Install docker in the production environment
Categories
(Developer Services :: General, task)
Tracking
(Not tracked)
People
(Reporter: u587052, Assigned: mhentges)
Attachments
(3 files)
To prepare for 1598958, we need to have the production environment be able to run docker containers. This ticket involves the ansible configuration to install docker, as well as the actual deployment of that installation to our production machines.
To test the docker-installation ansible job, Connor mentioned that we might be able to spool up a temporary EC2 instance and point ansible at it.
I'm interested in handling this if nobody else already has their eyes on slurping this up
Updated•6 years ago (Assignee)
Comment 2•6 years ago (Assignee)
Looking into our ansible logic in version-control-tools, I've gone ahead and added geerlingguy.docker to our vendor-roles.
Theoretically, this could be as easy as adding geerlingguy.docker to the roles: section of docker-hgweb and docker-hgmaster. However, these machines are already associated with roles with "docker" in the name (docker-hg-web, docker-hg-ssh). This is confusing to me, because:
- Due to the name, it sounds like these existing roles already install/require docker
- When looking in the existing docker-... roles, I couldn't find any logic to install docker. So, they don't use docker yet?
Finally, I'd like to test the docker vendor role that I installed. Can I get access to our Amazon account so I can spool up an EC2 machine with the right AMI?
TL;DR, NI'd for two reasons:
- Do the hg machines already have docker?
- Can I get access to amazon?
Comment 3•6 years ago
(In reply to Mitchell Hentges [:mhentges] from comment #2)
> Looking into our ansible logic in version-control-tools, I've gone ahead and added geerlingguy.docker to our vendor-roles.
> Theoretically, this could be as easy as adding geerlingguy.docker to the roles: section of docker-hgweb and docker-hgmaster. However, these machines are already associated with roles with "docker" in the name (docker-hg-web, docker-hg-ssh). This is confusing to me, because:
> - Due to the name, it sounds like these existing roles already install/require docker
> - When looking in the existing docker-... roles, I couldn't find any logic to install docker. So, they don't use docker yet?
> Finally, I'd like to test the docker vendor role that I installed. Can I get access to our Amazon account so I can spool up an EC2 machine with the right AMI?
> TL;DR, NI'd for two reasons:
> - Do the hg machines already have docker?
> - Can I get access to amazon?
docker-* is the Ansible role applied to docker containers in the docker based test environment. When you build the docker based test images you basically apply these roles to the base Centos7 docker image. You'll notice in the meta that these roles apply the production role (i.e. docker-hg-web applies hg-web as part of its dependencies). Any test-environment specific changes (adding test files, changing production config values to test values, etc) happen there as well. Hope that clears things up.
How difficult would it be to install docker in our own role? I would think it's rather straightforward (probably just yum install docker plus add a few users). Are there advantages to using the third-party role?
I'll set up AWS access for you tomorrow. :)
Comment 4•6 years ago (Assignee)
I saw that we had two other third-party roles (geerlingguy.java, geerlingguy.jenkins), so I cargo-culted the third in.
I don't think that it will be as easy as a yum install docker since there's a systemd service and group management involved, but it shouldn't be too spicy, either.
I'll write a minimal docker role tomorrow :+1:
(note: are the other third-party roles used? I couldn't find a usage, so I'll happily trash them in a separate patch)
Comment 5•6 years ago
(In reply to Mitchell Hentges [:mhentges] from comment #4)
> (note: are the other third-party roles used? I couldn't find a usage, so I'll happily trash them in a separate patch)
Doesn't look like it - the annotate for ansible/vendor-roles/requirements.yml suggests they were added in the mozreview days and weren't torn out after.
Comment 6•6 years ago
Sent Mitch his credentials securely via Slack (FF-Send link).
Comment 7•6 years ago (Assignee)
Adds role to install docker community edition and enable the systemd service. I tested it against the CentOS 7 AMI.
The role was also added to be a dependency of hg-web and hg-ssh.
Pushed by mhentges@mozilla.com:
https://hg.mozilla.org/hgcustom/version-control-tools/rev/d5ce3e62e9f3
ansible: adds docker for hg-web and hg-ssh r=sheehan
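A sketch of what a minimal Docker CE role for CentOS 7 can look like, covering the repository, the systemd service and the group management mentioned in the thread. This is an added example, not the role that landed in version-control-tools; the file path and the `docker_group_users` variable are assumptions.

```yaml
# roles/docker/tasks/main.yml (hypothetical path; constructed example)
# docker_group_users is an assumed role variable; it defaults to an empty list.
---
- name: add the Docker CE yum repository with package signature checks
  yum_repository:
    name: docker-ce-stable
    description: Docker CE Stable
    baseurl: https://download.docker.com/linux/centos/7/$basearch/stable
    gpgcheck: yes
    gpgkey: https://download.docker.com/linux/centos/gpg
    enabled: yes

- name: install Docker CE
  yum:
    name:
      - docker-ce
      - docker-ce-cli
      - containerd.io
    state: present

- name: ensure the docker group exists
  group:
    name: docker
    state: present

# Members of the docker group can drive the daemon socket, which is
# root-equivalent on the host, so the list is explicit and empty by default.
- name: add only the listed accounts to the docker group
  user:
    name: "{{ item }}"
    groups: docker
    append: yes
  loop: "{{ docker_group_users | default([]) }}"

- name: enable and start the docker systemd service
  systemd:
    name: docker
    enabled: yes
    state: started

# To make it a dependency of another role, that role's meta/main.yml
# would list it, e.g.:
#   dependencies:
#     - docker
```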
Comment 9•6 years ago (Assignee)
It was previously implicit that, if "/vct" existed, we were running in a test environment.
By using a dedicated variable to represent this fact ("is_testing"), we can simplify the logic here
Depends on D58173
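The change described in comment 9, shown as a before/after tasks fragment. This is an added illustration, not the code from the patch; the task names, the copied file and its destination are hypothetical, and only `/vct` and `is_testing` come from the comment.

```yaml
# Constructed fragment; task names and file paths are hypothetical.

# Before: the environment is inferred from a directory existing on the host.
# Any production machine that happens to have /vct is treated as a test box.
- name: check whether /vct exists
  stat:
    path: /vct
  register: vct_dir

- name: install test-only settings (implicit check)
  copy:
    src: test-settings.conf
    dest: /etc/example/settings.conf
  when: vct_dir.stat.exists

# After: the environment is stated explicitly by the inventory or playbook.
- name: fail early if the environment flag was never set
  assert:
    that:
      - is_testing is defined
    fail_msg: "is_testing must be set explicitly for every host"

- name: install test-only settings (explicit flag)
  copy:
    src: test-settings.conf
    dest: /etc/example/settings.conf
  when: is_testing | bool
```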
Comment 10•6 years ago
Comment 11•6 years ago (Assignee)
Some of our ansible roles are only used in local testing. We applied a convention to label these as docker-$thing,
but that is becoming confusing as we install Docker in production ("does this role apply to a place where we have
docker, or where we're running in docker, like our tests?").
By naming these as testing-$thing, we get two benefits:
- It's easier to tell at a glance that a role/playbook is only for the testing environment
- When attempting to use a role in production, you'll know if it's been written to assume a testing environment by its name
Comment 12•6 years ago