Do not use docker_container module

Using `docker_container` with a `cap_drop` argument requires Ansible >=2.7. We want to support older versions too (2.4), so we either need to stop invoking it with `cap_drop` (insecure), or just stop using the module altogether. Since it was suffering from other bugs too (not deleting containers on failure), we've decided to remove `docker_container` usage completely.
2019-02-25 10:42:27 +02:00
parent 639fc0bb5c
commit 433780384e
2 changed files with 34 additions and 38 deletions
--- a/roles/matrix-synapse/tasks/setup_synapse_main.yml
+++ b/roles/matrix-synapse/tasks/setup_synapse_main.yml
@ -29,21 +29,22 @@

 # We do this mostly so that the keys would get generated.
 # We'll replace the rest of the configuration with our own templates below.
+#
+# We don't use the `docker_container` module, because using it with `cap_drop` requires
+# a very recent version, which is not available for a lot of people yet.
 - name: Generate initial Matrix config
-  docker_container:
-    name: matrix-config
-    image: "{{ matrix_synapse_docker_image }}"
-    detach: no
-    cleanup: yes
-    command: generate
-    env:
-      SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml"
-      SYNAPSE_SERVER_NAME: "{{ hostname_matrix }}"
-      SYNAPSE_REPORT_STATS: "no"
-    user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
-    cap_drop: ['all']
-    volumes:
-      - "{{ matrix_synapse_config_dir_path }}:/data"
+  command: |
+    docker run
+    --rm
+    --name=matrix-config
+    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+    --cap-drop=ALL
+    -v {{ matrix_synapse_config_dir_path }}:/data
+    -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
+    -e SYNAPSE_SERVER_NAME={{ hostname_matrix }}
+    -e SYNAPSE_REPORT_STATS=no
+    {{ matrix_synapse_docker_image }}
+    generate
  when: "not matrix_synapse_config_stat.stat.exists"

 - name: Ensure Matrix homeserver config installed