okd/roles/container_runtime/tasks/package_docker.yml

---
- import_tasks: common/pre.yml

# In some cases, some services may be run as containers and docker may still
# be installed via rpm.
- import_tasks: common/atomic_proxy.yml
  when:
  - >
    (openshift_use_system_containers | default(False)) | bool
    or (openshift_use_etcd_system_container | default(False)) | bool
    or (openshift_use_node_system_container | default(False)) | bool
    or (openshift_use_master_system_container | default(False)) | bool

- name: Get current installed Docker version
  command: "{{ repoquery_installed }} --qf '%{version}' docker"
  when: not openshift_is_atomic | bool
  register: curr_docker_version
  retries: 4
  until: curr_docker_version is succeeded
  changed_when: false

# Some basic checks to ensure the role will complete
- import_tasks: docker_sanity.yml

# Make sure Docker is installed, but does not update a running version.
# Docker upgrades are handled by a separate playbook.
# Note: The curr_docker_version.stdout check can be removed when https://github.com/ansible/ansible/issues/33187 gets fixed.
- name: Install Docker
  package:
    name: "docker{{ '-' + docker_version if docker_version is defined else '' }}"
    state: present
  when:
  - not (openshift_is_atomic | bool)
  - not (curr_docker_version is skipped)
  - not (curr_docker_version.stdout != '')
  register: result
  until: result is succeeded

- block:
  # Extend the default Docker service unit file when using iptables-services
  - name: Ensure docker.service.d directory exists
    file:
      path: "{{ docker_systemd_dir }}"
      state: directory

  - name: Configure Docker service unit file
    template:
      dest: "{{ docker_systemd_dir }}/custom.conf"
      src: custom.conf.j2
    notify:
    - restart container runtime
  when: not (os_firewall_use_firewalld | default(False)) | bool

- stat: path=/etc/sysconfig/docker
  register: docker_check

- name: Set registry params
  lineinfile:
    dest: /etc/sysconfig/docker
    regexp: '^{{ item.reg_conf_var }}=.*$'
    line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val | lib_utils_oo_prepend_strings_in_list(item.reg_flag ~ ' ') | join(' ') }}'"
  when:
  - item.reg_fact_val != []
  - docker_check.stat.isreg is defined
  - docker_check.stat.isreg
  with_items:
  - reg_conf_var: ADD_REGISTRY
    reg_fact_val: "{{ l2_docker_additional_registries }}"
    reg_flag: --add-registry
  - reg_conf_var: BLOCK_REGISTRY
    reg_fact_val: "{{ l2_docker_blocked_registries }}"
    reg_flag: --block-registry
  - reg_conf_var: INSECURE_REGISTRY
    reg_fact_val: "{{ l2_docker_insecure_registries }}"
    reg_flag: --insecure-registry
  notify:
  - restart container runtime

- name: Place additional/blocked/insecure registries in /etc/containers/registries.conf
  template:
    dest: "{{ containers_registries_conf_path }}"
    src: registries.conf
  when: openshift_docker_use_etc_containers | bool
  notify:
  - restart container runtime

- name: Set Proxy Settings
  lineinfile:
    dest: /etc/sysconfig/docker
    regexp: '^{{ item.reg_conf_var }}=.*$'
    line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val }}'"
    state: "{{ 'present' if item.reg_fact_val != '' else 'absent'}}"
  with_items:
  - reg_conf_var: HTTP_PROXY
    reg_fact_val: "{{ docker_http_proxy }}"
  - reg_conf_var: HTTPS_PROXY
    reg_fact_val: "{{ docker_https_proxy }}"
  - reg_conf_var: NO_PROXY
    reg_fact_val: "{{ docker_no_proxy }}"
  notify:
  - restart container runtime
  when:
  - docker_check.stat.isreg is defined
  - docker_check.stat.isreg
  - docker_http_proxy != '' or docker_https_proxy != ''

- name: Set various Docker options
  lineinfile:
    dest: /etc/sysconfig/docker
    regexp: '^OPTIONS=.*$'
    line: "OPTIONS='\
      {% if ansible_selinux.status | default(None) == 'enabled' and openshift_docker_selinux_enabled | default(true) | bool %} --selinux-enabled {% endif %} \
      {% if openshift_docker_log_driver %} --log-driver {{ openshift_docker_log_driver }}{% endif %} \
      {% if l2_docker_log_options != [] %} {{ l2_docker_log_options |  lib_utils_oo_split() | lib_utils_oo_prepend_strings_in_list('--log-opt ') | join(' ')}}{% endif %} \
      {% if (openshift_docker_hosted_registry_insecure | bool) and openshift_docker_hosted_registry_network %} --insecure-registry={{ openshift_docker_hosted_registry_network }} {% endif %} \
      {% if docker_options is defined %} {{ docker_options }}{% endif %} \
      {% if openshift_docker_options %} {{ openshift_docker_options }}{% endif %} \
      {% if openshift_docker_disable_push_dockerhub | bool %} --confirm-def-push={{ openshift_docker_disable_push_dockerhub | bool }}{% endif %} \
      --signature-verification={{ openshift_docker_signature_verification | bool }}'"
  when: docker_check.stat.isreg is defined and docker_check.stat.isreg
  notify:
  - restart container runtime

- stat: path=/etc/sysconfig/docker-network
  register: sysconfig_docker_network_check

- name: Configure Docker Network OPTIONS
  lineinfile:
    dest: /etc/sysconfig/docker-network
    regexp: '^DOCKER_NETWORK_OPTIONS=.*$'
    line: "DOCKER_NETWORK_OPTIONS='\
      {% if openshift.node is defined and openshift.node.sdn_mtu is defined %} --mtu={{ openshift.node.sdn_mtu }}{% endif %}'"
  when:
  - sysconfig_docker_network_check.stat.isreg is defined
  - sysconfig_docker_network_check.stat.isreg
  notify:
  - restart container runtime

# The following task is needed as the systemd module may report a change in
# state even though docker is already running.
- name: Detect if docker is already started
  command: "systemctl show docker -p ActiveState"
  changed_when: False
  register: r_docker_already_running_result

- name: Start the Docker service
  systemd:
    name: docker
    enabled: yes
    state: started
    daemon_reload: yes
  register: r_docker_package_docker_start_result
  until: not (r_docker_package_docker_start_result is failed)
  retries: 3
  delay: 30

- set_fact:
    docker_service_status_changed: "{{ (r_docker_package_docker_start_result is changed) and (r_docker_already_running_result.stdout != 'ActiveState=active' ) }}"

- import_tasks: common/post.yml