From 1709cf98ed0c2283c9f81f1f76302f7a539a62c3 Mon Sep 17 00:00:00 2001 From: Leif Johansson Date: Sun, 22 Mar 2015 17:11:23 +0100 Subject: trust anchors --- .../puppet/modules/sunet/manifests/docker_run.pp | 42 ++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp (limited to 'global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp') diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp new file mode 100644 index 0000000..8df416b --- /dev/null +++ b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp @@ -0,0 +1,42 @@ +# Common use of docker::run +define sunet::docker_run( + $image, + $imagetag = hiera('sunet_docker_default_tag', 'latest'), + $volumes = [], + $ports = [], + $env = [], + $net = 'bridge', + $extra_parameters = [], +) { + + # Make container use unbound resolver on dockerhost + # If docker was just installed, facter will not know the IP of docker0. Thus the pick. + $dns = $net ? { + 'host' => [], # docker refuses --dns with --net host + default => [pick($::ipaddress_docker0, '172.17.42.1')], + } + + $image_tag = "${image}:${imagetag}" + docker::image { $image_tag : } -> + + docker::run {$name : + use_name => true, + image => $image_tag, + volumes => flatten([$volumes, + '/etc/passwd:/etc/passwd:ro', # uid consistency + '/etc/group:/etc/group:ro', # gid consistency + ]), + ports => $ports, + env => $env, + net => $net, + extra_parameters => flatten([$extra_parameters, + '--rm', + ]), + dns => $dns, + verify_checksum => false, # Rely on registry security for now. eduID risk #31. + pre_start => 'run-parts /usr/local/etc/docker.d', + post_start => 'run-parts /usr/local/etc/docker.d', + pre_stop => 'run-parts /usr/local/etc/docker.d', + } + +} -- cgit v1.1