baremetal: Don't start Docker after install on Debian/Ubuntu

docker-ce on Debian/Ubuntu gets started just after installation, before baremetal role configures daemon.json - which results in iptables rules being implemented - but not removed on docker engine restart. Closes-Bug: #1923203 Change-Id: Ib1faa092e0b8f0668d1752490a34d0c2165d58d2
2021-04-23 12:41:43 +02:00 · 2021-04-23 12:41:43 +02:00 · bc96179195
commit bc96179195
parent 058dd6828d
3 changed files with 34 additions and 4 deletions
--- a/ansible/roles/baremetal/tasks/install.yml
+++ b/ansible/roles/baremetal/tasks/install.yml
@ -46,6 +46,26 @@
  changed_when: false
  register: running_containers

+# APT starts Docker engine right after installation, which creates
+# iptables rules before we disable iptables in Docker config
+
+- name: Check if docker systemd unit exists
+  stat:
+    path: /etc/systemd/system/docker.service
+  register: docker_unit_file
+
+- name: Mask the docker systemd unit on Debian/Ubuntu
+  file:
+    src: /dev/null
+    dest: /etc/systemd/system/docker.service
+    owner: root
+    group: root
+    state: link
+  become: true
+  when:
+    - ansible_os_family == 'Debian'
+    - not docker_unit_file.stat.exists
+
 - name: Install apt packages
  package:
    name: "{{ (debian_pkg_install | join(' ')).split() }}"
@ -78,10 +98,11 @@
    # At some point (at least on CentOS 7) Docker CE stopped starting
    # automatically after an upgrade from legacy docker . Start it manually.
    - name: Start docker
-      service:
+      systemd:
        name: docker
        state: started
        enabled: yes
+        masked: no
      become: True

    - name: Wait for Docker to start
--- a/ansible/roles/baremetal/tasks/post-install.yml
+++ b/ansible/roles/baremetal/tasks/post-install.yml
@ -224,22 +224,25 @@
  when: create_kolla_user | bool

 - name: Start docker
-  service:
+  systemd:
    name: docker
    state: started
+    masked: no
  become: True

 - name: Restart docker
-  service:
+  systemd:
    name: docker
    state: restarted
+    masked: no
  become: True
  when: docker_configured.changed or docker_reloaded.changed

 - name: Enable docker
-  service:
+  systemd:
    name: docker
    enabled: yes
+    masked: no
  become: True

 - name: Stop time service
--- a/releasenotes/notes/bug-1923203-f9ff247befc4bd75.yaml
+++ b/releasenotes/notes/bug-1923203-f9ff247befc4bd75.yaml
@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Fixed an issue when Docker was configured after startup on Debian/Ubuntu,
+    which resulted in iptables rules being created - before they were disabled.
+    `LP#1923203 <https://launchpad.net/bugs/1923203>`__