Merge "Disable docker's ip-forward when iptables disabled"

ansible/group_vars/all.yml

@@ -105,6 +105,7 @@ docker_client_timeout: 120
 # Docker networking options
 docker_disable_default_iptables_rules: "yes"
 docker_disable_default_network: "{{ docker_disable_default_iptables_rules }}"
+docker_disable_ip_forward: "{{ docker_disable_default_iptables_rules }}"
 
 # Retention settings for Docker logs
 docker_log_max_file: "5"

ansible/roles/baremetal/tasks/post-install.yml

@@ -118,6 +118,20 @@
     docker_config: "{{ docker_config | combine({'bridge': 'none'}) }}"
   when: docker_disable_default_network | bool
 
+- name: Warn about docker ip_forward
+  debug:
+    msg: >-
+      Docker ip_forward will be disabled by default from the
+      Wallaby 12.0.0 release. If you have any non-Kolla containers that need
+      this functionality, you should plan a migration for this change, or set
+      docker_disable_ip_forward to false.
+  when: not docker_disable_ip_forward | bool
+
+- name: Disable docker ip_forward
+  set_fact:
+    docker_config: "{{ docker_config | combine({'ip-forward': false}) }}"
+  when: docker_disable_ip_forward | bool
+
 - name: Merge custom docker config
   set_fact:
     docker_config: "{{ docker_config | combine(docker_custom_config) }}"

releasenotes/notes/docker-disable-ip-forward-b0490b71f9f07cd6.yaml

@@ -0,0 +1,9 @@
+---
+fixes:
+  - |
+    Adds a new flag, ``docker_disable_ip_forward``, which
+    defaults to ``docker_disable_default_iptables_rules`` and is used to
+    disable docker's ``ip-forward`` option which makes docker set
+    ``net.ipv4.ip_forward`` sysctl to ``1``.
+    This is to protect from creating all-forwarding hosts.
+    `LP#1931615 <https://launchpad.net/bugs/1931615>`__