From bc96179195de171a693b83405a472dddda596bff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Nasiadka?=
Date: Fri, 23 Apr 2021 12:41:43 +0200
Subject: [PATCH] baremetal: Don't start Docker after install on Debian/Ubuntu

docker-ce on Debian/Ubuntu gets started just after installation, before baremetal role configures daemon.json - which results in iptables rules being implemented - but not removed on docker engine restart.

Closes-Bug: #1923203
Change-Id: Ib1faa092e0b8f0668d1752490a34d0c2165d58d2
---
 ansible/roles/baremetal/tasks/install.yml | 23 ++++++++++++++++++-
 .../roles/baremetal/tasks/post-install.yml | 9 +++++---
 .../notes/bug-1923203-f9ff247befc4bd75.yaml | 6 +++++
 3 files changed, 34 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/bug-1923203-f9ff247befc4bd75.yaml
diff --git a/ansible/roles/baremetal/tasks/install.yml b/ansible/roles/baremetal/tasks/install.yml
index e2fbf91618..3a2e70dc6b 100644
--- a/ansible/roles/baremetal/tasks/install.yml
+++ b/ansible/roles/baremetal/tasks/install.yml
@@ -46,6 +46,26 @@ changed_when: false register: running_containers +# APT starts Docker engine right after installation, which creates +# iptables rules before we disable iptables in Docker config + +- name: Check if docker systemd unit exists + stat: + path: /etc/systemd/system/docker.service + register: docker_unit_file + +- name: Mask the docker systemd unit on Debian/Ubuntu + file: + src: /dev/null + dest: /etc/systemd/system/docker.service + owner: root + group: root + state: link + become: true + when: + - ansible_os_family == 'Debian' + - not docker_unit_file.stat.exists + - name: Install apt packages package: name: "{{ (debian_pkg_install | join(' ')).split() }}"
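Review bot: The conditions on `Mask the docker systemd unit on Debian/Ubuntu` only test for a file at `/etc/systemd/system/docker.service`, so a Debian/Ubuntu host that already runs Docker from a unit installed elsewhere (presumably the package's own unit directory) gets masked on every run too, not just on first install. If any task between this one and a later `masked: no` task fails, the `/dev/null` link stays in place and Docker will not come back after a reboot. Limiting the mask to hosts where Docker is not yet installed, or removing the link in a `rescue`, would close that window; the comment above the tasks should at least say where the mask is lifted, for example `# The mask is removed again by the 'Start docker' tasks (masked: no)`. The stat task also has no `when: ansible_os_family == 'Debian'`, unlike the task that consumes its result.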
@@ -78,10 +98,11 @@ # At some point (at least on CentOS 7) Docker CE stopped starting # automatically after an upgrade from legacy docker . Start it manually. - name: Start docker - service: + systemd: name: docker state: started enabled: yes + masked: no become: True - name: Wait for Docker to start
diff --git a/ansible/roles/baremetal/tasks/post-install.yml b/ansible/roles/baremetal/tasks/post-install.yml
index d646c0139c..c706ec4e70 100644
--- a/ansible/roles/baremetal/tasks/post-install.yml
+++ b/ansible/roles/baremetal/tasks/post-install.yml
@@ -224,22 +224,25 @@ when: create_kolla_user | bool - name: Start docker - service: + systemd: name: docker state: started + masked: no become: True - name: Restart docker - service: + systemd: name: docker state: restarted + masked: no become: True when: docker_configured.changed or docker_reloaded.changed - name: Enable docker - service: + systemd: name: docker enabled: yes + masked: no become: True - name: Stop time service
diff --git a/releasenotes/notes/bug-1923203-f9ff247befc4bd75.yaml b/releasenotes/notes/bug-1923203-f9ff247befc4bd75.yaml
new file mode 100644
index 0000000000..6073ed7b15
--- /dev/null
+++ b/releasenotes/notes/bug-1923203-f9ff247befc4bd75.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Fixed an issue when Docker was configured after startup on Debian/Ubuntu,
+ which resulted in iptables rules being created - before they were disabled.
+ `LP#1923203 `__
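Review bot: In install.yml (hunk at -78,10), the comment above `Start docker` still describes only the CentOS 7 upgrade case, although the added `masked: no` makes this task one of the places where the Debian/Ubuntu mask is lifted. If the task can run on a freshly installed Debian/Ubuntu host, it would start Docker before post-install.yml writes daemon.json, which is the condition the commit sets out to avoid. No `when` is visible in the hunk and the enclosing block may begin and end outside it, so this needs checking against the full file. A line such as `# masked: no also clears the pre-install mask set on Debian/Ubuntu` next to the existing comment would record the dependency.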
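Review bot: In post-install.yml, nothing marks `masked: no` on `Start docker` as the step that lifts the `/dev/null` mask, or says that it must stay after the task that writes daemon.json for the iptables setting to apply on the first start. A comment above the task, for example `# Unmask only after daemon.json is written, so the first start honours the iptables setting`, would protect that ordering against later reshuffling. The same key on `Restart docker` and `Enable docker` looks redundant once the first task has run, though it is harmless. The daemon.json task and the `docker_configured`/`docker_reloaded` registers are outside the hunk, so the ordering is inferred from the commit message.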