Added support to expose docker-api via tcp

[monsdar]

Added a var that enables to exposure of the docker API via TCP

Issue #344

[konstruktoid]

This will only add an option regarding the unsafe tcp, I think it would be more proper to update the documentation on how to enable it.

Otherwise, we'll soon see an issue regarding tls support.

[monsdar]

I think it would be more proper to update the documentation on how to enable it.

With "it" you mean adding to the Readme how to enable secure TLS as well?

Regarding adding it to the role: I do not have an environment available to test this out, but I can add the right vars if that helps...

[konstruktoid]

Yeah, a short guide how to change the template and using the template path variable to enable tcp://.
No need to show how to generate certificate and such, just point to the official documentation.

[monsdar]

Done, let me know if this is enough info for someone to get the right idea

[konstruktoid]

Can you add docker_expose_docker_api_via_tcp: true to https://github.com/konstruktoid/ansible-role-docker-rootless/blob/main/molecule/default/molecule.yml#L41 and https://github.com/konstruktoid/ansible-role-docker-rootless/blob/main/molecule/default/molecule.yml#L59 so it will be included when testing?

[konstruktoid]

Basic test.

diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index d5241a1..7d10b7a 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -88,6 +88,8 @@
           register: ps_dockerd
           changed_when: docker_user[:7] not in ps_dockerd.stdout
           failed_when: docker_user[:7] not in ps_dockerd.stdout
+          when:
+            - not docker_expose_docker_api_via_tcp
 
         - name: Verify docker_rootless.sh
           ansible.builtin.stat:
@@ -178,6 +180,20 @@
         delay: 10
         timeout: 120
 
+    - name: Verify tcp exposure
+      become: true
+      ansible.builtin.shell:
+        cmd: |
+          set -o pipefail
+          ss -ltnp | grep '\:2375.*rootlesskit'
+      args:
+        executable: /bin/bash
+      register: tcp_exposure
+      changed_when: false
+      failed_when: tcp_exposure.rc != 0
+      when:
+        - docker_expose_docker_api_via_tcp
+
     - name: Ensure no docker-compose.yml exists
       become: true
       become_user: "{{ docker_user }}"

[monsdar]

All done 👍

[konstruktoid]

this will actually add the configuration to the Docker daemon running as root, what you need to do is add the service file to the docker_user, see https://github.com/konstruktoid/ansible-role-docker-rootless/blob/main/tasks/docker_install_rootless.yml#L80-L87

[monsdar]

Sorry, I don't get what's the request :/

[konstruktoid]

your PR works when running in rootless mode, but in order for it to work in rootles, you'll need to add the user service file to the rootful installastion. https://github.com/konstruktoid/ansible-role-docker-rootless/blob/main/tasks/docker_install_rootless.yml#L80-L87 -> https://github.com/konstruktoid/ansible-role-docker-rootless/blob/main/tasks/docker_install_rootful.yml