Automating rootless Docker host updates with Ansible

https://news.ycombinator.com/rss Hits: 9
Summary

Automating rootless Docker host updates with Ansible

Published: 2025-11-15, Revised: 2025-11-15

TL;DR

Running apt upgrade on hosts with rootless Docker services can break them. A version mismatch occurs between the running user daemon and the newly upgraded system binaries, causing containers to fail on restart. This post provides an Ansible playbook that detects critical package changes and automatically restarts only the necessary rootless user daemons, preventing downtime and manual intervention.

Info

This playbook is the result of a deep-dive into a specific failure mode of the rootless Docker architecture. For context on the initial setup, please see my previous posts on setting up rootless Docker for services like Mastodon.

Motivation

As detailed in my rootless Docker setup guide, this architecture provides pretty good security isolation. However, it has a weak point: when system packages provided by docker-ce-rootless-extras (such as containerd and its shims) are upgraded via apt, the running user-level Docker daemons become outdated. This leads to a version mismatch. When a container is restarted, the old daemon tries to use the new on-disk shim, which causes a fatal error (e.g. unsupported shim version (3): not implemented). The solution is to restart the user's Docker daemon after every critical update, which is a perfect task for automation via Ansible.

Ansible Playbook

This playbook automates the entire update and remediation process. It's designed to be run daily via a cron job, staying silent unless it needs to take action.

The Playbook: apt.yaml

```yaml
---
- hosts: ubuntu, debian
  become: yes
  become_method: sudo
  vars:
    ansible_pipelining: true
    ansible_ssh_common_args: '-o ControlMaster=auto -o ControlPersist=60s'
    # This forces Ansible to use /tmp for its temporary files, avoiding
    # any permission issues when becoming a non-root user.
    ansible_remote_tmp: /tmp
    # critical packages that require a docker restart
    critical_docker_packages:
      - docker-ce
      - ...
```
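The detection step the playbook performs, reduced to plain shell as an added example (this is not the post's playbook): scan apt's "Unpacking" lines for packages in the critical list and, if any changed, build the per-user restart command for the rootless daemon. The critical package list and the apt log lines are constructed samples, since the post's full list is elided above.

```shell
#!/bin/sh
# Assumed critical list (the post's own list is truncated, so this is a guess).
CRITICAL_DOCKER_PACKAGES="docker-ce docker-ce-rootless-extras containerd.io"

# Constructed sample of the lines apt prints while upgrading packages.
SAMPLE_APT_LOG='Unpacking libc6 (2.36-9+deb12u7) over (2.36-9+deb12u6) ...
Unpacking docker-ce-rootless-extras (5:27.3.1-1~debian.12~bookworm) over (5:27.2.0-1~debian.12~bookworm) ...
Setting up libc6 (2.36-9+deb12u7) ...'

# upgraded_critical LOG -> prints the critical package names apt unpacked,
# one per line (empty output when none of them changed).
upgraded_critical() {
  printf '%s\n' "$1" | awk -v crit="$CRITICAL_DOCKER_PACKAGES" '
    BEGIN { n = split(crit, c, " "); for (i = 1; i <= n; i++) want[c[i]] = 1 }
    $1 == "Unpacking" && ($2 in want) { print $2 }'
}

# needs_restart LOG -> exit status 0 if any critical package was upgraded,
# 1 otherwise, so callers can branch on it like the playbook's "when:".
needs_restart() {
  [ -n "$(upgraded_critical "$1")" ]
}

# restart_cmd USER UID -> command that restarts USER's rootless daemon.
# XDG_RUNTIME_DIR must point at the user's runtime dir, otherwise
# "systemctl --user" cannot reach that user's systemd instance.
restart_cmd() {
  printf 'sudo -u %s XDG_RUNTIME_DIR=/run/user/%s systemctl --user restart docker' "$1" "$2"
}

# Demo run over the constructed log; "mastodon"/1001 is a hypothetical service user.
if needs_restart "$SAMPLE_APT_LOG"; then
  echo "critical packages changed: $(upgraded_critical "$SAMPLE_APT_LOG" | tr '\n' ' ')"
  echo "would run: $(restart_cmd mastodon 1001)"
else
  echo "no critical package changed; leaving user daemons alone"
fi
```

In the real playbook the log would come from the registered result of the apt task, and the restart would be issued once per rootless service user rather than echoed.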

First seen: 2025-11-22 06:12

Last seen: 2025-11-22 14:13