diff --git a/roles/container-engine/docker/templates/docker-options.conf.j2 b/roles/container-engine/docker/templates/docker-options.conf.j2
index 296f5a8a1..3ce40087c 100644
--- a/roles/container-engine/docker/templates/docker-options.conf.j2
+++ b/roles/container-engine/docker/templates/docker-options.conf.j2
@@ -1,5 +1,15 @@
 [Service]
-Environment="DOCKER_OPTS={{ docker_options|default('') }} --iptables={{ docker_iptables_enabled | default('false') }}"
+Environment="DOCKER_OPTS={{ docker_options|default('') }} --iptables={{ docker_iptables_enabled | default('false') }} \
+{% for i in docker_insecure_registries %}--insecure-registry={{ i }} {% endfor %} \
+{% for i in docker_registry_mirrors %}--registry-mirror={{ i }} {% endfor %} \
+{% if docker_version != "latest" and docker_version is version('17.05', '<') %}--graph={% else %}--data-root={% endif %}{{ docker_daemon_graph }} \
+{% if ansible_os_family not in ["openSUSE Leap", "openSUSE Tumbleweed", "Suse"] %}{{ docker_log_opts }}{% endif %} \
+{% if ansible_architecture == "aarch64" and ansible_os_family == "RedHat" %} \
+--add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
+--default-runtime=docker-runc --exec-opt native.cgroupdriver=systemd \
+--userland-proxy-path=/usr/libexec/docker/docker-proxy-current --signature-verification=false \
+{% endif %}"
+
 {% if docker_mount_flags is defined and docker_mount_flags != "" %}
 MountFlags={{ docker_mount_flags }}
 {% endif %}
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index f20bdf346..fd42eb3f5 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
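Review bot: `--signature-verification=false` in the aarch64/RedHat branch of docker-options.conf.j2 is now hard-coded in the template, so it is appended after whatever the operator puts in `docker_options` and can no longer be dropped by overriding that variable, as it could while it lived in the `docker_options` default that this commit removes from roles/kubespray-defaults/defaults/main.yaml. The flag name indicates it switches off a signature check in the Red Hat docker package (its exact effect is not visible here), so it should sit behind its own boolean default, or at least be called out in the role's documentation. Separately, the two `for` loops insert list entries unescaped into the quoted `Environment=` value, so an entry containing whitespace or `"` would alter the daemon's option list; checking that each entry is a plain host[:port] or URL before templating would keep a typo from turning into an extra flag.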
@@ -220,17 +220,18 @@ docker_iptables_enabled: "false" # Rotate container stderr/stdout logs at 50m and keep last 5 docker_log_opts: "--log-opt max-size=50m --log-opt max-file=5" -## An obvious use case is allowing insecure-registry access to self hosted registries. -## Can be ipaddress and domain_name. -## example define 172.19.16.11 or mirror.registry.io +## A list of insecure docker registries (IP address or domain name), for example +## to allow insecure-registry access to self-hosted registries. Empty by default. # docker_insecure_registries: # - mirror.registry.io # - 172.19.16.11 +docker_insecure_registries: [] -## Add other registry,example China registry mirror. +## A list of additional registry mirrors, for example China registry mirror. Empty by default. # docker_registry_mirrors: # - https://registry.docker-cn.com # - https://mirror.aliyuncs.com +docker_registry_mirrors: [] ## If non-empty will override default system MounFlags value. ## This option takes a mount propagation flag: shared, slave 
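Review bot: The new comment on `docker_insecure_registries` says what the list holds but not what listing a host costs. Per the template change in this commit each entry becomes `--insecure-registry=<entry>`, and Docker then skips TLS certificate verification for that registry and may fall back to plain HTTP. I would add a line such as `## Pulls from these hosts are not protected by TLS verification; prefer installing the registry's CA certificate where possible.` above the commented example. A similar line on `docker_registry_mirrors`, noting that mirrors serve image content and should be `https://` endpoints the operator trusts, would also help.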
@@ -240,24 +241,7 @@ docker_log_opts: "--log-opt max-size=50m --log-opt max-file=5" # docker_mount_flags: ## A string of extra options to pass to the docker daemon. -## This string should be exactly as you wish it to appear. -docker_options: >- - {%- if docker_insecure_registries is defined %} - {{ docker_insecure_registries | map('regex_replace', '^(.*)$', '--insecure-registry=\1' ) | list | join(' ') }} - {%- endif %} - {% if docker_registry_mirrors is defined %} - {{ docker_registry_mirrors | map('regex_replace', '^(.*)$', '--registry-mirror=\1' ) | list | join(' ') }} - {%- endif %} - {%- if docker_version != "latest" and docker_version is version('17.05', '<') %} - --graph={{ docker_daemon_graph }} {% if ansible_os_family not in ["openSUSE Leap", "openSUSE Tumbleweed", "Suse"] %}{{ docker_log_opts }}{% endif %} - {%- else %} - --data-root={{ docker_daemon_graph }} {% if ansible_os_family not in ["openSUSE Leap", "openSUSE Tumbleweed", "Suse"] %}{{ docker_log_opts }}{% endif %} - {%- endif %} - {%- if ansible_architecture == "aarch64" and ansible_os_family == "RedHat" %} - --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current - --default-runtime=docker-runc --exec-opt native.cgroupdriver=systemd - --userland-proxy-path=/usr/libexec/docker/docker-proxy-current --signature-verification=false - {%- endif -%} +# docker_options: "" ## A list of plugins to install using 'docker plugin install --grant-all-permissions' ## Empty by default so no plugins will be installed.
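Review bot: The surviving comment for `docker_options` no longer tells operators that the registry, `--graph`/`--data-root`, log and aarch64 flags are now appended by docker-options.conf.j2. An inventory that overrides `docker_options` with a copy of the old default will presumably end up with those flags twice on the daemon command line, with the template's values coming last. Suggest extending the comment, e.g. `## Registry, data-root and log options are added by the template; do not repeat them here.`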