community.docker.docker_api connection – Run tasks in docker containers

Note

This connection plugin is part of the community.docker collection (version 4.1.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.docker. You need further requirements to be able to use this connection plugin, see Requirements for details.

To use it in a playbook, specify: community.docker.docker_api.

New in community.docker 1.1.0

Synopsis

  • Run commands or put/fetch files to an existing docker container.

  • Uses the requests library to interact directly with the Docker daemon instead of using the Docker CLI. Use the community.docker.docker connection plugin if you want to use the Docker CLI.

Requirements

The below requirements are needed on the local controller node that executes this connection.

  • requests

  • pywin32 (when using named pipes on Windows 32)

  • paramiko (when using SSH with use_ssh_client=false)

  • pyOpenSSL (when using TLS)

  • backports.ssl_match_hostname (when using TLS on Python 2)

Parameters

Parameter

Comments

api_version

aliases: docker_api_version

string

The version of the Docker API running on the Docker Host.

Defaults to the latest version of the API supported by this collection and the docker daemon.

If the value is not specified in the task, the value of environment variable DOCKER_API_VERSION will be used instead. If the environment variable is not set, the default value will be used.

Default: "auto"

Configuration:

  • Variable: ansible_docker_api_version

ca_path

aliases: ca_cert, tls_ca_cert, cacert_path

path

Use a CA certificate when performing server verification by providing the path to a CA certificate file.

If the value is not specified in the task and the environment variable DOCKER_CERT_PATH is set, the file ca.pem from the directory specified in the environment variable DOCKER_CERT_PATH will be used.

This option was called ca_cert and got renamed to ca_path in community.docker 3.6.0. The old name has been added as an alias and can still be used.

Configuration:

  • Variable: ansible_docker_ca_cert

  • Variable: ansible_docker_ca_path

    added in community.docker 3.6.0

client_cert

aliases: tls_client_cert, cert_path

path

Path to the client’s TLS certificate file.

If the value is not specified in the task and the environment variable DOCKER_CERT_PATH is set, the file cert.pem from the directory specified in the environment variable DOCKER_CERT_PATH will be used.

Configuration:

  • Variable: ansible_docker_client_cert

client_key

aliases: tls_client_key, key_path

path

Path to the client’s TLS key file.

If the value is not specified in the task and the environment variable DOCKER_CERT_PATH is set, the file key.pem from the directory specified in the environment variable DOCKER_CERT_PATH will be used.

Configuration:

  • Variable: ansible_docker_client_key

container_timeout

integer

Controls how long we can wait to access reading output from the container once execution started.

Default: 10

Configuration:

  • INI entries:

    [defaults]
    timeout = 10
    
    [docker_connection]
    timeout = 10
    

    added in community.docker 2.2.0

  • Environment variable: ANSIBLE_TIMEOUT

  • Environment variable: ANSIBLE_DOCKER_TIMEOUT

    added in community.docker 2.2.0

  • Variable: ansible_docker_timeout

    added in community.docker 2.2.0

  • CLI argument: –timeout

debug

boolean

Debug mode

Choices:

  • false ← (default)

  • true

docker_host

aliases: docker_url

string

The URL or Unix socket path used to connect to the Docker API. To connect to a remote host, provide the TCP connection string. For example, tcp://192.0.2.23:2376. If TLS is used to encrypt the connection, the module will automatically replace tcp in the connection URL with https.

If the value is not specified in the task, the value of environment variable DOCKER_HOST will be used instead. If the environment variable is not set, the default value will be used.

Default: "unix:///var/run/docker.sock"

Configuration:

  • Variable: ansible_docker_docker_host

extra_env

dictionary

added in community.docker 3.12.0

Provide extra environment variables to set when running commands in the Docker container.

This option can currently only be provided as Ansible variables due to limitations of ansible-core’s configuration manager.

Configuration:

  • Variable: ansible_docker_extra_env

privileged

boolean

added in community.docker 3.12.0

Whether commands should be run with extended privileges.

Note that this allows command to potentially break out of the container. Use with care!

Choices:

  • false ← (default)

  • true

Configuration:

  • INI entry:

    [docker_connection]
    privileged = false
    
  • Environment variable: ANSIBLE_DOCKER_PRIVILEGED

  • Variable: ansible_docker_privileged

remote_addr

string

The name of the container you want to access.

Default: "inventory_hostname"

Configuration:

  • Variable: inventory_hostname

  • Variable: ansible_host

  • Variable: ansible_docker_host

remote_user

string

The user to execute as inside the container.

Configuration:

  • INI entry:

    [defaults]
    remote_user = VALUE
    
  • Environment variable: ANSIBLE_REMOTE_USER

  • Variable: ansible_user

  • Variable: ansible_docker_user

  • Keyword: remote_user

  • CLI argument: –user

timeout

integer

The maximum amount of time in seconds to wait on a response from the API.

If the value is not specified in the task, the value of environment variable DOCKER_TIMEOUT will be used instead. If the environment variable is not set, the default value will be used.

Default: 60

Configuration:

  • Variable: ansible_docker_timeout

tls

boolean

Secure the connection to the API by using TLS without verifying the authenticity of the Docker host server. Note that if validate_certs is set to true as well, it will take precedence.

If the value is not specified in the task, the value of environment variable DOCKER_TLS will be used instead. If the environment variable is not set, the default value will be used.

Choices:

  • false ← (default)

  • true

Configuration:

  • Variable: ansible_docker_tls

tls_hostname

string

When verifying the authenticity of the Docker Host server, provide the expected name of the server.

If the value is not specified in the task, the value of environment variable DOCKER_TLS_HOSTNAME will be used instead. If the environment variable is not set, the default value will be used.

Note that this option had a default value localhost in older versions. It was removed in community.docker 3.0.0.

Configuration:

  • Variable: ansible_docker_tls_hostname

use_ssh_client

boolean

added in community.docker 1.5.0

For SSH transports, use the ssh CLI tool instead of paramiko.

Choices:

  • false ← (default)

  • true

validate_certs

aliases: tls_verify

boolean

Secure the connection to the API by using TLS and verifying the authenticity of the Docker host server.

If the value is not specified in the task, the value of environment variable DOCKER_TLS_VERIFY will be used instead. If the environment variable is not set, the default value will be used.

Choices:

  • false ← (default)

  • true

Configuration:

  • Variable: ansible_docker_validate_certs

working_dir

string

added in community.docker 3.12.0

The directory inside the container to run commands in.

Requires Docker API version 1.35 or later.

Configuration:

  • INI entry:

    [docker_connection]
    working_dir = VALUE
    
  • Environment variable: ANSIBLE_DOCKER_WORKING_DIR

  • Variable: ansible_docker_working_dir

Notes

Note

Authors

  • Felix Fontein (@felixfontein)

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.