Puppet Class: cfweb::appcommon::docker

Defined in:
manifests/appcommon/docker.pp

Overview

Parameters:

  • worker_token (Optional[String[1]]) (defaults to: undef) — Swarm join token for secondary (worker) nodes, as printed by `docker swarm join-token`. Ignored on the manager; required when `cfweb::is_secondary` is true, otherwise catalog compilation fails. It is a plain string parameter, so the token is visible in the catalog, reports and the `docker::swarm` resource.
  • docker_options (Hash) (defaults to: {}) — options forwarded to `cfweb::internal::dockerbase`. Any `iptables` key is overridden with `false`: Docker's own iptables management is disabled and firewall integration is done through cfnetwork instead.


# File 'manifests/appcommon/docker.pp', line 6

# Installs Docker on a cfweb node and enrols it into the cluster's Swarm.
#
# Firewall handling is delegated to cfnetwork: Docker's own iptables
# management is forced off below and the bridge interfaces are declared
# to cfnetwork instead.
#
# @param worker_token
#   Swarm join token for secondary (worker) nodes, as printed by
#   `docker swarm join-token`. Ignored on the manager; required on
#   secondaries (the class fails otherwise). NOTE(review): this is a
#   plain String parameter, so the token ends up in the catalog, in
#   reports and in the docker::swarm resource — store it in Hiera/ENC
#   accordingly.
# @param docker_options
#   Extra options forwarded to cfweb::internal::dockerbase. Any
#   `iptables` key is overridden with `false` (right-hand side of `+`
#   wins).
class cfweb::appcommon::docker (
    Optional[String[1]]
        $worker_token = undef,
    Hash
        $docker_options = {},
){
    # Base Docker install in the early 'setup' stage. iptables => false is
    # merged last so it wins over any value the caller put in
    # $docker_options.
    class { 'cfweb::internal::dockerbase':
        stage   => setup,
        options => $docker_options + {
            iptables => false,
        },
    }

    include cfweb

    $dockerfile_dir = "${cfweb::web_dir}/docker"
    # The primary (non-secondary) node initialises and manages the Swarm.
    $is_manager = !$cfweb::is_secondary
    $group = 'docker'

    # Dockerfile directory is readable only by its owner (no owner is set
    # here, so it is whatever the agent runs as).
    file { $dockerfile_dir:
        ensure => directory,
        mode   => '0700',
    }
    # NOTE(review): the docker group conventionally grants access to the
    # Docker socket (root-equivalent). This class only creates the group;
    # it adds no members.
    group { $group:
        system => true,
    }

    # Default configuration
    # ---
    # Resource defaults for this scope: images are absent unless a
    # declaration says otherwise.
    Docker::Image {
        ensure => absent,
    }

    # Same defaults for networks, swarms and services, but only on the
    # manager, where those resources are managed.
    if $is_manager {
        Docker_network {
            ensure => absent,
        }
        Docker::Swarm {
            ensure => absent,
        }
        Docker::Services {
            ensure => absent,
        }
    }

    # Swarm cluster
    # ---
    # Docker's documented Swarm ports: 2377/tcp cluster management,
    # 7946/tcp+udp node discovery, 4789/udp overlay (VXLAN) traffic.
    # Presumably this only describes the service to cfnetwork rather than
    # opening the ports by itself — verify in cfnetwork.
    # NOTE(review): overlay traffic on udp/4789 is not encrypted unless the
    # overlay network is created with encryption enabled — confirm how
    # networks are declared.
    cfnetwork::describe_service { 'docker_swarm':
        server => [
            'tcp/2377',
            'tcp/7946',
            'udp/7946',
            'udp/4789',
        ],
    }

    if $is_manager {
        # TODO: Puppet-based PKI
        # Manager: initialise a new Swarm, advertising and listening on the
        # internal address only.
        docker::swarm { $cfweb::cluster:
            ensure         => present,
            init           => true,
            advertise_addr => $cfweb::internal_addr,
            listen_addr    => $cfweb::internal_addr,
        }
    } elsif !empty($worker_token) {
        # TODO: Puppet-based PKI / automatic join token retrieval
        # Worker: join the Swarm run by the primary host using the supplied
        # token. String[1] already excludes '', so this branch is taken
        # whenever $worker_token is defined.
        docker::swarm { $cfweb::cluster:
            ensure         => present,
            init           => false,
            advertise_addr => $cfweb::internal_addr,
            listen_addr    => $cfweb::internal_addr,
            manager_ip     => $cfweb::primary_internal_host,
            token          => $worker_token,
        }
    } else {
        # Secondary without a token: refuse to compile rather than leave the
        # node outside the Swarm silently.
        fail("Please manually set \$worker_token for secondary nodes for now.\nUse 'docker swarm join-token'")
    }

    # Firewall integration
    # ---
    # Both settings are preconditions for the rules below; the catalog
    # fails instead of silently enabling them.
    if ! $cfnetwork::is_router {
        fail("Docker requires \$cfnetwork::is_router=true")
    }

    if ! $cfnetwork::sysctl::enable_bridge_filter {
        fail("Docker requires \$cfnetwork::sysctl::enable_bridge_filter=true")
    }

    # Just make firewall aware of such interfaces
    # Register Docker's default bridge (docker0) and the Swarm gateway
    # bridge (docker_gwbridge) with cfnetwork. Both share one Debian
    # interface template. NOTE(review): the addresses are hard-coded here;
    # if dockerbase changes the daemon's bip/address pools they will be out
    # of sync — confirm against cfweb::internal::dockerbase.
    cfnetwork::iface { 'dockerbr':
        device          => 'docker0',
        debian_template => 'cfweb/docker_gwbridge_iface',
        address         => '172.17.0.1/16',
    }
    cfnetwork::iface { 'docker':
        device          => 'docker_gwbridge',
        debian_template => 'cfweb/docker_gwbridge_iface',
        address         => '172.18.0.1/16',
    }

    # allow docker-proxy
    # Root may originate connections on any port over both bridges. This is
    # a broad allow; NOTE(review): if the userland proxy is not in use it
    # could probably be narrowed — verify against the dockerbase options.
    cfnetwork::client_port { [
        'dockerbr:allports:root',
        'docker:allports:root',
    ]:
        user => root,
    }
    # Forward DNS from either bridge to any destination, presumably so
    # containers can resolve names.
    cfnetwork::router_port { [
        'dockerbr/any:dns',
        'docker/any:dns',
    ]: }
}