7 files changed, 84 insertions, 97 deletions

diff --git a/roles/docker/README.md b/roles/docker/README.md
index f25ca03cd..4a9f21f22 100644
--- a/roles/docker/README.md
+++ b/roles/docker/README.md
@@ -3,6 +3,8 @@ Docker
 
 Ensures docker package or system container is installed, and optionally raises timeout for systemd-udevd.service to 5 minutes.
 
+daemon.json items may be found at https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file
+
 Requirements
 ------------
 
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index e60dbe2d6..0c2b16acf 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -5,12 +5,13 @@
 - include: udev_workaround.yml
   when: docker_udev_workaround | default(False) | bool
 
+- set_fact:
+    l_use_system_container: "{{ openshift.docker.use_system_container | default(False) }}"
+
 - name: Use Package Docker if Requested
   include: package_docker.yml
-  when: openshift.docker.use_system_container is not defined or openshift.docker.use_system_container == False
+  when: not l_use_system_container
 
 - name: Use System Container Docker if Requested
   include: systemcontainer_docker.yml
-  when:
-  - openshift.docker.use_system_container is defined
-  - openshift.docker.use_system_container is True
+  when: l_use_system_container
diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml
index 10fb5772c..e101730d2 100644
--- a/roles/docker/tasks/package_docker.yml
+++ b/roles/docker/tasks/package_docker.yml
@@ -46,7 +46,7 @@
     template:
       dest: "{{ docker_systemd_dir }}/custom.conf"
       src: custom.conf.j2
-  when: not os_firewall_use_firewalld | default(True) | bool
+  when: not os_firewall_use_firewalld | default(False) | bool
 
 - stat: path=/etc/sysconfig/docker
   register: docker_check
diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml
index 6db95bf12..3af3e00b2 100644
--- a/roles/docker/tasks/systemcontainer_docker.yml
+++ b/roles/docker/tasks/systemcontainer_docker.yml
@@ -27,73 +27,91 @@
     state: present
   when: not openshift.common.is_atomic | bool
 
-# If we are on atomic, set http_proxy and https_proxy in /etc/atomic.conf
+# Make sure Docker is installed so we are able to use the client
+- name: Install Docker so we can use the client
+  package: name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present
+  when: not openshift.common.is_atomic | bool
+
+# Make sure docker is disabled. Errors are ignored.
+- name: Disable Docker
+  systemd:
+    name: docker
+    enabled: no
+    state: stopped
+    daemon_reload: yes
+  ignore_errors: True
+
+# Set http_proxy, https_proxy, and no_proxy in /etc/atomic.conf
+# regexp: the line starts with or without #, followed by the string
+#         http_proxy, then either : or =
 - block:
 
     - name: Add http_proxy to /etc/atomic.conf
       lineinfile:
-        path: /etc/atomic.conf
-        line: "http_proxy={{ openshift.common.http_proxy | default('') }}"
+        dest: /etc/atomic.conf
+        regexp: "^#?http_proxy[:=]{1}"
+        line: "http_proxy: {{ openshift.common.http_proxy | default('') }}"
       when:
         - openshift.common.http_proxy is defined
         - openshift.common.http_proxy != ''
 
     - name: Add https_proxy to /etc/atomic.conf
       lineinfile:
-        path: /etc/atomic.conf
-        line: "https_proxy={{ openshift.common.https_proxy | default('') }}"
+        dest: /etc/atomic.conf
+        regexp: "^#?https_proxy[:=]{1}"
+        line: "https_proxy: {{ openshift.common.https_proxy | default('') }}"
       when:
         - openshift.common.https_proxy is defined
         - openshift.common.https_proxy != ''
 
-  when: openshift.common.is_atomic | bool
-
+    - name: Add no_proxy to /etc/atomic.conf
+      lineinfile:
+        dest: /etc/atomic.conf
+        regexp: "^#?no_proxy[:=]{1}"
+        line: "no_proxy: {{ openshift.common.no_proxy | default('') }}"
+      when:
+        - openshift.common.no_proxy is defined
+        - openshift.common.no_proxy != ''
 
 - block:
 
     - name: Set to default prepend
       set_fact:
-        l_docker_image_prepend: "gscrivano/"
+        l_docker_image_prepend: "gscrivano"
 
     - name: Use Red Hat Registry for image when distribution is Red Hat
       set_fact:
-        l_docker_image_prepend: "registry.access.redhat.com/openshift3/"
+        l_docker_image_prepend: "registry.access.redhat.com/openshift3"
       when: ansible_distribution == 'RedHat'
 
     - name: Use Fedora Registry for image when distribution is Fedora
       set_fact:
-        l_docker_image_prepend: "registry.fedoraproject.org/"
+        l_docker_image_prepend: "registry.fedoraproject.org"
       when: ansible_distribution == 'Fedora'
 
     # For https://github.com/openshift/openshift-ansible/pull/4049#discussion_r114478504
     - name: Use a testing registry if requested
       set_fact:
-        l_docker_image_prepend: "{{ openshift.docker.systemcontainer_image_registry_override }}/"
+        l_docker_image_prepend: "{{ openshift_docker_systemcontainer_image_registry_override }}"
       when:
-        - openshift.docker.systemcontainer_image_registry_override is defined
-        - openshift.docker.systemcontainer_image_registry_override != ""
+        - openshift_docker_systemcontainer_image_registry_override is defined
+        - openshift_docker_systemcontainer_image_registry_override != ""
 
     - name: Set the full image name
       set_fact:
-        l_docker_image: "{{ l_docker_image_prepend }}container-engine-docker:latest"
+        l_docker_image: "{{ l_docker_image_prepend }}/{{ openshift.docker.service_name }}:latest"
 
+# NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released
 - name: Pre-pull Container Enginer System Container image
   command: "atomic pull --storage ostree {{ l_docker_image }}"
   changed_when: false
+  environment:
+    NO_PROXY: "{{ openshift.common.no_proxy | default('') }}"
 
-# Make sure docker is disabled Errors are ignored as docker may not
-# be installed.
-- name: Disable Docker
-  systemd:
-    name: docker
-    enabled: no
-    state: stopped
-    daemon_reload: yes
-  ignore_errors: True
 
-- name: Ensure docker.service.d directory exists
+- name: Ensure container-engine.service.d directory exists
   file:
-    path: "{{ docker_systemd_dir }}"
+    path: "{{ container_engine_systemd_dir }}"
     state: directory
 
 - name: Ensure /etc/docker directory exists
@@ -103,21 +121,30 @@
 
 - name: Install Container Enginer System Container
   oc_atomic_container:
-    name: container-engine-docker
-    image: "container-engine-docker"
+    name: "{{ openshift.docker.service_name }}"
+    image: "{{ l_docker_image }}"
     state: latest
     values:
-      - "system-package no"
+      - "system-package=no"
 
 - name: Configure Container Engine Service File
   template:
-    dest: "{{ docker_systemd_dir }}/custom.conf"
+    dest: "{{ container_engine_systemd_dir }}/custom.conf"
     src: systemcontainercustom.conf.j2
 
+# Set local versions of facts that must be in json format for daemon.json
+# NOTE: When jinja2.9+ is used the daemon.json file can move to using tojson
+- set_fact:
+    l_docker_insecure_registries: "{{ docker_insecure_registries | default([]) | to_json }}"
+    l_docker_log_options: "{{ docker_log_options | default({}) | to_json }}"
+    l_docker_additional_registries: "{{ docker_additional_registries | default([]) | to_json }}"
+    l_docker_blocked_registries: "{{ docker_blocked_registries | default([]) | to_json }}"
+    l_docker_selinux_enabled: "{{ docker_selinux_enabled | default(true) | to_json }}"
+
 # Configure container-engine using the daemon.json file
 - name: Configure Container Engine
   template:
-    dest: "{{ docker_conf }}/daemon.json"
+    dest: "{{ docker_conf_dir }}/daemon.json"
     src: daemon.json
 
 # Enable and start the container-engine service
diff --git a/roles/docker/templates/daemon.json b/roles/docker/templates/daemon.json
index bd085d2be..a41b7cdbd 100644
--- a/roles/docker/templates/daemon.json
+++ b/roles/docker/templates/daemon.json
@@ -1,64 +1,20 @@
-
 {
-    "api-cors-header": "",
     "authorization-plugins": ["rhel-push-plugin"],
-    "bip": "",
-    "bridge": "",
-    "cgroup-parent": "",
-    "cluster-store": "",
-    "cluster-store-opts": {},
-    "cluster-advertise": "",
-    "debug": true,
-    "default-gateway": "",
-    "default-gateway-v6": "",
     "default-runtime": "oci",
-    "containerd": "/var/run/containerd.sock",
-    "default-ulimits": {},
+    "containerd": "/run/containerd.sock",
     "disable-legacy-registry": false,
-    "dns": [],
-    "dns-opts": [],
-    "dns-search": [],
     "exec-opts": ["native.cgroupdriver=systemd"],
-    "exec-root": "",
-    "fixed-cidr": "",
-    "fixed-cidr-v6": "",
-    "graph": "",
-    "group": "",
-    "hosts": [],
-    "icc": false,
-    "insecure-registries": {{ docker_insecure_registries|default([]) }},
-    "ip": "0.0.0.0",
-    "iptables": false,
-    "ipv6": false,
-    "ip-forward": false,
-    "ip-masq": false,
-    "labels": [],
-    "live-restore": true,
+    "insecure-registries": {{ l_docker_insecure_registries }},
+{% if docker_log_driver is defined  %}
     "log-driver": "{{ docker_log_driver }}",
-    "log-level": "",
-    "log-opts": {{ docker_log_options|default({}) }},
-    "max-concurrent-downloads": 3,
-    "max-concurrent-uploads": 5,
-    "mtu": 0,
-    "oom-score-adjust": -500,
-    "pidfile": "",
-    "raw-logs": false,
-    "registry-mirrors": [],
+{%- endif %}
+    "log-opts": {{ l_docker_log_options }},
     "runtimes": {
 	"oci": {
 	    "path": "/usr/libexec/docker/docker-runc-current"
 	}
     },
-    "selinux-enabled": {{ docker_selinux_enabled|default(true) }},
-    "storage-driver": "",
-    "storage-opts": [],
-    "tls": true,
-    "tlscacert": "",
-    "tlscert": "",
-    "tlskey": "",
-    "tlsverify": true,
-    "userns-remap": "",
-    "add-registry": {{  docker_additional_registries|default([]) }},
-    "blocked-registries": {{ docker_blocked_registries|defaukt([]) }},
-    "userland-proxy-path": "/usr/libexec/docker/docker-proxy-current"
+    "selinux-enabled": {{ l_docker_selinux_enabled | lower }},
+    "add-registry": {{ l_docker_additional_registries }},
+    "block-registry": {{ l_docker_blocked_registries }}
 }
diff --git a/roles/docker/templates/systemcontainercustom.conf.j2 b/roles/docker/templates/systemcontainercustom.conf.j2
index a2cfed8a9..86eebfba6 100644
--- a/roles/docker/templates/systemcontainercustom.conf.j2
+++ b/roles/docker/templates/systemcontainercustom.conf.j2
@@ -1,16 +1,16 @@
 # {{ ansible_managed }}
 
 [Service]
-{%- if docker_http_proxy %}
-ENVIRONMENT=HTTP_PROXY={{ docker_http_proxy }}
-{%- endif -%}
-{%- if docker_https_proxy %}
-ENVIRONMENT=HTTPS_PROXY={{ docker_http_proxy }}
-{%- endif -%}
-{%- if docker_no_proxy %}
-ENVIRONMENT=NO_PROXY={{ docker_no_proxy }}
-{%- endif %}
-{%- if os_firewall_use_firewalld|default(true) %}
+{% if "http_proxy" in openshift.common %}
+Environment=HTTP_PROXY={{ docker_http_proxy }}
+{% endif -%}
+{% if "https_proxy" in openshift.common %}
+Environment=HTTPS_PROXY={{ docker_http_proxy }}
+{% endif -%}
+{% if "no_proxy" in openshift.common %}
+Environment=NO_PROXY={{ docker_no_proxy }}
+{% endif %}
+{%- if os_firewall_use_firewalld|default(false) %}
 [Unit]
 Wants=iptables.service
 After=iptables.service
diff --git a/roles/docker/vars/main.yml b/roles/docker/vars/main.yml
index 0082ded1e..4e940b7f5 100644
--- a/roles/docker/vars/main.yml
+++ b/roles/docker/vars/main.yml
@@ -1,4 +1,5 @@
 ---
 docker_systemd_dir: /etc/systemd/system/docker.service.d
+container_engine_systemd_dir: /etc/systemd/system/container-engine.service.d
 docker_conf_dir: /etc/docker/
 udevw_udevd_dir: /etc/systemd/system/systemd-udevd.service.d