From fc7ce6cabe3c1379cd6871a699862cf89b727b75 Mon Sep 17 00:00:00 2001
From: Dincer Celik
Date: Wed, 30 Oct 2019 10:10:34 +0300
Subject: [PATCH] [docker] Added a new flag to disable default iptables rules

Docker is manipulating iptables rules by default to provide network isolation, and this might cause problems if the host already has an iptables-based firewall. This change introduces docker_disable_default_iptables_rules to disable the iptables manipulation by putting "iptables: false" [1] to daemon.json

For better defaults, this feature will be enabled by default in Victoria.

[1] https://docs.docker.com/network/iptables/

Closes-Bug: #1849275
Change-Id: I165199fc98fb98f227f2a20284e1bab03ef65b5b
---
 ansible/group_vars/all.yml | 3 +++
 ansible/roles/baremetal/tasks/post-install.yml | 13 +++++++++++++
 .../docker-disable-iptables-e9a248a0515f30a6.yaml | 12 ++++++++++++
 3 files changed, 28 insertions(+)
 create mode 100644 releasenotes/notes/docker-disable-iptables-e9a248a0515f30a6.yaml

diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 9c4a3b3b9a..5c74fb275e 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -99,6 +99,9 @@ docker_runtime_directory: ""
 # Docker client timeout in seconds.
 docker_client_timeout: 120
 
+# Docker networking options
+docker_disable_default_iptables_rules: "no"
+
 # Retention settings for Docker logs
 docker_log_max_file: "5"
 docker_log_max_size: "50m"
diff --git a/ansible/roles/baremetal/tasks/post-install.yml b/ansible/roles/baremetal/tasks/post-install.yml
index 2616a97344..5fdc471b0e 100644
--- a/ansible/roles/baremetal/tasks/post-install.yml
+++ b/ansible/roles/baremetal/tasks/post-install.yml
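Review bot: The new `docker_disable_default_iptables_rules` default is the quoted string `"no"`, which only works because every consumer applies `| bool`, and the one-line comment `# Docker networking options` tells an operator nothing about what flipping it writes or takes away. Suggest documenting it inline, e.g. `# When true, writes "iptables": false to daemon.json so Docker stops managing iptables (FORWARD policy, container network isolation); presumably the host firewall then has to cover container traffic. Becomes the default in Victoria.` A real boolean default (`false`) would also read consistently with the debug message in post-install.yml, which asks operators to set the flag "to false", while the release note speaks in terms of ``yes``/``no``.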
@@ -90,6 +90,19 @@
     docker_config: "{{ docker_config | combine({'data-root': docker_runtime_directory}) }}"
   when: docker_runtime_directory | length > 0
 
+- name: Warn about docker default iptables
+  debug:
+    msg: >-
+      Docker default iptables rules will be disabled by default from the Victoria 11.0.0
+      release. If you have any non-Kolla containers that need this functionality, you should
+      plan a migration for this change, or set docker_disable_default_iptables_rules to false.
+  when: not docker_disable_default_iptables_rules | bool
+
+- name: Disable docker default iptables rules
+  set_fact:
+    docker_config: "{{ docker_config | combine({'iptables': false}) }}"
+  when: docker_disable_default_iptables_rules | bool
+
 - name: Merge custom docker config
   set_fact:
     docker_config: "{{ docker_config | combine(docker_custom_config) }}"
diff --git a/releasenotes/notes/docker-disable-iptables-e9a248a0515f30a6.yaml b/releasenotes/notes/docker-disable-iptables-e9a248a0515f30a6.yaml
new file mode 100644
index 0000000000..9c2bb93526
--- /dev/null
+++ b/releasenotes/notes/docker-disable-iptables-e9a248a0515f30a6.yaml
@@ -0,0 +1,12 @@
+---
+features:
+  - |
+    Adds a new flag, ``docker_disable_default_iptables_rules``, which
+    defaults to ``no``. Docker is manipulating iptables rules by
+    default to provide network isolation, and this might cause
+    problems if the host already has an iptables based firewall.
+    A common problem is that Docker sets the default policy of the
+    ``FORWARD`` chain in the ``filter`` to ``DROP``.
+    Setting ``docker_disable_default_iptables_rules`` to ``yes``
+    will disable Docker's iptables manipulation. This feature will be
+    enabled by default from the Victoria 11.0.0 release.
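Review bot: The "Warn about docker default iptables" task fires on every run whenever the flag evaluates false, so an operator who follows its own advice and sets `docker_disable_default_iptables_rules: false` explicitly still gets the same message on every deploy; because the default lives in group_vars, the `when` cannot tell an explicit choice from the default. If a one-time deprecation notice is the intent, consider gating it on a separate opt-out, or at least say so in the text: `... or set docker_disable_default_iptables_rules to false explicitly to keep the current behaviour (this notice is shown until Victoria).` The message also says "to false" while the variable default and the release note use `"no"`/``yes``; one vocabulary would avoid confusion. The ordering is right, since the disable task runs before "Merge custom docker config" and `docker_custom_config` can still override `iptables`, but that is worth a comment on the task: `# Runs before the custom-config merge so docker_custom_config can override 'iptables'.`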