automate/020_docker.sh

#!/usr/bin/env bash

URL="download.docker.com"
RELEASE_NAME="bullseye"

# Install docker
set -x 
#echo '#bash -c "apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D"' >  /etc/apt/sources.list.d/docker.list
#echo "deb http://apt.dockerproject.org/repo debian-stretch main" >> /etc/apt/sources.list.d/docker.list 

mkdir -p /etc/apt/sources.list-available
echo "#bash -c "curl -fsSL https://${URL}/linux/debian/gpg | apt-key add -"" >  /etc/apt/sources.list-available/docker.list
echo "deb https://${URL}/linux/debian ${RELEASE_NAME} stable" >> /etc/apt/sources.list-available/docker.list

ln -sf /etc/apt/sources.list-available/docker.list /etc/apt/sources.list.d/docker.list

#bash -c "apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D"
bash -c "curl -fsSL https://${URL}/linux/debian/gpg | apt-key add -"

bash -c "apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7EA0A9C3F273FCD8"


# Bypass apt-proxy for brave packages
if [ -f /etc/apt/apt.conf.d/02proxy ]; then
	if [ ! -z $(grep ${URL} /etc/apt/apt.conf.d/02proxy) ]; then
		echo "Acquire::http::Proxy { \"${URL}\" DIRECT; };" >> /etc/apt/apt.conf.d/02proxy
	fi
fi

apt update
apt install -y --force-yes jq
apt remove -y docker docker-engine docker.io containerd runc
apt install -y \
    apt-transport-https \
    ca-certificates \
    curl \
    pass \
    gnupg2 \
    software-properties-common
apt install -y docker-ce docker-ce-cli containerd.io docker-compose
#apt install -y --force-yes docker-engine=1.9.1-0~jessie

#mkdir -p /var/lib/docker
#umount /dev/mapper/vg_prime-varLibDockerLV 
#mount /dev/mapper/vg_prime-varLibDockerLV /var/lib/docker

## /etc/default/docker 
## NB. We use the /etc/docker/daemon.json instead of this file. Options cannot be set in both.
#bash -c 'perl -p -i -e "s/#DOCKER_RUN_OPTS=\"\"/DOCKER_RUN_OPTS=\"--restart=true\"/g"  /etc/default/docker'
#bash -c 'sed -i "s|DOCKER_RUN_OPTS=\"\(.*\)\"|DOCKER_RUN_OPTS=\"\1 --storage-driver=zfs\"|" /etc/default/docker'
#bash -c 'sed -i "s|DOCKER_RUN_OPTS=\"\(.*\)\"|DOCKER_RUN_OPTS=\"\1 --dns 52.174.55.168 --dns 188.165.200.156\"|" /etc/default/docker'
#bash -c 'sed -i "s|DOCKER_RUN_OPTS=\"\(.*\)\"|DOCKER_RUN_OPTS=\"\1 zfs.fsname=rpool/docker\"|" /etc/default/docker'
bash -c " sed -i '/^DOCKER_RUN.*/    s/^/#/' /etc/default/docker"

# enable experimental features - done in /etc/docker/daemon.json below.
# bash -c 'sed -i "/^# Docker Upstart.*/ s/.*/&\nDOCKER_CLI_EXPERIMENTAL=enabled/" /etc/default/docker'
bash -c " sed -i '/^DOCKER_CLI_EXPERIMENTAL=.*/    s/^/#/' /etc/default/docker"

# enable buildkit builds - done in /etc/docker/daemon.json below.
# bash -c 'sed -i "/^# Docker Upstart.*/ s/.*/&\nDOCKER_BUILDKIT=1/" /etc/default/docker'
bash -c " sed -i '/^DOCKER_BUILDKIT.*/    s/^/#/' /etc/default/docker"

# i2p container requires ipv6  - done in /etc/docker/daemon.json below.
#bash -c 'sed -i "s|DOCKER_RUN_OPTS=\"\(.*\)\"|DOCKER_RUN_OPTS=\"\1 --ipv6\"|" /etc/default/docker'

# The above can also be passed in /etc/docker/daemon.json
# For other options:
# http://github.com/moby/moby/pull/23657/files?short_path=ca4f406
# https://gist.github.com/lvdh/1f2d50ad49274413d3e501b71a59e819
mkdir -p /etc/docker
if [ ! -f /etc/docker/daemon.json ]
then
	touch /etc/docker/daemon.json
	echo "{}" > /etc/docker/daemon.json
else
	echo "/etc/docker/daemon.json exists."
fi

## Default configuration file on linux:
## /etc/docker/daemon.json
# FIXME: remove the options in /etc/default/docker and use /etc/docker/daemon.json instead.
# 
# DOCKER_RUN_OPTS="
#	--storage-driver=zfs 
#	--dns 52.174.55.168 
#	--dns 188.165.200.156 
#	zfs.fsname=rpool/docker 
#	--ipv6"

# Note: You cannot set options in daemon.json that have already been set on daemon startup as 
# a flag in /etc/default/docker the docker daemon will refuse to start.
#
## This is a full example of the allowed configuration options on Linux:
## https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file
## See /var/tmp/automate/docker_daemon-writer.sh for complete jq example.

# NB live-restore is incompatible with swarm mode.

declare -A DOCKER_OPT
DOCKER_OPT[0]='.["dns"] = ["69.164.196.21","94.247.43.254"]'
DOCKER_OPT[1]='.["live-restore"] = false'
DOCKER_OPT[2]='.["storage-driver"] = "zfs"'
DOCKER_OPT[3]='.["storage-opts"] = ["zfs.fsname=rpool/docker"]'
DOCKER_OPT[4]='.["ipv6"] = false'
DOCKER_OPT[5]='.["insecure-registries"] = ["soleine.lan:5000"]'
DOCKER_OPT[6]='.["features"] = {"buildkit": true}'
#DOCKER_OPT[7]='.["hosts"] = ["fd://","unix:///var/run/docker.sock","tcp://0.0.0.0:2376"]'
#DOCKER_OPT[8]='.["experimental"] = true'



for ((i = 0; i < ${#DOCKER_OPT[@]}; ++i)); do
	OPTION="${DOCKER_OPT[$i]}"
	jq "${OPTION}" /etc/docker/daemon.json > /tmp/daemon.json.new && \
		mv -b /tmp/daemon.json.new /etc/docker/daemon.json
done

# General options
## Adding a personal registry.
#DOCKER_OPT[0]='.["insecure-registries"] = ["mydocker-registry.net:5000"]'
## Allow live restore, keep containers alive when the daemon becomes unavailable.
## Not compatible with swarm mode.
#DOCKER_OPT[1]='.["live-restore"] = ["true"]'
## Debugging on
#DOCKER_OPT[2]='.["debug"] = ["true"]'
## IPv6 for i2p container
#DOCKER_OPT[3]='.["ipv6"] = ["true"]'
## Logging options
#DOCKER_OPT[4]='.["log-driver"] = ["syslog"]'
##DOCKER_OPT[4]='.["log-opts"] = ["syslog-address","udp://1.2.3.4:1111"]'
#
#for ((i = 0; i < ${#DOCKER_OPT[@]}; ++i)); do
#	OPTION="${DOCKER_OPT[$i]}"
#	jq "${OPTION}" /etc/docker/daemon.json > /tmp/daemon.json.new && \
#		mv -b /tmp/daemon.json.new /etc/docker/daemon.json
#done

# https://docs.docker.com/engine/security/protect-access/
# Use TLS (HTTPS) to protect the Docker daemon socket rather than ssh.
# FIXME: Should be on the same dataset as the docker rpool (/var/lib/docker)
TLS_HOME="/var/lib/docker/certs.d"
KEYNAME="server"
TLSHOSTS="tcp://192.168.59.3:2376"

mkdir -p ${TLS_HOME}
#{
#  "debug": true,
#  "tls": true,
#  "tlscert": "/var/docker/server.pem",
#  "tlskey": "/var/docker/serverkey.pem",
#  "hosts": ["tcp://192.168.59.3:2376"]
#}
#DOCKER_OPT[9]='.["tls"] = true'
#DOCKER_OPT[10]=".["tlscert"] = "${TLS_HOME}/${KEYNAME}.pem""
#DOCKER_OPT[11]=".["tlskey"] = "${TLS_HOME}/${KEYNAME}key.pem""
#DOCKER_OPT[12]=".["hosts"] = ["${TLSHOSTS}"]"

# Replace all instances of $HOST in the following with the DNS name of your 
# Docker daemon’s host.

## Change the subj line to reflect your details for key generation and uncomment 
## above to turn tls on.
#openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 \
#	-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=${HOST}" \
#	-keyout ${TLS_HOME}/${KEYNAME}_key.pem \
#	-out ${TLS_HOME}/${KEYNAME}.pem

# Add tls - we keep the keys on the docker zfs dataset not /etc/docker/tls
#DOCKER_OPT[0]='.["tls"] = ["true"]'
#DOCKER_OPT[1]='.["tlscacert"] = ["${TLS_HOME}/ca.pem"]'
#DOCKER_OPT[2]='.["tlscert"] = ["${TLS_HOME}/${KEYNAME}.pem"]'
#DOCKER_OPT[3]='.["tlskey"] = ["${TLS_HOME}/${KEYNAME}_key.pem"]'
#DOCKER_OPT[4]='.["tlsverify"] = ["true"]'
#DOCKER_OPT[5]='.["hosts"] = ["tcp://192.168.59.3:2376"]' 

#for ((i = 0; i < ${#DOCKER_OPT[@]}; ++i)); do
#	OPTION="${DOCKER_OPT[$i]}"
#	jq "${OPTION}" /etc/docker/daemon.json > /tmp/daemon.json.new && \
#		mv -b /tmp/daemon.json.new /etc/docker/daemon.json
#done

## Something similar to set up a swarm
#DOCKER_OPT[0]='.["cluster-advertise"] = "192.168.1.116:12376"'
#DOCKER_OPT[1]='.["cluster-store"] = "etcd://192.168.1.116:12379"'
#DOCKER_OPT[2]='.["cluster-store-opts"] = { "kv.cacertfile" : "/var/lib/docker/discovery_certs/ca.pem", "kv.certfile" : "/var/lib/docker/discovery_certs/cert.pem", "kv.keyfile" : "/var/lib/docker/discovery_certs/key.pem" }'
#for ((i = 0; i < ${#DOCKER_OPT[@]}; ++i)); do
#	OPTION="${DOCKER_OPT[$i]}"
#	jq "${OPTION}" /etc/docker/daemon.json > /tmp/daemon.json.new && \
#		mv -b /tmp/daemon.json.new /etc/docker/daemon.json
#done

#groupadd docker
#usermod -aG docker $USER
#gpasswd -a "$USER_NAME" docker
#newgrp docker

#/etc/init.d/docker restart