From 9973a62c1685a0043fba44c1eba708884d8f9789 Mon Sep 17 00:00:00 2001
From: Ludovic Poujol
Date: Tue, 10 May 2022 19:04:58 +0200
Subject: [PATCH] docker : Introduce new variables to tweak daemon settings
---
 CHANGELOG.md | 4 +++-
 docker-host/defaults/main.yml | 16 +++++++++++++---
 docker-host/templates/daemon.json.j2 | 15 +++++++++++++++
 3 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 383965e1..a2c6da45 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,9 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Added
+* docker : Introduce new default settings + allow to change the docker data directory
+* docker : Introduce new variables to tweak daemon settings
+
 ### Changed
 ### Fixed
@@ -19,7 +22,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Removed
 * docker : Removed Debian Jessie support
-* docker : Introduce new default settings + allow to change the docker data directory
 ### Security
diff --git a/docker-host/defaults/main.yml b/docker-host/defaults/main.yml
index 913da884..5b64f342 100644
--- a/docker-host/defaults/main.yml
+++ b/docker-host/defaults/main.yml
@@ -1,13 +1,23 @@
 ---
-# If docher_home sets to /home/, the partition should be mounted with exec
-# option.
+# If docher_home sets to /home/, the partition should be mounted with exec option.
 docker_home: /var/lib/docker
 docker_tmpdir: "{{docker_home}}/tmp"
-docker_remote_access_enabled: True
+# Chose to use iptables instead of docker-proxy userland process
+docker_conf_use_iptables: False
+
+# Disable the possibility for containers processes to gain new privileges
+docker_conf_no_newprivileges: False
+
+# Disable all default network connectivity
+docker_conf_disable_default_networking: False
+
+# Remote access
+docker_remote_access_enabled: False
 docker_daemon_port: 2376
 docker_daemon_listening_ip: 0.0.0.0
+# TLS
 docker_tls_enabled: False
 docker_tls_path: "{{docker_home}}/tls"
 docker_tls_ca: ca/ca.pem
diff --git a/docker-host/templates/daemon.json.j2 b/docker-host/templates/daemon.json.j2
index ee9be3c8..c73268d9 100644
--- a/docker-host/templates/daemon.json.j2
+++ b/docker-host/templates/daemon.json.j2
@@ -10,6 +10,21 @@
 {# Turn on user namespace remaping #}
 "userns-remap": "default",
+ {% if docker_conf_use_iptables %}
+ {# Use iptables instead of docker-proxy #}
+ "userland-proxy": false,
+ "iptables": true,
+ {% endif %}
+
+ {# Disable the possibility for containers processes to gain new privileges #}
+ "no-new-privileges": {{ docker_conf_no_newprivileges | to_json }},
+
+ {% if docker_conf_disable_default_networking %}
+ {# Disable all default network connectivity #}
+ "bridge": "none",
+ "icc": false,
+ {% endif %}
+
 {% if docker_tls_enabled %}
 "tls": true,
 "tlscert": "{{ docker_tls_path }}/{{ docker_tls_cert }}",
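Review bot: The default for `docker_remote_access_enabled` changes from `True` to `False` in this hunk, which silently removes remote API access for existing users of the role, yet the CHANGELOG entries in this commit only list the new variables under "Added"; record the flip under "Changed" so operators know to set it explicitly. The remaining defaults `docker_daemon_listening_ip: 0.0.0.0` and `docker_tls_enabled: False` mean that anyone who re-enables remote access gets an unauthenticated daemon API on every interface unless they also turn on TLS; a comment such as `# Enabling remote access without docker_tls_enabled exposes the daemon API unauthenticated on docker_daemon_listening_ip` next to the new `# Remote access` header would make that dependency visible. The new booleans are written `False`, which Ansible accepts but yamllint's truthy rule flags; `false` is the canonical spelling. The comments also carry typos: "docher_home" for docker_home and "Chose" for "Choose".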
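Review bot: When `docker_conf_use_iptables` is true the template emits `"iptables": true`, which is already the daemon's default, so the only effective change is `"userland-proxy": false`; the variable name and the `{# Use iptables instead of docker-proxy #}` comment overstate what it does, and a name such as `docker_conf_disable_userland_proxy`, or a comment like `{# userland-proxy off; iptables: true restates the daemon default #}`, would be clearer. `"no-new-privileges"` is emitted unconditionally from the variable, which is fine, but its comment should mention the operational cost: it stops container processes from gaining privileges through setuid/setgid binaries, so images that depend on such helpers stop working when it is enabled. With `"bridge": "none"` there is no default bridge for `"icc": false` to apply to, so the second key looks redundant, though harmless. The JSON object this template renders opens and closes outside the hunk, so whether the trailing comma after the last conditional block still leaves valid JSON cannot be checked here.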