From 10c7927df6dd91aac60b8067024703affad7f52f Mon Sep 17 00:00:00 2001
From: Marc Sladek
Date: Sun, 11 Aug 2024 19:40:28 +0200
Subject: [PATCH 1/4] introduce network and port driver configuration
---
 README.md | 13 +++++++++++++
 defaults/main.yml | 2 ++
 tasks/docker_install_rootless.yml | 10 ----------
 tasks/docker_service.yml | 24 ++++++++++++++++++++++++
 tasks/docker_service_rootful.yml | 10 ----------
 tasks/main.yml | 9 ++++++++-
 6 files changed, 47 insertions(+), 21 deletions(-)
 create mode 100644 tasks/docker_service.yml
diff --git a/README.md b/README.md
index f4f3686..593f87f 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,8 @@ docker_compose_release: v2.29.1
 docker_compose_release_shasum: 5ea89dd65d33912a83737d8a4bf070d5de534a32b8493a21fbefc924484786a9
 docker_compose_url: https://github.com/docker/compose/releases/download
 docker_daemon_json_template: daemon.json.j2
+docker_driver_network: slirp4netns
+docker_driver_port: builtin
 docker_release: 27.1.1
 docker_release_rootless_shasum: 31cffd0f0c84ead9a5b28c1ad0c8e56eb9ef352036099a1f6501315574d4f63e
 docker_release_shasum: 118da6b8fc8e8b6c086ab0dd5e64ee549376c3a3f963723bbc9a46db475bf21f
@@ -134,6 +136,17 @@ The `docker_allow_ping` variable configures if unprivileged users can open On some distributions, this is not allowed, and thereby containers cannot ping to the outside.
+The `docker_driver_network` and `docker_driver_port` variables configure RootlessKit's
+[network driver](https://github.com/rootless-containers/rootlesskit/blob/master/docs/network.md) or
+[port driver](https://github.com/rootless-containers/rootlesskit/blob/master/docs/port.md),
+respectively. This is useful for
+[optimising network performance](https://docs.docker.com/engine/security/rootless/#networking-errors)
+and necessary if
+[source IP propagation](https://docs.docker.com/engine/security/rootless/#docker-run--p-does-not-propagate-source-ip-addresses)
+is required. By default, the `builtin` port driver does not expose the actual source IP; instead,
+all connections appear to the container as originating from the Docker gateway (e.g. 172.19.0.1).
+Set `docker_driver_port: slirp4netns` to enable source IP propagation.
+
 The variables named `*_template` are the locations of the [templates](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/template_module.html) in use, this to make it easier to replace them with custom ones.
diff --git a/defaults/main.yml b/defaults/main.yml
index ec022f5..82f5da2 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -10,6 +10,8 @@ docker_compose_release: v2.29.1
 docker_compose_release_shasum: 5ea89dd65d33912a83737d8a4bf070d5de534a32b8493a21fbefc924484786a9
 docker_compose_url: https://github.com/docker/compose/releases/download
 docker_daemon_json_template: daemon.json.j2
+docker_driver_network: slirp4netns
+docker_driver_port: builtin
 docker_release: 27.1.1
 docker_release_rootless_shasum: 31cffd0f0c84ead9a5b28c1ad0c8e56eb9ef352036099a1f6501315574d4f63e
 docker_release_shasum: 118da6b8fc8e8b6c086ab0dd5e64ee549376c3a3f963723bbc9a46db475bf21f
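Review bot: `docker_driver_port: builtin` in defaults/main.yml is a security-relevant default that the defaults file leaves unexplained, while the README hunk in this same patch states that the builtin port driver makes every inbound connection appear to the container as coming from the Docker gateway address; any in-container access control, rate limiting or audit logging keyed on the client address therefore sees the gateway instead of the real client. A one-line comment above the key would keep that visible to anyone editing defaults without the README, e.g. `# builtin: fastest, but containers see the gateway IP, not the real client IP; use slirp4netns when source IP matters`. A matching comment on `docker_driver_network` naming the accepted driver values would help for the same reason.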
diff --git a/tasks/docker_install_rootless.yml b/tasks/docker_install_rootless.yml
index cc2bf48..c3f6b19 100644
--- a/tasks/docker_install_rootless.yml
+++ b/tasks/docker_install_rootless.yml
@@ -94,13 +94,3 @@
 dest: "{{ docker_user_info.home }}/.config/docker/daemon.json"
 backup: true
 mode: "0644"
-
-- name: Enable and start Docker (rootless installation)
- become: true
- become_user: "{{ docker_user }}"
- ansible.builtin.systemd:
- name: docker.service
- enabled: true
- state: started
- scope: user
- daemon_reload: true
diff --git a/tasks/docker_service.yml b/tasks/docker_service.yml
new file mode 100644
index 0000000..9e9fbbe
--- /dev/null
+++ b/tasks/docker_service.yml
@@ -0,0 +1,24 @@
+- name: Configure Docker network/port drivers
+ become: true
+ become_user: "{{ docker_user }}"
+ ansible.builtin.lineinfile:
+ dest: "{{ docker_user_info.home }}/.config/systemd/user/docker.service"
+ insertafter: '\[Service\]'
+ firstmatch: true
+ regexp: "^Environment=\"{{ item.key }}="
+ line: "Environment=\"{{ item.key }}={{ item.value }}\""
+ loop:
+ - key: DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER
+ value: "{{ docker_driver_port }}"
+ - key: DOCKERD_ROOTLESS_ROOTLESSKIT_NET
+ value: "{{ docker_driver_network }}"
+
+- name: Enable and start Docker
+ become: true
+ become_user: "{{ docker_user }}"
+ ansible.builtin.systemd:
+ name: docker.service
+ enabled: true
+ state: started
+ scope: user
+ daemon_reload: true
diff --git a/tasks/docker_service_rootful.yml b/tasks/docker_service_rootful.yml
index 2ab68dd..bfefbb6 100644
--- a/tasks/docker_service_rootful.yml
+++ b/tasks/docker_service_rootful.yml
@@ -60,13 +60,3 @@
 failed_when: install_rootless_docker.rc != 0
 when:
 - not docker_rootless_sock.stat.exists
-
-- name: Enable and start Docker (rootful installation)
- become: true
- become_user: "{{ docker_user }}"
- ansible.builtin.systemd:
- name: docker.service
- enabled: true
- state: started
- scope: user
- daemon_reload: true
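Review bot: The Environment= lines written by the lineinfile task in the new tasks/docker_service.yml are not applied to a daemon that is already running, because the following systemd task uses `state: started` together with `daemon_reload: true`, which re-reads unit definitions but does not restart an active service; a changed `docker_driver_port` or `docker_driver_network` thus only takes effect on the next reboot or manual restart, and the same gap remains after the move to override.conf in patches 3 and 4. Register the lineinfile result and restart on change, e.g. `register: docker_service_env` on the first task and `state: "{{ 'restarted' if docker_service_env.changed else 'started' }}"` on the second, or notify a restart handler. The two variables are also interpolated unvalidated into the unit file, so an `ansible.builtin.assert` that each value is one of the driver names the README documents (`builtin`, `slirp4netns` for the port driver) before writing would keep a stray quote or newline from producing a malformed unit.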
diff --git a/tasks/main.yml b/tasks/main.yml
index fd1bbab..3e39cc1 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -11,7 +11,7 @@
 tags:
 - always
 
-- name: Remove obselete Docker instruction file
+- name: Remove obsolete Docker instruction file
 ansible.builtin.file:
 path: "{{ ansible_env.HOME }}/ROOTLESS_DOCKER.README"
 state: absent
@@ -50,6 +50,13 @@
 tags:
 - docker_rootless
 
+- name: Configure Docker service
+ ansible.builtin.import_tasks:
+ file: docker_service.yml
+ tags:
+ - docker_rootful
+ - docker_rootless
+
 - name: Install Docker Compose
 ansible.builtin.import_tasks:
 file: docker_compose.yml
From a023371c57948c9331fa70539f341ec03858ac83 Mon Sep 17 00:00:00 2001
From: Marc Sladek
Date: Mon, 12 Aug 2024 17:44:14 +0200
Subject: [PATCH 2/4] apply formatting patch
---
 README.md | 2 +-
 tasks/docker_service.yml | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 593f87f..2f842f7 100644
--- a/README.md
+++ b/README.md
@@ -136,7 +136,7 @@ The `docker_allow_ping` variable configures if unprivileged users can open On some distributions, this is not allowed, and thereby containers cannot ping to the outside.
-The `docker_driver_network` and `docker_driver_port` variables configure RootlessKit's
+The `docker_driver_network` and `docker_driver_port` variables configure RootlessKit's
 [network driver](https://github.com/rootless-containers/rootlesskit/blob/master/docs/network.md) or
 [port driver](https://github.com/rootless-containers/rootlesskit/blob/master/docs/port.md),
 respectively. This is useful for
diff --git a/tasks/docker_service.yml b/tasks/docker_service.yml
index 9e9fbbe..ea917e2 100644
--- a/tasks/docker_service.yml
+++ b/tasks/docker_service.yml
@@ -1,12 +1,13 @@
+---
 - name: Configure Docker network/port drivers
 become: true
 become_user: "{{ docker_user }}"
 ansible.builtin.lineinfile:
 dest: "{{ docker_user_info.home }}/.config/systemd/user/docker.service"
- insertafter: '\[Service\]'
+ insertafter: \[Service\]
 firstmatch: true
- regexp: "^Environment=\"{{ item.key }}="
- line: "Environment=\"{{ item.key }}={{ item.value }}\""
+ regexp: ^Environment="{{ item.key }}=
+ line: Environment="{{ item.key }}={{ item.value }}"
 loop:
 - key: DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER
 value: "{{ docker_driver_port }}"
From 9ee60d8de57511264e16bd8bd46030361fbc98b8 Mon Sep 17 00:00:00 2001
From: Marc Sladek
Date: Tue, 13 Aug 2024 23:37:11 +0200
Subject: [PATCH 3/4] systemd service override.conf
---
 tasks/docker_service.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/tasks/docker_service.yml b/tasks/docker_service.yml
index ea917e2..2624485 100644
--- a/tasks/docker_service.yml
+++ b/tasks/docker_service.yml
@@ -1,9 +1,17 @@
 ---
+- name: Add Docker systemd service override.conf
+ become: true
+ become_user: "{{ docker_user }}"
+ ansible.builtin.lineinfile:
+ dest: "{{ docker_user_info.home }}/.config/systemd/user/docker.service.d/override.conf"
+ line: "[Service]"
+ create: true
+
 - name: Configure Docker network/port drivers
 become: true
 become_user: "{{ docker_user }}"
 ansible.builtin.lineinfile:
- dest: "{{ docker_user_info.home }}/.config/systemd/user/docker.service"
+ dest: "{{ docker_user_info.home }}/.config/systemd/user/docker.service.d/override.conf"
 insertafter: \[Service\]
 firstmatch: true
 regexp: ^Environment="{{ item.key }}=
From 1dbc35fb2191816580be8bca0cd033cb47681a7a Mon Sep 17 00:00:00 2001
From: Marc Sladek
Date: Tue, 13 Aug 2024 23:43:54 +0200
Subject: [PATCH 4/4] add mode 0644
---
 tasks/docker_service.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tasks/docker_service.yml b/tasks/docker_service.yml
index 2624485..8a7efc8 100644
--- a/tasks/docker_service.yml
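Review bot: Building override.conf out of two incremental lineinfile edits (the `[Service]` header task added here, then per-key `Environment=` inserts in the `Configure Docker network/port drivers` task, whose body continues past the end of the hunk) leaves the drop-in's full content implicit and gives the role no way to remove a driver setting that was written by an earlier run, since lineinfile only adds or replaces lines it is told about. The role already renders daemon.json from a template variable; writing the whole drop-in the same way, or with `ansible.builtin.copy` and a `content:` block scalar as sketched below, makes the file deterministic, keeps the `mode` in one place, and yields a single registered result to restart the service from. Both tasks carry `become_user: "{{ docker_user }}"`, so the drop-in directory should be created under that user as well rather than left to whatever the module creates implicitly.

```yaml
- name: Ensure Docker systemd drop-in directory exists
  become: true
  become_user: "{{ docker_user }}"
  ansible.builtin.file:
    path: "{{ docker_user_info.home }}/.config/systemd/user/docker.service.d"
    state: directory
    mode: "0755"

- name: Write Docker systemd service override.conf
  become: true
  become_user: "{{ docker_user }}"
  ansible.builtin.copy:
    dest: "{{ docker_user_info.home }}/.config/systemd/user/docker.service.d/override.conf"
    mode: "0644"
    content: |
      [Service]
      Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER={{ docker_driver_port }}"
      Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_NET={{ docker_driver_network }}"
  register: docker_service_override

# … unchanged: Enable and start Docker task …
```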
+++ b/tasks/docker_service.yml
@@ -6,6 +6,7 @@
 dest: "{{ docker_user_info.home }}/.config/systemd/user/docker.service.d/override.conf"
 line: "[Service]"
 create: true
+ mode: "0644"
 
 - name: Configure Docker network/port drivers
 become: true