[ansible][docker.py]Replace docker shell with connection plugin

[msosyak]

Description of PR

We are using a custom docker shell plugin to run tasks inside the container on the remote hosts. But shell plugins ware not made for this purpose. So I would recommend deprecate docker shell plugin and use native docker connection plugin.

To be able to use docker connection plugin to run tasks inside containers on the remote host we just should to:

• Have installed docker-ce-cli on ansible host
• Have generated ssh-key as docker cli is not able to establish ssh connection by user/password

Summary:
Replace docker shell plugin by native ansible docker connection plugin.
Fixes #1268

Type of change

• Bug fix
• Testbed and Framework(new/improvement)
• [] Test case(new/improvement)

Approach

Dynamically add needed containers to inventory and use delegate_to to run tasks inside containers.

How did you do it?

How did you verify/test it?

1. Install docker cli and generate shh-keys:

sudo apt-get update
sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \
    software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo apt-key fingerprint 0EBFCD88
sudo add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
   $(lsb_release -cs) \
   stable"
sudo apt-get update
sudo apt-get install  docker-ce-cli

ssh-keygen -q -t rsa -f $HOME/.ssh/id_rsa   -C "" -N ""

2. Run ecn_wred CT

Any platform specific information?

Supported testbed topology if it's a new test case?

Documentation

There are some articles found during the investigation:
https://medium.com/better-programming/docker-tips-access-the-docker-daemon-via-ssh-97cd6b44a53
https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html#non-ssh-connection-types
https://www.serverlab.ca/tutorials/containers/docker/how-to-access-remote-docker-daemon-using-ssh/
https://docs.ansible.com/ansible/latest/modules/authorized_key_module.html

[lguohan]

i think this is a more generic approach. @qiluo-msft , what do you think?

[lguohan]

@msosyak , can you add the docker-ce-cli installation in the sonic-mgmt docker so that we will have docker command in the sonic-mgmt docker. https://github.com/Azure/sonic-buildimage/blob/master/dockers/docker-sonic-mgmt/Dockerfile.j2

[lguohan]

@msosyak, can you resolve the conflict?

[msosyak]

@lguohan Conflict resolved.
docker-ce-cli added to sonic-mgmt: sonic-net/sonic-buildimage#3868

[qiluo-msft]

key [](start = 4, length = 3)

You can get key from previous openssh_keypair return values. #Closed

[msosyak]

Yes

[qiluo-msft]

Thanks for your refinement! I feel public_key is just more straightforward.

---

In reply to: 356376796 [](ancestors = 356376796)

[msosyak]

I do not choose the name of the public key file.

"Name of the files containing the public and private key. The file containing the public key will have the extension .pub. "
https://docs.ansible.com/ansible/latest/modules/openssh_keypair_module.html#parameters

[qiluo-msft]

Maybe there is some miscommunication. I suggest

    key: out.public_key

Could you help explorer this one? Seems it is designed just for this purpose.

---

In reply to: 356776386 [](ancestors = 356776386,356376796)

[msosyak]

Oh, yes, I missed this option. Changed.

[qiluo-msft]

Can we move this part into add_container_to_inventory, add with_items for all containers? #Closed

[msosyak]

Yes, we can, but I do not see the reason for that. There are only two places where we add more than one container.

[qiluo-msft]

I mean if we move every include_task: add_container_to_inventory into inside that file with all the known container names, we can keep other files clean, only include_tasks once.

---

In reply to: 356377776 [](ancestors = 356377776)

[msosyak]

We do not use it in all test cases, so I do not see the reason to implicitly add all containers to inventory.

[qiluo-msft]

As comments

[qiluo-msft]

One remaining minor issue: #1269 (review). Otherwise it looks good to me.