author | Leif Johansson <leifj@sunet.se> | 2015-03-06 09:41:00 +0100 |
committer | Leif Johansson <leifj@sunet.se> | 2015-03-06 09:41:00 +0100 |
commit | d0f8b25c768e1ed70e05b301868bf4527b6e9fb4 (patch) | |
tree | 5fc19da7b6ee258104888582239257051d68bdaa /global/overlay/etc/puppet/modules/sunet/manifests | |
parent | c2a8dcb2af31d640ffbfb3cf3f18d0c643a949f0 (diff) |
sunet dockerhost stolen from eduid
Diffstat (limited to 'global/overlay/etc/puppet/modules/sunet/manifests')
-rw-r--r-- | global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp | 42 | ||||
-rw-r--r-- | global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp | 54 |
2 files changed, 96 insertions, 0 deletions
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
new file mode 100644
index 0000000..8df416b
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
@@ -0,0 +1,42 @@
+# Common use of docker::run
+define sunet::docker_run(
+ $image,
+ $imagetag = hiera('sunet_docker_default_tag', 'latest'),
+ $volumes = [],
+ $ports = [],
+ $env = [],
+ $net = 'bridge',
+ $extra_parameters = [],
+) {
+
+ # Make container use unbound resolver on dockerhost
+ # If docker was just installed, facter will not know the IP of docker0. Thus the pick.
+ $dns = $net ? {
+ 'host' => [], # docker refuses --dns with --net host
+ default => [pick($::ipaddress_docker0, '172.17.42.1')],
+ }
+
+ $image_tag = "${image}:${imagetag}"
+ docker::image { $image_tag : } ->
+
+ docker::run {$name :
+ use_name => true,
+ image => $image_tag,
+ volumes => flatten([$volumes,
+ '/etc/passwd:/etc/passwd:ro', # uid consistency
+ '/etc/group:/etc/group:ro', # gid consistency
+ ]),
+ ports => $ports,
+ env => $env,
+ net => $net,
+ extra_parameters => flatten([$extra_parameters,
+ '--rm',
+ ]),
+ dns => $dns,
+ verify_checksum => false, # Rely on registry security for now. eduID risk #31.
+ pre_start => 'run-parts /usr/local/etc/docker.d',
+ post_start => 'run-parts /usr/local/etc/docker.d',
+ pre_stop => 'run-parts /usr/local/etc/docker.d',
+ }
+
+}
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp b/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp
new file mode 100644
index 0000000..9dec034
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/dockerhost.pp
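Review bot: The `pre_start`, `post_start` and `pre_stop` hooks of the `docker::run` resource all execute the same `run-parts /usr/local/etc/docker.d` directory, so every script dropped there runs three times per container lifecycle, once before the container may exist and once while it is being stopped, and nothing in the define documents that contract. I would add a comment above `pre_start` such as `# All three hooks run the same directory: scripts in docker.d must be idempotent and safe to run before the container exists and during stop.` Separately, the `$imagetag` default of `latest` together with `verify_checksum => false` means the image actually started is whatever the registry currently serves for a mutable tag; the comment on `verify_checksum` already names the accepted risk, and extending it to say that the default tag is mutable as well would make the trade-off explicit for the next reader.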
@@ -0,0 +1,54 @@
+# Install docker from https://get.docker.com/ubuntu
+class sunet::dockerhost {
+ apt::source {'docker_official':
+ location => 'https://get.docker.com/ubuntu',
+ release => 'docker',
+ repos => 'main',
+ key => 'A88D21E9',
+ include_src => false
+ }
+ package {'lxc-docker':
+ ensure => latest,
+ }
+
+ class {'docker':
+ manage_package => false,
+ }
+
+ package { 'unbound': ensure => 'latest' }
+
+ file { '/usr/local/etc/docker.d/20unbound':
+ ensure => file,
+ path => '/usr/local/etc/docker.d/20unbound',
+ mode => '0755',
+ content => template('sunet/dockerhost/20unbound.erb'),
+ }
+
+ file { '/etc/logrotate.d/docker-containers':
+ ensure => file,
+ path => '/etc/logrotate.d/docker-containers',
+ mode => '0644',
+ content => template('sunet/dockerhost/logrotate_docker-containers.erb'),
+ }
+
+ file { '/etc/unbound/unbound.conf.d/docker.conf':
+ ensure => file,
+ path => '/etc/unbound/unbound.conf.d/docker.conf',
+ mode => '0644',
+ notify => Service['unbound'],
+ }
+
+ ufw::allow { 'allow-docker-resolving_udp':
+ port => '53',
+ ip => $::ipaddress_docker0, # both IPv4 and IPv6
+ from => '172.16.0.0/12',
+ proto => 'udp',
+ }
+ ufw::allow { 'allow-docker-resolving_tcp':
+ port => '53',
+ ip => $::ipaddress_docker0, # both IPv4 and IPv6
+ from => '172.16.0.0/12',
+ proto => 'tcp',
+ }
+
+}
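Review bot: Both `ufw::allow` resources use `ip => $::ipaddress_docker0` with no fallback, whereas docker_run.pp in this same commit notes that facter does not know the docker0 address on a freshly installed host and wraps the fact in `pick()`; on the first Puppet run this class will therefore emit firewall rules with an undefined `ip`. Using the same fallback in both rules, `ip => pick($::ipaddress_docker0, '172.17.42.1'),`, keeps the two manifests consistent. The adjacent `# both IPv4 and IPv6` comment appears to describe an IPv4-only fact, so it is worth confirming what it was meant to say. The `apt::source` trusts the Docker repository via the short key id `A88D21E9`; short ids are not collision-resistant, so the full key fingerprint should be given instead. `notify => Service['unbound']` also references a service resource that this class does not declare, so catalog compilation depends on it being declared elsewhere.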