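#!/usr/bin/env bash
#
# Install Docker CE from download.docker.com on a Debian "bookworm" host and
# write /etc/docker/daemon.json from the DOCKER_OPT list below (applied with jq).
#
# Must run as root: it edits /etc/apt, /etc/docker and /etc/rc.conf and runs
# apt-get. Re-running is intended to be safe: the key import, the apt proxy
# bypass and the /etc/rc.conf edit all check before they write.
#
# Changes from the earlier revision (all behaviour-affecting ones are commented
# at the line):
#   - strict mode: a failed key download used to leave an empty keyring behind
#     and the script carried on; it now aborts.
#   - repository key lives in /etc/apt/keyrings, not /etc/apt/trusted.gpg.d.
#   - the apt proxy bypass test was inverted and is now written once.
#   - --force-yes dropped (it disables apt's package signature checks).
#   - daemon.json is rewritten through mktemp next to the target, not a fixed
#     /tmp name.

set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

[[ ${EUID} -eq 0 ]] || die "this script must run as root"

URL="download.docker.com"
RELEASE_NAME="bookworm"

# Install docker
set -x

# echo "deb http://apt.dockerproject.org/repo debian-stretch main" >> /etc/apt/sources.list.d/docker.list

# Prerequisites first: curl and gnupg2 are needed to fetch and import the
# repository key below, and jq to edit daemon.json at the end.
apt-get update
apt-get install -y \
  apt-transport-https \
  ca-certificates \
  curl \
  pass \
  gnupg2 \
  jq \
  software-properties-common

# Keep the repository key OUT of /etc/apt/trusted.gpg.d: every key in that
# directory is trusted for *all* repositories, which defeats the signed-by=
# restriction placed on the docker source below.
KEY_DIR=/etc/apt/keyrings
KEY=${KEY_DIR}/docker.gpg
mkdir -p "${KEY_DIR}"
KEY_URL="https://${URL}/linux/debian/gpg"
# --batch --yes: without them gpg prompts (or fails) when the keyring already
# exists, so the script was not re-runnable. pipefail makes a curl failure
# fatal instead of dearmoring an empty stream into ${KEY}.
curl -fsSL "${KEY_URL}" | gpg --dearmor --batch --yes -o "${KEY}"
chmod 0644 "${KEY}"

ARCH=$(dpkg --print-architecture)

mkdir -p /etc/apt/sources.list-available
cat >/etc/apt/sources.list-available/docker.list <<EOF
deb [arch=${ARCH} signed-by=${KEY}] https://${URL}/linux/debian ${RELEASE_NAME} stable
EOF

ln -sf /etc/apt/sources.list-available/docker.list /etc/apt/sources.list.d/docker.list

# Bypass apt-proxy for docker packages.
# The previous test appended only when the host was *already* listed, so the
# bypass was never written on a fresh host and was duplicated on every re-run.
# Uses the per-host form documented in apt.conf(5).
PROXY_CONF=/etc/apt/apt.conf.d/02proxy
if [[ -f "${PROXY_CONF}" ]] && ! grep -q -- "${URL}" "${PROXY_CONF}"; then
  printf 'Acquire::http::Proxy::%s "DIRECT";\n' "${URL}" >>"${PROXY_CONF}"
fi

# Refresh package lists so the docker-ce packages from the new source can be
# located (the install below fails with "unable to locate package" otherwise).
apt-get update

# Distro-packaged docker may be absent or unknown on this host; that must not
# abort the run under set -e.
apt-get remove -y docker docker-engine docker.io containerd runc || true

apt-get install -y \
  docker-ce \
  docker-ce-cli \
  containerd.io \
  docker-compose-plugin \
  docker-buildx-plugin \
  python3-docker \
  python3-compose
# apt install -y --force-yes docker-engine=1.9.1-0~jessie

# mkdir -p /var/lib/docker
# umount /dev/mapper/vg_prime-varLibDockerLV
# mount /dev/mapper/vg_prime-varLibDockerLV /var/lib/docker

## /etc/default/docker
## NB. We use the /etc/docker/daemon.json instead of this file. Options cannot be set in both.
# bash -c 'perl -p -i -e "s/#DOCKER_RUN_OPTS=\"\"/DOCKER_RUN_OPTS=\"--restart=true\"/g" /etc/default/docker'
# bash -c 'sed -i "s|DOCKER_RUN_OPTS=\"\(.*\)\"|DOCKER_RUN_OPTS=\"\1 --storage-driver=zfs\"|" /etc/default/docker'
# bash -c 'sed -i "s|DOCKER_RUN_OPTS=\"\(.*\)\"|DOCKER_RUN_OPTS=\"\1 --dns 52.174.55.168 --dns 188.165.200.156\"|" /etc/default/docker'
# bash -c 'sed -i "s|DOCKER_RUN_OPTS=\"\(.*\)\"|DOCKER_RUN_OPTS=\"\1 zfs.fsname=rpool/docker\"|" /etc/default/docker'
# bash -c " sed -i '/^DOCKER_RUN.*/ s/^/#/' /etc/default/docker"

# enable experimental features - done in /etc/docker/daemon.json below.
# bash -c 'sed -i "/^# Docker Upstart.*/ s/.*/&\nDOCKER_CLI_EXPERIMENTAL=enabled/" /etc/default/docker'
# bash -c " sed -i '/^DOCKER_CLI_EXPERIMENTAL=.*/ s/^/#/' /etc/default/docker"

# enable buildkit builds - done in /etc/docker/daemon.json below.
# bash -c 'sed -i "/^# Docker Upstart.*/ s/.*/&\nDOCKER_BUILDKIT=1/" /etc/default/docker'
# bash -c " sed -i '/^DOCKER_BUILDKIT.*/ s/^/#/' /etc/default/docker"

# i2p container requires ipv6 - done in /etc/docker/daemon.json below.
#bash -c 'sed -i "s|DOCKER_RUN_OPTS=\"\(.*\)\"|DOCKER_RUN_OPTS=\"\1 --ipv6\"|" /etc/default/docker'

# The above can also be passed in /etc/docker/daemon.json
# For other options:
# http://github.com/moby/moby/pull/23657/files?short_path=ca4f406
# https://gist.github.com/lvdh/1f2d50ad49274413d3e501b71a59e819
DAEMON_JSON=/etc/docker/daemon.json
mkdir -p /etc/docker
if [[ ! -f "${DAEMON_JSON}" ]]; then
  # Start from an empty object so every jq assignment below has something to
  # operate on (jq errors on an empty input file).
  echo "{}" >"${DAEMON_JSON}"
else
  echo "/etc/docker/daemon.json exists."
fi

## Default configuration file on linux:
## /etc/docker/daemon.json

# DOCKER_RUN_OPTS="
# --storage-driver=zfs
# --dns 52.174.55.168
# --dns 188.165.200.156
# zfs.fsname=rpool/docker
# --ipv6"

# Note: You cannot set options in daemon.json that have already been set on daemon startup as
# a flag in /etc/default/docker the docker daemon will refuse to start.
#
## This is a full example of the allowed configuration options on Linux:
## https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file
## See /var/tmp/automate/docker_daemon-writer.sh for complete jq example.

# NB live-restore is incompatible with swarm mode.

# Each entry is one jq assignment applied, in order, to daemon.json.
# Indexed (not associative) array: the loop below iterates the values, so a
# gap left by a commented-out entry no longer truncates the list.
declare -a DOCKER_OPT
DOCKER_OPT[0]='.["dns"] = ["1.1.1.1","1.0.0.1"]'
DOCKER_OPT[1]='.["live-restore"] = false'
DOCKER_OPT[2]='.["storage-driver"] = "zfs"'
DOCKER_OPT[3]='.["storage-opts"] = ["zfs.fsname=rpool/docker"]'
DOCKER_OPT[4]='.["ipv6"] = false'
DOCKER_OPT[5]='.["insecure-registries"] = ["soleine.lan:5000"]'
DOCKER_OPT[6]='.["features"] = {"buildkit": true}'
DOCKER_OPT[7]='.["exec-opts"] = ["native.cgroupdriver=cgroupfs"]' # if omitted docker defaults to cgroupfs v1 and docker exec will fail, /etc/rc.conf rc_cgroup_mode="unified"
# NOTE: a plain tcp:// entry in "hosts" gives anyone who can reach that port
# root-equivalent control of the machine; only enable it together with the
# tls/tlsverify settings described further down.
#DOCKER_OPT[8]='.["hosts"] = ["fd://","unix:///var/run/docker.sock","tcp://0.0.0.0:2376"]'
#DOCKER_OPT[9]='.["experimental"] = true'

# Change /etc/rc.conf to set cgroup v2 (OpenRC). Insert the line only once:
# the unguarded sed appended another rc_cgroup_mode line on every run.
if [[ -f /etc/rc.conf ]] && ! grep -q '^rc_cgroup_mode="unified"' /etc/rc.conf; then
  sed -i '/^#rc_cgroup_mode=.*/ s/.*/&\nrc_cgroup_mode=\"unified\"/' /etc/rc.conf
fi

for OPTION in "${DOCKER_OPT[@]}"; do
  # Write the new file beside the target via mktemp (same filesystem, unpredictable
  # name) instead of the fixed /tmp/daemon.json.new, which any local user could
  # pre-create or symlink. chmod restores the 0644 the old redirect produced;
  # mv -b keeps a backup of the previous daemon.json as before.
  NEW_JSON=$(mktemp "${DAEMON_JSON}.XXXXXX")
  if jq "${OPTION}" "${DAEMON_JSON}" >"${NEW_JSON}"; then
    chmod 0644 "${NEW_JSON}"
    mv -b "${NEW_JSON}" "${DAEMON_JSON}"
  else
    # Previously a jq failure was skipped silently, leaving daemon.json partially
    # configured; now it is fatal and reported.
    rm -f -- "${NEW_JSON}"
    die "jq failed applying option: ${OPTION}"
  fi
done

# General options
## Adding a personal registry.
#DOCKER_OPT[0]='.["insecure-registries"] = ["mydocker-registry.net:5000"]'
## Allow live restore, keep containers alive when the daemon becomes unavailable.
## Not compatible with swarm mode.
#DOCKER_OPT[1]='.["live-restore"] = ["true"]'
## Debugging on
#DOCKER_OPT[2]='.["debug"] = ["true"]'
## IPv6 for i2p container
#DOCKER_OPT[3]='.["ipv6"] = ["true"]'
## Logging options
#DOCKER_OPT[4]='.["log-driver"] = ["syslog"]'
##DOCKER_OPT[4]='.["log-opts"] = ["syslog-address","udp://1.2.3.4:1111"]'
#
#for ((i = 0; i < ${#DOCKER_OPT[@]}; ++i)); do
# OPTION="${DOCKER_OPT[$i]}"
# jq "${OPTION}" /etc/docker/daemon.json > /tmp/daemon.json.new && \
# mv -b /tmp/daemon.json.new /etc/docker/daemon.json
#done

## Use TLS (HTTPS) to protect the Docker daemon socket instead of SSH
# This is something we usually do with letsencrypt
# https://docs.docker.com/engine/security/protect-access/
# Should be on the same dataset as the docker rpool (/var/lib/docker)
# TLS_HOME="/var/lib/docker/certs.d"
# KEYNAME="server"
# TLSHOSTS="tcp://192.168.59.3:2376"
#
# mkdir -p ${TLS_HOME}
#{
# "debug": true,
# "tls": true,
# "tlscert": "/var/docker/server.pem",
# "tlskey": "/var/docker/serverkey.pem",
# "hosts": ["tcp://192.168.59.3:2376"]
#}
#DOCKER_OPT[9]='.["tls"] = true'
#DOCKER_OPT[10]=".["tlscert"] = "${TLS_HOME}/${KEYNAME}.pem""
#DOCKER_OPT[11]=".["tlskey"] = "${TLS_HOME}/${KEYNAME}key.pem""
#DOCKER_OPT[12]=".["hosts"] = ["${TLSHOSTS}"]"

# Replace all instances of $HOST in the following with the DNS name of your
# Docker daemon's host.

## Change the subj line to reflect your details for key generation and uncomment
## above to turn tls on.
#openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 \
# -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=${HOST}" \
# -keyout ${TLS_HOME}/${KEYNAME}_key.pem \
# -out ${TLS_HOME}/${KEYNAME}.pem

# Add tls - we keep the keys on the docker zfs dataset not /etc/docker/tls
# "tls" alone only encrypts; "tlsverify" with "tlscacert" is what makes the
# daemon reject clients that do not present a certificate signed by that CA.
#DOCKER_OPT[0]='.["tls"] = ["true"]'
#DOCKER_OPT[1]='.["tlscacert"] = ["${TLS_HOME}/ca.pem"]'
#DOCKER_OPT[2]='.["tlscert"] = ["${TLS_HOME}/${KEYNAME}.pem"]'
#DOCKER_OPT[3]='.["tlskey"] = ["${TLS_HOME}/${KEYNAME}_key.pem"]'
#DOCKER_OPT[4]='.["tlsverify"] = ["true"]'
#DOCKER_OPT[5]='.["hosts"] = ["tcp://192.168.59.3:2376"]'

#for ((i = 0; i < ${#DOCKER_OPT[@]}; ++i)); do
# OPTION="${DOCKER_OPT[$i]}"
# jq "${OPTION}" /etc/docker/daemon.json > /tmp/daemon.json.new && \
# mv -b /tmp/daemon.json.new /etc/docker/daemon.json
#done

## Something similar to set up a swarm
#DOCKER_OPT[0]='.["cluster-advertise"] = "192.168.1.116:12376"'
#DOCKER_OPT[1]='.["cluster-store"] = "etcd://192.168.1.116:12379"'
#DOCKER_OPT[2]='.["cluster-store-opts"] = { "kv.cacertfile" : "/var/lib/docker/discovery_certs/ca.pem", "kv.certfile" : "/var/lib/docker/discovery_certs/cert.pem", "kv.keyfile" : "/var/lib/docker/discovery_certs/key.pem" }'
#for ((i = 0; i < ${#DOCKER_OPT[@]}; ++i)); do
# OPTION="${DOCKER_OPT[$i]}"
# jq "${OPTION}" /etc/docker/daemon.json > /tmp/daemon.json.new && \
# mv -b /tmp/daemon.json.new /etc/docker/daemon.json
#done

# Membership of the docker group is equivalent to root on this host (the socket
# can start privileged containers); grant it deliberately, per user.
#groupadd docker
#usermod -aG docker $USER
#gpasswd -a "$USER_NAME" docker
#newgrp docker

#/etc/init.d/docker restart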