cisagov · jsf9k · Jan 14, 2025 · Dec 20, 2024 · Dec 27, 2024 · Dec 27, 2024
@@ -0,0 +1,4 @@
+---
+- name: Update the apt package cache
+  ansible.builtin.apt:
+    update_cache: true
@@ -1,4 +1,16 @@
 ---
+- name: Load var file based on the OS type
+  ansible.builtin.include_vars:
+    file: "{{ lookup('first_found', params) }}"
+  vars:
+    params:
+      files:
+        - "{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml"
+        - "{{ ansible_distribution }}.yml"
+        - "{{ ansible_os_family }}.yml"
+      paths:
+        - "{{ role_path }}/vars"
+
 - name: Load setup tasks file for adding the official Docker repo
   ansible.builtin.include_tasks:
     file: "{{ lookup('first_found', params) }}"
@@ -15,22 +27,10 @@
     # Fedora.
     - ansible_os_family == "Debian" or ansible_distribution == "Fedora"
 
-- name: Load var file with package names based on the OS type
-  ansible.builtin.include_vars:
-    file: "{{ lookup('first_found', params) }}"
-  vars:
-    params:
-      files:
-        - "{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml"
-        - "{{ ansible_distribution }}.yml"
-        - "{{ ansible_os_family }}.yml"
-      paths:
-        - "{{ role_path }}/vars"
-
 - name: >
     Install Docker, Docker Compose, and the Docker Python library
   ansible.builtin.package:
-    name: "{{ package_names }}"
+    name: "{{ docker_prerequisites }}"
 
 # Amazon Linux 2023 does not (yet?) offer docker-compose or the
 # Docker Compose plugin, so we grab it from GitHub:
@@ -46,7 +46,6 @@
 - name: Systemd daemon-reload
   ansible.builtin.systemd:
     daemon_reload: true
-  when: ansible_service_mgr == "systemd"
 
 - name: Enable docker
   ansible.builtin.service:

@@ -13,42 +13,48 @@
       - runc
     state: absent
 
-- name: Add official Docker repo (Debian, not Kali)
+- name: Install prerequisites so apt can use a repo over HTTPS
+  ansible.builtin.package:
+    name: "{{ apt_over_https_prerequisites }}"
+
+# Debian Buster does not support DEB822 repos, so we have to treat it
+# as a special case.
+- name: Add official Docker repo (Debian Buster)
   when:
-    - ansible_distribution | lower != "kali"
+    - ansible_distribution_release == "buster"
   block:
-    - name: Install prerequisites so apt can use a repo over HTTPS (Debian, not Kali)
-      ansible.builtin.package:
-        name:
-          - apt-transport-https
-          - ca-certificates
-          - curl
-          - gnupg2
-          - lsb-release
-          - software-properties-common
-    - name: Get official Docker repo GPG key (Debian, not Kali)
+    - name: Get official Docker repo GPG key
       ansible.builtin.apt_key:
-        url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg
-    - name: Add the official Docker repo (Debian, not Kali)
+        url: https://download.docker.com/linux/{{ apt_distro }}/gpg
+    - name: Add the official Docker repo
       ansible.builtin.apt_repository:
-        repo: deb https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable
+        repo: deb https://download.docker.com/linux/{{ apt_distro }} {{ apt_distro_release }} stable
+    # ansible.builtin.apt_repository updates the package cache so
+    # there is no need to do it explicitly.
 
-- name: Add official Docker repo (Kali)
+- name: Add official Docker repo
   when:
-    - ansible_distribution | lower == "kali"
+    - ansible_distribution_release != "buster"
   block:
-    - name: Install prerequisites so apt can use a repo over HTTPS (Kali)
+    - name: Install prerequisites so apt can use DEB822 repos
       ansible.builtin.package:
         name:
-          - apt-transport-https
-          - ca-certificates
-          - curl
-          - gnupg2
-          - lsb-release
-    # Use Debian Bookworm for Kali
-    - name: Get official Docker repo GPG key (Kali)
-      ansible.builtin.apt_key:
-        url: https://download.docker.com/linux/debian/gpg
-    - name: Add the official Docker repo (Kali)
-      ansible.builtin.apt_repository:
-        repo: deb https://download.docker.com/linux/debian bookworm stable
+          - python3-debian
+    - name: Add the official Docker repo
+      ansible.builtin.deb822_repository:
+        components:
+          - stable
+        name: docker
+        signed_by: https://download.docker.com/linux/{{ apt_distro }}/gpg
+        suites:
+          - "{{ apt_distro_release }}"
+        uris:
+          - https://download.docker.com/linux/{{ apt_distro }}
+      notify:
+        - Update the apt package cache
+    # We need the handler that updates the apt package cache to run
+    # now if it is necessary.  It is required by the parent playbook
+    # since it will attempt to install the packages from the new apt
+    # package repo.
+    - name: Flush handlers
+      ansible.builtin.meta: flush_handlers
@@ -1,6 +1,6 @@
 ---
-# The system packages to install.  Note that python-docker is not
-# available on Amazon Linux 2023:
+# The system packages required for Docker.  Note that python-docker is
+# not available on Amazon Linux 2023:
 # https://docs.aws.amazon.com/linux/al2023/release-notes/all-packages-al2023-20230419.html
-package_names:
+docker_prerequisites:
   - docker
@@ -1,8 +1,24 @@
 ---
-# The system packages to install
+# The Linux distribution to use when configuring a Debian repo.
+apt_distro: "{{ ansible_distribution | lower }}"
+
+# The release of the Linux distribution to use when configuring a
+# Debian repo.
+apt_distro_release: "{{ ansible_distribution_release }}"
+
+# The system packages required for apt-over-https.
+apt_over_https_prerequisites:
+  - apt-transport-https
+  - ca-certificates
+  - curl
+  - gnupg2
+  - lsb-release
+  - software-properties-common
+
+# The system packages required for Docker.
 #
 # https://docs.docker.com/engine/install/debian/
-package_names:
+docker_prerequisites:
   - containerd.io
   - docker-buildx-plugin
   - docker-ce

@@ -0,0 +1,42 @@
+---
+# The Linux distribution to use when configuring a Debian repo.  Note
+# that we force Kali to use Debian Bookworm.  This is because Docker
+# does not provide an official package for Kali or Debian Testing (on
+# which Kali is based), but it does support Bookworm which is close
+# enough to work.
+apt_distro: debian
+
+# The release of the Linux distribution to use when configuring a
+# Debian repo.  Note that we force Kali to use Debian Bookworm.  This
+# is because Docker does not provide an official package for Kali or
+# Debian Testing (on which Kali is based), but it does support
+# Bookworm which is close enough to work.
+apt_distro_release: bookworm
+
+# The system packages required for apt-over-https.
+apt_over_https_prerequisites:
+  - apt-transport-https
+  - ca-certificates
+  - curl
+  - gnupg2
+  - lsb-release
+  # This package is not available on Kali, but whatever it installs
+  # seems to already be present.
+  # - software-properties-common
+
+# The system packages required for Docker.
+#
+# https://docs.docker.com/engine/install/debian/
+docker_prerequisites:
+  - containerd.io
+  - docker-buildx-plugin
+  - docker-ce
+  - docker-ce-cli
+  - docker-compose-plugin
+  # This package is required to avoid an issue with docker compose
+  # pull.  See the following for more information:
+  # - https://github.com/docker/compose/issues/9560
+  # - https://github.com/docker/compose/issues/6023
+  # - https://docs.docker.com/engine/reference/commandline/login/
+  - pass
+  - python3-docker