From 721941ce295edf228694376d4b22b6b5602c5d0c Mon Sep 17 00:00:00 2001
From: Sven-Hendrik Haase <svenstaro@gmail.com>
Date: Wed, 14 Oct 2020 19:58:47 +0200
Subject: [PATCH] gitlab-runners: Add IPv6 config to Docker

---
 roles/gitlab_runner/files/daemon.json |  4 ++++
 roles/gitlab_runner/handlers/main.yml |  3 +++
 roles/gitlab_runner/tasks/main.yml    | 19 +++++++++++++++++++
 3 files changed, 26 insertions(+)
 create mode 100644 roles/gitlab_runner/files/daemon.json

diff --git a/roles/gitlab_runner/files/daemon.json b/roles/gitlab_runner/files/daemon.json
new file mode 100644
index 000000000..db0df4ba3
--- /dev/null
+++ b/roles/gitlab_runner/files/daemon.json
@@ -0,0 +1,4 @@
+{
+	"ipv6": true,
+	"fixed-cidr-v6": "fd00::/80"
+}
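Review bot: `fd00::/80` is a unique-local prefix with an all-zero global ID, whereas RFC 4193 expects the 40 bits after `fd` to be pseudo-random so the range cannot collide with another ULA network the host can reach. A generated prefix of the form `fdXX:XXXX:XXXX::/80` (placeholder) would avoid that. The same literal is repeated in the firewalld rich rule in roles/gitlab_runner/tasks/main.yml, so the two have to be changed together; a role variable rendered with `template` instead of `copy` would keep them in sync. Because this file is installed as the whole of /etc/docker/daemon.json, any daemon option set on the host by other means is replaced.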
diff --git a/roles/gitlab_runner/handlers/main.yml b/roles/gitlab_runner/handlers/main.yml
index 6c495b84c..966647565 100644
--- a/roles/gitlab_runner/handlers/main.yml
+++ b/roles/gitlab_runner/handlers/main.yml
@@ -1,2 +1,5 @@
 - name: restart gitlab-runner
   service: name=gitlab-runner state=restarted
+
+- name: restart docker
+  service: name=docker state=restarted
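Review bot: Restarting the Docker service stops every running container unless the daemon has `live-restore` enabled, and the new daemon.json does not set it. Any later change to that file will therefore presumably abort in-flight CI jobs on the runner when this handler fires. Either evaluate adding `"live-restore": true` to daemon.json, or put a comment above the handler such as `# restarts dockerd and kills running job containers; run only on a drained runner`.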
diff --git a/roles/gitlab_runner/tasks/main.yml b/roles/gitlab_runner/tasks/main.yml
index cebed672c..0237083e6 100644
--- a/roles/gitlab_runner/tasks/main.yml
+++ b/roles/gitlab_runner/tasks/main.yml
@@ -13,6 +13,25 @@
   tags:
     - firewall
 
+- name: configure Docker daemon for IPv6
+  copy: src=daemon.json dest=/etc/docker/daemon.json owner=root group=root mode=0644
+  notify: restart docker
+
+# We want to give our gitlab-runners full IPv6 capabilities. Sadly, IPv6 and Docker aren't friends. :(
+# https://medium.com/@skleeschulte/how-to-enable-ipv6-for-docker-containers-on-ubuntu-18-04-c68394a219a2
+# https://github.com/docker/docker.github.io/blob/c0eb65aabe4de94d56bbc20249179f626df5e8c3/engine/userguide/networking/default_network/ipv6.md
+# https://github.com/moby/moby/issues/36954
+- name: add IPv6 NAT for docker
+  ansible.posix.firewalld:
+    zone: public
+    permanent: true
+    state: enabled
+    immediate: yes
+    rich_rule: rule family="ipv6" destination not address="fd00::1/80" source address="fd00::/80" masquerade
+  when: configure_firewall
+  tags:
+    - firewall
+
 - name: register gitlab-runner
   command: >
     gitlab-runner register
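Review bot: The `configure Docker daemon for IPv6` task runs unconditionally while the masquerade rule below it is gated on `when: configure_firewall`, so a host with that variable false gets containers on `fd00::/80` with no NAT and presumably no working IPv6 egress; gate both tasks the same way or document the dependency. In the rich rule, `destination not address="fd00::1/80"` has host bits set where the source uses `fd00::/80`; writing `destination not address="fd00::/80"` states the intent without relying on how firewalld normalises the prefix. The rule masquerades every address in the container /80 towards any outside destination in the `public` zone, so job containers get the same IPv6 reach as the host. It is worth confirming that any egress restriction on their IPv4 traffic has an IPv6 counterpart. For consistency with `permanent: true`, `immediate: yes` should be `immediate: true`.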
-- 
GitLab