authorLeif Johansson <leifj@sunet.se>2015-03-06 09:41:00 +0100
committerLeif Johansson <leifj@sunet.se>2015-03-06 09:41:00 +0100
commitd0f8b25c768e1ed70e05b301868bf4527b6e9fb4 (patch)
tree5fc19da7b6ee258104888582239257051d68bdaa /global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
parentc2a8dcb2af31d640ffbfb3cf3f18d0c643a949f0 (diff)
sunet dockerhost stolen from eduid
Diffstat (limited to 'global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp')
-rw-r--r--global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp42
1 files changed, 42 insertions, 0 deletions
diff --git a/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
new file mode 100644
index 0000000..8df416b
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/sunet/manifests/docker_run.pp
@@ -0,0 +1,42 @@
+# Common use of docker::run
+define sunet::docker_run(
+ $image,
+ $imagetag = hiera('sunet_docker_default_tag', 'latest'),
+ $volumes = [],
+ $ports = [],
+ $env = [],
+ $net = 'bridge',
+ $extra_parameters = [],
+) {
+
+ # Make container use unbound resolver on dockerhost
+ # If docker was just installed, facter will not know the IP of docker0. Thus the pick.
+ $dns = $net ? {
+ 'host' => [], # docker refuses --dns with --net host
+ default => [pick($::ipaddress_docker0, '172.17.42.1')],
+ }
+
+ $image_tag = "${image}:${imagetag}"
+ docker::image { $image_tag : } ->
+
+ docker::run {$name :
+ use_name => true,
+ image => $image_tag,
+ volumes => flatten([$volumes,
+ '/etc/passwd:/etc/passwd:ro', # uid consistency
+ '/etc/group:/etc/group:ro', # gid consistency
+ ]),
+ ports => $ports,
+ env => $env,
+ net => $net,
+ extra_parameters => flatten([$extra_parameters,
+ '--rm',
+ ]),
+ dns => $dns,
+ verify_checksum => false, # Rely on registry security for now. eduID risk #31.
+ pre_start => 'run-parts /usr/local/etc/docker.d',
+ post_start => 'run-parts /usr/local/etc/docker.d',
+ pre_stop => 'run-parts /usr/local/etc/docker.d',
+ }
+
+}
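Review bot: With `verify_checksum => false` hard-coded in the `docker::run` body and `$imagetag` defaulting to `'latest'`, every container declared through this define runs whatever the registry currently serves under a mutable tag, and no caller can opt into anything stricter. The inline comment records this as an accepted risk, but it would be easier to tighten later as a parameter: add `$verify_checksum = false,` to the parameter list and pass `verify_checksum => $verify_checksum,`. Consider also dropping the `'latest'` fallback from the `hiera()` lookup, so that an unset `sunet_docker_default_tag` fails the catalog instead of silently tracking the newest push. Separately, the `pre_start`, `post_start` and `pre_stop` hooks all run `run-parts /usr/local/etc/docker.d`, presumably as root on the dockerhost. A comment such as `# /usr/local/etc/docker.d must be root-owned and not group/world-writable` above them would document that assumption.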