haxorof/ansible-role-docker-ce

Docker restart fails after OPA authz plugin installation on Ubuntu 20.04

haxorof opened this issue · 2 comments

Version Information

Ansible: 2.10.7
Role: 3.5.0

Steps to Reproduce

Installing the Docker plugin openpolicyagent/opa-docker-authz-v2:0.8 on Ubuntu 20.04 with the configuration described in the README under the section "On the road to CIS security compliant Docker engine installation".

Expected Behavior

Docker installed and configured with Docker OPA authz plugin.

Actual Behavior

Restart of Docker daemon fails at end of play.

References

Thanks to @AlexeyShchukinSecurrency for reporting this initially.

After investigating the issue, it comes down to what is done during package installation of docker-ce in the different Linux distributions. It seems that when installing the docker-ce package on Ubuntu 20.04 it also starts and enables the docker service in systemd. This is something which is not done in CentOS/AlmaLinux. It is not an issue as long as no Docker plugin installation is made, since the restart is triggered at the end of the play as expected. However, to install a Docker authz plugin like OPA the Docker daemon must be running to even install a Docker plugin. Then, after an authz plugin is installed, the Docker daemon configuration needs to be changed to use the authz plugin via the configuration option authorization-plugins.

So what is not handled correctly in the role is that the configuration made to systemd by the role notifies the handler for restarting Docker, but the installation of plugins is done before that will happen, and the other tasks that do restarts before plugin installation are skipped in the Ubuntu case. A simple fix is to just replace the first task in the plugin configuration file to do a restart instead of just ensuring it is started. This will however do an unnecessary restart in different scenarios where, for example, the OPA plugin is already installed etc.
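The ordering problem described in the comment above, shown as an added Ansible play that is not part of ansible-role-docker-ce: pending handler notifications are flushed before the plugin is installed, so the plugin lands in a daemon running the intended configuration rather than the one the Ubuntu package started, and a second flush plus a `docker info` check confirms the authz plugin is actually active. The inventory group `docker_hosts`, the alias `opa-docker-authz` and the minimal daemon.json content are assumptions; the plugin version and the `authorization-plugins` key come from the issue.

```yaml
# Added example (not the role's own code); host group, alias and daemon.json content are assumed.
- hosts: docker_hosts
  become: true
  vars:
    opa_plugin: "openpolicyagent/opa-docker-authz-v2:0.8"  # version from the issue
    opa_alias: opa-docker-authz                            # assumed stable alias
    docker_daemon_config:                                  # assumed minimal daemon.json
      authorization-plugins:
        - "{{ opa_alias }}"
  handlers:
    - name: Restart docker
      ansible.builtin.systemd:
        name: docker
        state: restarted
        daemon_reload: true
  tasks:
    # Any systemd drop-in written earlier in the play has only queued the
    # restart handler; on Ubuntu the daemon is already up with package defaults,
    # so flush now instead of letting the handler run at the end of the play.
    - name: Apply pending daemon configuration before installing plugins
      ansible.builtin.meta: flush_handlers
    - name: Ensure the daemon is running (plugin install needs a live daemon)
      ansible.builtin.systemd:
        name: docker
        state: started
        enabled: true
    - name: List installed plugins so the install stays idempotent
      ansible.builtin.command: "docker plugin ls --format '{% raw %}{{.Name}}{% endraw %}'"
      register: plugin_list
      changed_when: false
    - name: Install the OPA authz plugin under the alias used in daemon.json
      ansible.builtin.command: >
        docker plugin install --grant-all-permissions
        --alias {{ opa_alias }} {{ opa_plugin }}
      when: opa_alias not in plugin_list.stdout
    - name: Enable the plugin in daemon.json (only takes effect after a restart)
      ansible.builtin.copy:
        dest: /etc/docker/daemon.json
        content: "{{ docker_daemon_config | to_nice_json }}\n"
        mode: "0644"
      notify: Restart docker
    - name: Restart now so the check below sees the new configuration
      ansible.builtin.meta: flush_handlers
    - name: Verify the daemon advertises the authz plugin
      ansible.builtin.command: "docker info --format '{% raw %}{{.Plugins.Authorization}}{% endraw %}'"
      register: authz_plugins
      changed_when: false
      failed_when: opa_alias not in authz_plugins.stdout
```

The final task fails the play if the daemon came back without the authz plugin, which is the symptom a CIS-oriented deployment most needs to catch early.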

@AlexeyShchukinSecurrency Fixes are included in the latest release now: 3.6.0