From aec027c435b8cbaaa22ecebf36c1b79764c01bc7 Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Mon, 14 Sep 2020 14:38:16 +0100
Subject: [PATCH] Disable Docker iptables and bridge networking by default
In I165199fc98fb98f227f2a20284e1bab03ef65b5b and Ic745300b27e50132d80d03787fa4abfada2d0173 we provided flags to disable Docker's control of iptables and bridge networking respectively. The original behaviour was maintained for backwards compatibility, to allow the patches to be backported. This patch changes the default behaviour to disable the manipulation of iptables and disabling bridge networking.
Related-Bug: #1849275
Related-Bug: #1848249
Change-Id: I4e8206f13a847ff79e06c36d22068597458b6c3d
---
 ansible/group_vars/all.yml | 2 +-
 .../disable-docker-iptables-bridge-493feb35cba4c405.yaml | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/disable-docker-iptables-bridge-493feb35cba4c405.yaml
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 1b23b6416b..fac4d01907 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -103,7 +103,7 @@ docker_runtime_directory: ""
 docker_client_timeout: 120
 
 # Docker networking options
-docker_disable_default_iptables_rules: "no"
+docker_disable_default_iptables_rules: "yes"
 docker_disable_default_network: "{{ docker_disable_default_iptables_rules }}"
 
 # Retention settings for Docker logs
diff --git a/releasenotes/notes/disable-docker-iptables-bridge-493feb35cba4c405.yaml b/releasenotes/notes/disable-docker-iptables-bridge-493feb35cba4c405.yaml
new file mode 100644
index 0000000000..fc3a909835
--- /dev/null
+++ b/releasenotes/notes/disable-docker-iptables-bridge-493feb35cba4c405.yaml
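Review bot: The new default `docker_disable_default_iptables_rules: "yes"` is a quoted string, so any consumer that tests it, or `docker_disable_default_network` which inherits it on the next line, in a `when:` without `| bool` sees a non-empty string and treats both `"yes"` and `"no"` as true; the consumers are outside this hunk, so this is worth confirming. A boolean default, `docker_disable_default_iptables_rules: true`, would remove that hazard and should stay compatible with operators who set `yes`/`no`, since Ansible's `bool` filter accepts either form. Because Docker will no longer install its `FORWARD` `DROP` policy on these hosts, a comment above the variable stating that forwarding between interfaces is now governed only by the deployment's own firewall rules would help operators reviewing this default, e.g. `# Docker no longer manages iptables; host firewall rules must cover forwarding.`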
@@ -0,0 +1,9 @@
+---
+upgrade:
+ - |
+ Docker iptables manipulation and bridge networking are now disabled by
+ default. This avoids problems that may be caused by Docker settings the
+ default policy of the ``FORWARD`` chain in the ``filter`` table to
+ ``DROP``. To revert to the previous behaviour, set
+ ``docker_disable_default_iptables_rules`` to ``no``. This sets the default
+ of ``docker_disable_default_network``.