diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 9c4a3b3b9a..5c74fb275e 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -99,6 +99,9 @@ docker_runtime_directory: ""
 # Docker client timeout in seconds.
 docker_client_timeout: 120
+# Docker networking options
+docker_disable_default_iptables_rules: "no"
+
 # Retention settings for Docker logs
 docker_log_max_file: "5"
 docker_log_max_size: "50m"
diff --git a/ansible/roles/baremetal/tasks/post-install.yml b/ansible/roles/baremetal/tasks/post-install.yml
index 2616a97344..5fdc471b0e 100644
--- a/ansible/roles/baremetal/tasks/post-install.yml
+++ b/ansible/roles/baremetal/tasks/post-install.yml
@@ -90,6 +90,19 @@
 docker_config: "{{ docker_config | combine({'data-root': docker_runtime_directory}) }}"
 when: docker_runtime_directory | length > 0
+- name: Warn about docker default iptables
+ debug:
+ msg: >-
+ Docker default iptables rules will be disabled by default from the Victoria 11.0.0
+ release. If you have any non-Kolla containers that need this functionality, you should
+ plan a migration for this change, or set docker_disable_default_iptables_rules to false.
+ when: not docker_disable_default_iptables_rules | bool
+
+- name: Disable docker default iptables rules
+ set_fact:
+ docker_config: "{{ docker_config | combine({'iptables': false}) }}"
+ when: docker_disable_default_iptables_rules | bool
+
 - name: Merge custom docker config
 set_fact:
 docker_config: "{{ docker_config | combine(docker_custom_config) }}"
diff --git a/releasenotes/notes/docker-disable-iptables-e9a248a0515f30a6.yaml b/releasenotes/notes/docker-disable-iptables-e9a248a0515f30a6.yaml
new file mode 100644
index 0000000000..9c2bb93526
--- /dev/null
+++ b/releasenotes/notes/docker-disable-iptables-e9a248a0515f30a6.yaml
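Review bot: The added comment `# Docker networking options` above `docker_disable_default_iptables_rules: "no"` does not say what the flag does or what it costs, and this is the only place an operator editing group_vars will look. The post-install.yml hunk shows that enabling it merges `'iptables': false` into docker_config, and the release note states that Docker's rules exist to provide network isolation, so turning the flag on moves that responsibility to the host firewall for any container that is not on the host network. Suggest replacing the comment with `# Set to "yes" to stop Docker managing iptables rules ('iptables': false in docker_config); the host firewall` and `# must then cover any non-host-network containers. Planned to default to "yes" from Victoria 11.0.0.`. Keeping the value as the quoted string `"no"` is consistent with the other quoted scalars in this hunk and is safe because the consumers run it through `| bool`.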
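Review bot: The `Warn about docker default iptables` task fires on every run whenever the flag evaluates false, including for an operator who has done exactly what the message recommends and explicitly pinned `docker_disable_default_iptables_rules` to false, so the notice cannot be silenced by following its own advice. Unless the default is dropped from group_vars in favour of a `when: docker_disable_default_iptables_rules is not defined` guard, the message should say that it will keep appearing until the default changes in Victoria 11.0.0. The message also writes `false` while the group_vars default in the first hunk is the string `"no"`; both pass `| bool`, but `or set docker_disable_default_iptables_rules to "no".` keeps the wording aligned with how the variable is documented. The new set_fact merging `{'iptables': false}` runs before `Merge custom docker config`, so an `iptables` key in docker_custom_config still wins; that looks intended and deserves a comment such as `# docker_custom_config is merged afterwards and can override this.` above the task.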
@@ -0,0 +1,12 @@
+---
+features:
+ - |
+ Adds a new flag, ``docker_disable_default_iptables_rules``, which
+ defaults to ``no``. Docker is manipulating iptables rules by
+ default to provide network isolation, and this might cause
+ problems if the host already has an iptables based firewall.
+ A common problem is that Docker sets the default policy of the
+ ``FORWARD`` chain in the ``filter`` to ``DROP``.
+ Setting ``docker_disable_default_iptables_rules`` to ``yes``
+ will disable Docker's iptables manipulation. This feature will be
+ enabled by default from the Victoria 11.0.0 release.