diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index e0232769f7..9a5684433d 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -105,6 +105,7 @@ docker_client_timeout: 120
 # Docker networking options
 docker_disable_default_iptables_rules: "yes"
 docker_disable_default_network: "{{ docker_disable_default_iptables_rules }}"
+docker_disable_ip_forward: "{{ docker_disable_default_iptables_rules }}"
 # Retention settings for Docker logs
 docker_log_max_file: "5"
diff --git a/ansible/roles/baremetal/tasks/post-install.yml b/ansible/roles/baremetal/tasks/post-install.yml
index 3d1123ba86..3061ad3e96 100644
--- a/ansible/roles/baremetal/tasks/post-install.yml
+++ b/ansible/roles/baremetal/tasks/post-install.yml
@@ -118,6 +118,20 @@
 docker_config: "{{ docker_config | combine({'bridge': 'none'}) }}"
 when: docker_disable_default_network | bool
+- name: Warn about docker ip_forward
+ debug:
+ msg: >-
+ Docker ip_forward will be disabled by default from the
+ Wallaby 12.0.0 release. If you have any non-Kolla containers that need
+ this functionality, you should plan a migration for this change, or set
+ docker_disable_ip_forward to false.
+ when: not docker_disable_ip_forward | bool
+
+- name: Disable docker ip_forward
+ set_fact:
+ docker_config: "{{ docker_config | combine({'ip-forward': false}) }}"
+ when: docker_disable_ip_forward | bool
+
 - name: Merge custom docker config
 set_fact:
 docker_config: "{{ docker_config | combine(docker_custom_config) }}"
diff --git a/releasenotes/notes/docker-disable-ip-forward-b0490b71f9f07cd6.yaml b/releasenotes/notes/docker-disable-ip-forward-b0490b71f9f07cd6.yaml
new file mode 100644
index 0000000000..48c8823a23
--- /dev/null
+++ b/releasenotes/notes/docker-disable-ip-forward-b0490b71f9f07cd6.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+ - |
+ Adds a new flag, ``docker_disable_ip_forward``, which
+ defaults to ``docker_disable_default_iptables_rules`` and is used to
+ disable docker's ``ip-forward`` option which makes docker set
+ ``net.ipv4.ip_forward`` sysctl to ``1``.
+ This is to protect from creating all-forwarding hosts.
+ `LP#1931615 `__
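Review bot: The new `docker_disable_ip_forward` line in the "Docker networking options" stanza has no comment saying what it controls, so its meaning is only recoverable from the release note rather than from group_vars where operators actually set it. Because it defaults to `docker_disable_default_iptables_rules`, an operator who later sets that variable to "no" to get Docker's iptables rules back also silently re-enables Docker's `ip-forward` handling; a comment above the line would make that coupling visible, e.g. `# Stop Docker from setting net.ipv4.ip_forward=1; follows docker_disable_default_iptables_rules unless set explicitly.` The quoted "yes" string matches the neighbouring variables, which the tasks hunk evaluates with `| bool`, so the value form itself is consistent.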
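Review bot: The "Disable docker ip_forward" task sets `ip-forward: false` in the daemon config, which only stops Docker from turning `net.ipv4.ip_forward` on; as far as I can tell from Docker's documented behaviour it does not reset the sysctl to 0, so a host that ran Docker before this change keeps forwarding until the sysctl is changed or the host reboots. The task name and the release note read as if forwarding is switched off, so a comment on the task, `# Only prevents Docker from enabling net.ipv4.ip_forward; an already-enabled sysctl is left as is.`, would stop operators assuming the host is protected immediately after the change. Separately, the warning task fires `when: not docker_disable_ip_forward | bool`, so its advice "or set docker_disable_ip_forward to false" describes a state the operator is already in; if the intended audience is deployments that keep `docker_disable_default_iptables_rules` at "no", the message should name that variable instead. The tasks list continues outside the hunk on both sides.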