boma/roles/docker_host
sjat 172ae37953 feat(docker_host): container-forward nftables drop-in (reboot-safe Docker forwarding)
base's inet-filter forward chain is policy-drop; on a Docker host that kills published-port DNAT + inter-container forwarding ON REBOOT (nftables loads default-deny before dockerd). This drop-in (loaded via base's /etc/nftables.d/*.nft include at boot) appends the container-bridge accepts so a rebooted Docker host keeps forwarding. Resolves FRICTION 2026-06-17 #1 and the GREEN half of ADR-025's acceptance test. NB nftables wildcard is br-*, not the iptables br-+.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-18 16:57:47 +02:00
defaults feat(docker_host): container-forward nftables drop-in (reboot-safe Docker forwarding) 2026-06-18 16:57:47 +02:00
handlers fix(O1): scaffold docker_host role so make lint passes on main 2026-06-11 14:53:55 +02:00
meta fix(O1): scaffold docker_host role so make lint passes on main 2026-06-11 14:53:55 +02:00
molecule/default chore(roles): role/test hygiene from review (O16,O17,O25,O26) 2026-06-14 19:31:23 +02:00
tasks feat(docker_host): container-forward nftables drop-in (reboot-safe Docker forwarding) 2026-06-18 16:57:47 +02:00
templates feat(docker_host): container-forward nftables drop-in (reboot-safe Docker forwarding) 2026-06-18 16:57:47 +02:00
README.md feat(docker_host): install Docker engine + compose plugin 2026-06-14 17:28:51 +02:00

docker_host

Installs the Docker CE engine and the Compose plugin on every host in the docker_hosts group. Provides the container runtime that per-service roles (one service = one role, ADR-004) deploy their Compose stacks onto.

Scope

This role covers the engine install. Of the two items originally deferred to Phase 2 (when the Proxmox cluster and base host firewall exist), the first is still deferred; the second is now shipped by this role's templates (see the container-forward drop-in commit listed above):

  • Daemon hardening (iptables: false, log driver, live-restore, userns remapping). Still deferred.
  • Rendering container forward/NAT rules into /etc/nftables.d/*.nft (the base role hook for container firewall integration, ADR-020). Now shipped: base's inet filter forward chain is policy drop and is loaded at boot before dockerd, so without the drop-in a rebooted host silently drops published-port DNAT and inter-container forwarding. The drop-in, picked up through base's /etc/nftables.d/*.nft include, appends accepts for the container bridges (note that the nftables interface wildcard is br-*, not the iptables br-+).
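The README above lists the nftables.d rendering as deferred, while the commit at the top of this page says the drop-in now ships. As an added illustration of what such a drop-in and its deployment look like (this is not the role's own template or tasks, which the page does not show), the block below is an Ansible task that writes a container-forward drop-in into base's /etc/nftables.d/ include directory and dry-run validates it before the firewall is reloaded. Assumptions, also marked in the comments: base's /etc/nftables.conf declares `table inet filter` with a `forward` base chain of policy drop and performs `include "/etc/nftables.d/*.nft"` after that declaration; the file name 50-docker-forward.nft, the handler name and the exact accept rules are illustrative; docker0 is Docker's default bridge and br-* the bridges of its user-defined networks.

```yaml
# Illustrative tasks file (not the role's own tasks/). Assumed layout: base's
# /etc/nftables.conf declares `table inet filter { chain forward { type filter
# hook forward priority 0; policy drop; ... } }` and only THEN does
# `include "/etc/nftables.d/*.nft"`, so a drop-in that re-declares the same
# table/chain appends rules to it instead of creating a second, hookless chain.
- name: Render container-forward drop-in into base's nftables.d include dir
  ansible.builtin.copy:
    dest: /etc/nftables.d/50-docker-forward.nft   # file name is an assumption
    owner: root
    group: root
    mode: "0644"
    # Dry-run the candidate file against the live ruleset before it replaces
    # the old one: a typo fails this task rather than the nftables reload
    # (needs the nft binary and CAP_NET_ADMIN on the target, i.e. become).
    validate: nft -c -f %s
    content: |
      # Container-forward accepts for base's policy-drop forward chain.
      # Loaded at boot through base's include, i.e. before dockerd starts,
      # so a rebooted host keeps forwarding. Wildcard is br-*, not br-+.
      table inet filter {
        chain forward {
          # Replies to flows already accepted (incl. DNATed inbound connections)
          ct state established,related accept
          # Container-originated traffic: inter-container (via br_netfilter)
          # and egress, which dockerd's own nat table masquerades
          iifname "docker0" accept
          iifname "br-*" accept
          # Inbound to a container only when dockerd has DNATed it, i.e. a
          # published port; anything else aimed at a bridge still hits policy drop
          oifname "docker0" ct status dnat accept
          oifname "br-*" ct status dnat accept
        }
      }
  notify: reload nftables

---
# handlers/main.yml (illustrative): applies the rules now; boot-time loading
# needs nothing beyond the file living under the include path.
- name: reload nftables
  ansible.builtin.systemd:
    name: nftables
    state: reloaded
```

Two checks worth running after applying this: `nft list chain inet filter forward` on the host should show the bridge accepts after base's own rules and still end in `policy drop`, and the same listing after `systemctl reboot`, followed by a connection to a published port, is the actual reboot-safety test the commit describes. One caveat that follows from general nftables behaviour rather than from anything on this page: if base's nftables.conf begins with `flush ruleset`, a reload also deletes the `ip filter`/`ip nat` tables dockerd created through iptables-nft, and dockerd has to be restarted to recreate them; running the daemon with `iptables: false`, which the Scope list defers to Phase 2, is what removes that dependency.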

Variables

docker_host__packages
  Default: [docker-ce, docker-ce-cli, containerd.io, docker-compose-plugin]
  Description: APT packages installed from the Docker CE repository

All variables use the docker_host__ double-underscore namespace (CLAUDE.md convention).

Example

- hosts: docker_hosts
  become: true
  roles:
    - role: docker_host
      tags: [docker_host]

Tags

All tasks carry the packages concern tag (APT package install, ADR-019).

Related decisions

  • ADR-004 (docs/decisions/004-docker-model.md) — Docker & Compose model.
  • ADR-020 (docs/decisions/020-firewall.md) — daemon hardening (deferred to Phase 2) and nftables.d integration (the container-forward drop-in listed in the commit above).
  • ADR-011 (docs/decisions/011-update-management.md) — version pinning policy (future: pin the Docker CE version explicitly).