4..b9a91d6 100644
--- a/tasks/checks/distribution-checks.yml
+++ b/tasks/checks/distribution-checks.yml
@@ -5,6 +5,9 @@
 msg: "Distribution {{ _docker_os_dist }} is not supported by this role!"
 vars:
 _supported_distributions:
+ - Amazon
+ - OracleLinux
+ - CloudLinux
 - AlmaLinux
 - CentOS
 - Debian
diff --git a/tasks/configure-docker.yml b/tasks/configure-docker.yml
index bc3a40e..db54ebe 100644
--- a/tasks/configure-docker.yml
+++ b/tasks/configure-docker.yml
@@ -86,6 +86,8 @@
 ansible.builtin.package:
 name: lvm2
 state: present
+ allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
+ disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['yum', 'dnf', 'zypper'] else omit }}"
 register: _pkg_result
 until: _pkg_result is succeeded
@@ -95,6 +97,8 @@
 ansible.builtin.package:
 name: thin-provisioning-tools
 state: present
+ allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
+ disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['yum', 'dnf', 'zypper'] else omit }}"
 register: _pkg_result
 until: _pkg_result is succeeded
diff --git a/tasks/install-docker.yml b/tasks/install-docker.yml
index 8d3b376..c11d1a5 100644
--- a/tasks/install-docker.yml
+++ b/tasks/install-docker.yml
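Review bot: The pair of `allow_unauthenticated` / `disable_gpg_check` expressions added here is copied verbatim into every package task of the role (configure-docker.yml, install-docker.yml, postinstall.yml, remove-docker.yml, remove-pre-docker-ce.yml, setup-audit.yml, both setup-repository-*.yml files and the tests), so the package-manager list `['yum', 'dnf', 'zypper']` now lives in more than a dozen places. A host whose `ansible_pkg_mgr` fact reports a value outside that list (newer Fedora reports `dnf5`, I believe) silently gets the option omitted and keeps verification on — the safe direction, but not what a user who set the flag expects, and something nobody will notice until one copy of the list drifts from the others. Consider keeping the two expressions in one place — a `module_defaults` entry for `ansible.builtin.package` in the play, or role-level vars the tasks reference — so the list is maintained once; I have not verified that `omit` survives that indirection, so it needs a test on both an apt and a dnf host. The enclosing task starts above the hunk.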
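Review bot: `CloudLinux` is added to `_supported_distributions` although the commit message only announces Amazon and OracleLinux, so either the message or the list is incomplete. Neither OracleLinux nor CloudLinux gets a `_docker_os_dist_file_varity` reinterpretation in tasks/main.yml the way Amazon does in this commit; if that variable is derived from `ansible_os_family` (RedHat for both) the `setup-repository-{{ _docker_os_dist_file_varity }}.yml` include resolves, otherwise it fails on those hosts — the diff does not show where the variable is set, so please confirm with a run on each. The enclosing assert task starts above the hunk.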
@@ -28,6 +28,14 @@
 _docker_packages:
 - docker-ce
+- name: Ensure some kind of compatibility for no longer officially supported distributions since Docker CE 18.09
+ when:
+ - _docker_packages is not defined
+ - (_docker_os_dist == "Amazon" and _docker_os_dist_major_version | int >= 2023)
+ ansible.builtin.set_fact:
+ _docker_packages:
+ - docker
+
 - name: Do workaround to handle CentOS/RHEL 8 installation issues
 when:
 - _docker_packages is not defined
@@ -45,6 +53,9 @@
 ansible.builtin.package:
 name: "{{ (item is search('docker-ce')) | ternary((item + _docker_version_string | default('')), item) }}"
 state: "{{ _docker_pkg_state | default('present') }}"
+ allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
+ disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['yum', 'dnf', 'zypper'] else omit }}"
+
 loop: "{{ _docker_packages | default(docker_packages) }}"
 register: _docker_pkg_result
 retries: 6
diff --git a/tasks/main.yml b/tasks/main.yml
index 7183ed6..6d30058 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -33,6 +33,12 @@
 _docker_os_dist_file_varity: "RedHat"
 tags: ["install", "configure", "postinstall", "docker_install", "docker_configure", "docker_postinstall"]
+- name: Reinterpret distribution facts for Amazon Linux
+ when: _docker_os_dist == "Amazon"
+ ansible.builtin.set_fact:
+ _docker_os_dist_file_varity: "RedHat"
+ tags: ["install", "configure", "postinstall", "docker_install", "docker_configure", "docker_postinstall"]
+
 - name: Reinterpret distribution facts for Debian 10 (Buster) due to bug
 when:
 - _docker_os_dist == "Debian"
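Review bot: The task name `Ensure some kind of compatibility for no longer officially supported distributions since Docker CE 18.09` does not describe what the task does: on Amazon Linux with a major version of 2023 or higher it replaces the package list with the distribution's own `docker` package (and the matching `when:` in tasks/setup-repository.yml skips the Docker CE repository on that branch). Rename it to something like `Use the distribution-provided docker package on Amazon Linux 2023+`. Note also that the package task in the second hunk only appends `_docker_version_string` to names matching `docker-ce`, so any version pin the role offers is silently ignored for the plain `docker` package; a comment on this task saying so, e.g. `# AL2023 ships its own docker package; docker-ce version pinning does not apply here`, would save the next reader a debugging session.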
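Review bot: With this commit the role accepts two flags that turn off package signature verification, but nothing in tasks/main.yml makes that state visible in the play output, so a run with verification disabled looks identical to a normal one in logs and CI. A small task next to the fact-reinterpretation task added here would surface it; I would make it a warning rather than an `assert` failure so existing automation that sets the flags on purpose keeps working. The surrounding tasks of this file continue outside the hunk.
```yaml
# … unchanged: Reinterpret distribution facts for Amazon Linux …

- name: Warn when package signature verification is disabled
  when: docker_allow_unauthenticated | bool or docker_disable_gpg_check | bool
  ansible.builtin.debug:
    msg: >-
      WARNING: docker_allow_unauthenticated={{ docker_allow_unauthenticated }}
      docker_disable_gpg_check={{ docker_disable_gpg_check }} - packages installed
      by this role will not be signature-checked on this host
  tags: ["install", "configure", "postinstall", "docker_install", "docker_configure", "docker_postinstall"]

# … unchanged: Reinterpret distribution facts for Debian 10 (Buster) …
```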
@@ -44,7 +50,14 @@
 _docker_os_dist_major_version: 10
 tags: ["install", "configure", "postinstall", "docker_install", "docker_configure", "docker_postinstall"]
+- name: Check if /etc/os-release exists
+ stat:
+ path: /etc/os-release
+ register: _os_release
+ tags: ["install", "configure", "postinstall", "docker_install", "docker_configure", "docker_postinstall"]
+
 - name: OS release info
+ when: _os_release.stat.exists
 ansible.builtin.raw: cat /etc/os-release
 check_mode: no
 changed_when: no
@@ -52,6 +65,7 @@
 tags: ["install", "configure", "postinstall", "docker_install", "docker_configure", "docker_postinstall"]
 - name: Print OS release information
+ when: _os_release.stat.exists
 ansible.builtin.debug:
 var: _docker_os_release_info
 verbosity: 1
@@ -66,8 +80,7 @@
 tags: ["install", "configure", "postinstall", "docker_install", "docker_configure", "docker_postinstall"]
 - name: Reinterpret distribution facts for Raspbian
- when:
- - _docker_os_release_info.stdout is search('raspbian')
+ when: _os_release.stat.exists and _docker_os_release_info.stdout is search('raspbian')
 ansible.builtin.set_fact:
 _docker_os_arch: "armhf"
 tags: ["install", "configure", "postinstall", "docker_install", "docker_configure", "docker_postinstall"]
diff --git a/tasks/postinstall.yml b/tasks/postinstall.yml
index 619d418..fea4c38 100644
--- a/tasks/postinstall.yml
+++ b/tasks/postinstall.yml
@@ -90,6 +90,8 @@
 ansible.builtin.package:
 name: "epel-release"
 state: present
+ allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
+ disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['yum', 'dnf', 'zypper'] else omit }}"
 register: _pkg_result
 until: _pkg_result is succeeded
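Review bot: The new `Check if /etc/os-release exists` task uses the short module name `stat:` while every sibling task in this file, including the two added in this commit, uses the fully qualified `ansible.builtin.*` form; write it as `ansible.builtin.stat:` for consistency and so module resolution does not depend on the controller's collection search path. The `when: _os_release.stat.exists` guards on the following tasks look right as written: Jinja's `and` in the Raspbian condition (third hunk of this file) short-circuits before `_docker_os_release_info.stdout` is touched on hosts where the file is missing and the `raw` task was skipped.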
@@ -99,6 +101,8 @@
 ansible.builtin.package:
 name: "{{ item }}"
 state: present
+ allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
+ disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['yum', 'dnf', 'zypper'] else omit }}"
 loop: "{{ _docker_additional_packages_os }}"
 register: _pkg_result
 until: _pkg_result is succeeded
diff --git a/tasks/remove-docker.yml b/tasks/remove-docker.yml
index 5c0931f..624ca3c 100644
--- a/tasks/remove-docker.yml
+++ b/tasks/remove-docker.yml
@@ -15,6 +15,8 @@
 ansible.builtin.package:
 name: "{{ item }}"
 state: absent
+ allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
+ disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['yum', 'dnf', 'zypper'] else omit }}"
 loop: "{{ docker_packages }}"
 register: _pkg_result
 until: _pkg_result is succeeded
@@ -27,6 +29,7 @@
 name: "{{ item }}"
 state: absent
 purge: yes
+ allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
 loop: "{{ docker_packages }}"
 register: _pkg_result
 until: _pkg_result is succeeded
diff --git a/tasks/remove-pre-docker-ce.yml b/tasks/remove-pre-docker-ce.yml
index 21eee16..448dd41 100644
--- a/tasks/remove-pre-docker-ce.yml
+++ b/tasks/remove-pre-docker-ce.yml
@@ -40,6 +40,8 @@
 ansible.builtin.package:
 name: "{{ item }}"
 state: absent
+ allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
+ disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['yum', 'dnf', 'zypper'] else omit }}"
 register: _pkg_result
 until: _pkg_result is succeeded
 loop: "{{ docker_old_packages[_docker_os_dist] | default(docker_old_packages[_docker_os_dist_file_varity]) }}"
diff --git a/tasks/setup-audit.yml b/tasks/setup-audit.yml
index a23cdbb..76526f8 100644
--- a/tasks/setup-audit.yml
+++ b/tasks/setup-audit.yml
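Review bot: The removal tasks in tasks/remove-docker.yml (both hunks) and in tasks/remove-pre-docker-ce.yml now carry `allow_unauthenticated` / `disable_gpg_check`, but with `state: absent` no package is downloaded, so signature verification never runs and the options should be no-ops there (I have not checked every package-manager backend for how it treats them on removal). Dropping them from the `state: absent` tasks keeps the verification-bypass knobs confined to the tasks that actually fetch packages, which makes it much easier to audit where the flags have an effect. The enclosing tasks start above their hunks.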
@@ -8,6 +8,8 @@
 ansible.builtin.package:
 name: auditd
 state: present
+ allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
+ disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['yum', 'dnf', 'zypper'] else omit }}"
 register: _pkg_result
 until: _pkg_result is succeeded
diff --git a/tasks/setup-repository-Debian.yml b/tasks/setup-repository-Debian.yml
index d924969..bb58aed 100644
--- a/tasks/setup-repository-Debian.yml
+++ b/tasks/setup-repository-Debian.yml
@@ -7,6 +7,7 @@
 become: true
 ansible.builtin.apt:
 update_cache: yes
+ allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
 changed_when: false
 register: _pkg_result
 until: _pkg_result is succeeded
@@ -27,6 +28,8 @@
 ansible.builtin.package:
 name: "{{ item }}"
 state: present
+ allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
+ disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['yum', 'dnf', 'zypper'] else omit }}"
 loop: "{{ docker_repository_related_packages[_docker_os_dist_file_varity] }}"
 register: _pkg_result
 until: _pkg_result is succeeded
diff --git a/tasks/setup-repository-RedHat.yml b/tasks/setup-repository-RedHat.yml
index 5821f4c..18c4a9d 100644
--- a/tasks/setup-repository-RedHat.yml
+++ b/tasks/setup-repository-RedHat.yml
@@ -16,6 +16,8 @@
 ansible.builtin.package:
 name: "{{ item }}"
 state: present
+ allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
+ disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['yum', 'dnf', 'zypper'] else omit }}"
 loop: "{{ docker_repository_related_packages[_docker_os_dist_file_varity] }}"
 register: _pkg_result
 until: _pkg_result is succeeded
diff --git a/tasks/setup-repository.yml b/tasks/setup-repository.yml
index 6128236..db3ae0c 100644
--- a/tasks/setup-repository.yml
+++ b/tasks/setup-repository.yml
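Review bot: In tasks/setup-repository-Debian.yml the first hunk adds `allow_unauthenticated` to an `ansible.builtin.apt` task that only does `update_cache: yes`. As far as I know the apt module passes `--allow-unauthenticated` to its install and remove commands and not to `apt-get update`, so this line does not make an unsigned repository's metadata acceptable; if the intent is to support an unsigned Docker mirror, that has to be expressed on the repository definition itself, and if not, the line can simply go. Worth confirming against the module's behaviour in the Ansible versions the role supports before merging. The enclosing task starts above the hunk.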
@@ -1,5 +1,6 @@
 ---
 - name: Include setup repository tasks for distribution variety {{ _docker_os_dist_file_varity }}
+ when: (_docker_os_dist == "Amazon" and _docker_os_dist_major_version | int < 2023) or _docker_os_dist != "Amazon"
 ansible.builtin.include_tasks: setup-repository-{{ _docker_os_dist_file_varity }}.yml
 - name: Update repository cache
diff --git a/tests/experimental/kata/test_katacontainers.yml b/tests/experimental/kata/test_katacontainers.yml
index 8a66a9f..76ddac4 100644
--- a/tests/experimental/kata/test_katacontainers.yml
+++ b/tests/experimental/kata/test_katacontainers.yml
@@ -15,6 +15,7 @@
 yum:
 name: "{{ item }}"
 update_cache: yes
+ disable_gpg_check: "{{ disable_gpg_check if ansible_pkg_mgr in ['yum', 'dnf', 'zypper'] else omit }}"
 loop:
 - kata-runtime
 - kata-proxy
diff --git a/tests/host_upgrade.yml b/tests/host_upgrade.yml
index 15dae8a..9da971d 100644
--- a/tests/host_upgrade.yml
+++ b/tests/host_upgrade.yml
@@ -6,5 +6,7 @@
 package:
 name: "*"
 state: latest
+ allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
+ disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['yum', 'dnf', 'zypper'] else omit }}"
 register: _upgrade_all
 when: ansible_distribution == "RedHat"
diff --git a/tests/manual/test_remove_pre_ce.yml b/tests/manual/test_remove_pre_ce.yml
index 5ec975b..8aa96fa 100644
--- a/tests/manual/test_remove_pre_ce.yml
+++ b/tests/manual/test_remove_pre_ce.yml
@@ -18,6 +18,8 @@
 package:
 name: docker-latest
 state: present
+ allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
+ disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['yum', 'dnf', 'zypper'] else omit }}"
 register: _pkg_result
 until: _pkg_result is succeeded
diff --git a/tests/prepare.yml b/tests/prepare.yml
index 1f19b79..454b041 100644
--- a/tests/prepare.yml
+++ b/tests/prepare.yml
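Review bot: The condition `(_docker_os_dist == "Amazon" and _docker_os_dist_major_version | int < 2023) or _docker_os_dist != "Amazon"` is the negation of a single case and reads more clearly as `when: not (_docker_os_dist == "Amazon" and _docker_os_dist_major_version | int >= 2023)`, which also mirrors the test used in tasks/install-docker.yml so the two stay in step. A comment above it, e.g. `# Amazon Linux 2023+ installs the distribution's own docker package, so no Docker CE repository is configured`, would explain why the include is skipped. Whether the RedHat repository tasks that Amazon Linux 2 now falls through to actually serve that distribution is not something the diff shows; it deserves a CI run on that image.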
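Review bot: In tests/experimental/kata/test_katacontainers.yml the added line references the variable `disable_gpg_check` (`{{ disable_gpg_check if ... }}`) while every other hunk in this commit uses `docker_disable_gpg_check`; unless `disable_gpg_check` is defined somewhere in that test play, the task now fails with an undefined-variable error on every yum/dnf/zypper host. Change it to `disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['yum', 'dnf', 'zypper'] else omit }}"`. The enclosing task starts above the hunk.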
@@ -36,6 +36,8 @@
 package:
 name: git
 state: present
+ allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
+ disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['yum', 'dnf', 'zypper'] else omit }}"
 when: docker_bench_security is defined
 - name: Ensure Docker Bench Security is cloned
diff --git a/tests/prepare_storage.yml b/tests/prepare_storage.yml
index 29ecc77..b72f62c 100644
--- a/tests/prepare_storage.yml
+++ b/tests/prepare_storage.yml
@@ -11,6 +11,8 @@
 package:
 name: "{{ item }}"
 state: present
+ allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
+ disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['yum', 'dnf', 'zypper'] else omit }}"
 become: true
 loop:
 - parted
@@ -19,6 +21,8 @@
 package:
 name: e4fsprogs
 state: present
+ allow_unauthenticated: "{{ docker_allow_unauthenticated if ansible_pkg_mgr == 'apt' else omit }}"
+ disable_gpg_check: "{{ docker_disable_gpg_check if ansible_pkg_mgr in ['yum', 'dnf', 'zypper'] else omit }}"
 become: true
 when: ansible_distribution == "CentOS"