openstack/kolla-ansible
Code Issues Proposed changes

[docker] Added a new flag to disable default iptables rules

Browse Source 
Docker is manipulating iptables rules by default to provide network
isolation, and this might cause problems if the host already has an
iptables-based firewall.

This change introduces docker_disable_default_iptables_rules to
disable the iptables manipulation by putting "iptables: false" [1] to
daemon.json

For better defaults, this feature will be enabled by default in
Victoria.

[1] https://docs.docker.com/network/iptables/

Closes-Bug: #1849275

Change-Id: I165199fc98fb98f227f2a20284e1bab03ef65b5b
This commit is contained in:
Dincer Celik 2019-10-30 10:10:34 +03:00 committed by Mark Goddard
parent 2f91be9f39
commit fc7ce6cabe
3 changed files with 28 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ansible/group_vars/all.yml
View File

@ -99,6 +99,9 @@ docker_runtime_directory: ""
# Docker client timeout in seconds. # Docker client timeout in seconds.
docker_client_timeout: 120 docker_client_timeout: 120
# Docker networking options
docker_disable_default_iptables_rules: "no"
# Retention settings for Docker logs # Retention settings for Docker logs
docker_log_max_file: "5" docker_log_max_file: "5"
docker_log_max_size: "50m" docker_log_max_size: "50m"

13
ansible/roles/baremetal/tasks/post-install.yml
View File

@ -90,6 +90,19 @@
docker_config: "{{ docker_config | combine({'data-root': docker_runtime_directory}) }}" docker_config: "{{ docker_config | combine({'data-root': docker_runtime_directory}) }}"
when: docker_runtime_directory | length > 0 when: docker_runtime_directory | length > 0
- name: Warn about docker default iptables
debug:
msg: >-
Docker default iptables rules will be disabled by default from the Victoria 11.0.0
release. If you have any non-Kolla containers that need this functionality, you should
plan a migration for this change, or set docker_disable_default_iptables_rules to false.
when: not docker_disable_default_iptables_rules | bool
- name: Disable docker default iptables rules
set_fact:
docker_config: "{{ docker_config | combine({'iptables': false}) }}"
when: docker_disable_default_iptables_rules | bool
- name: Merge custom docker config - name: Merge custom docker config
set_fact: set_fact:
docker_config: "{{ docker_config | combine(docker_custom_config) }}" docker_config: "{{ docker_config | combine(docker_custom_config) }}"

12
releasenotes/notes/docker-disable-iptables-e9a248a0515f30a6.yaml Normal file
View File

@ -0,0 +1,12 @@
---
features:
- |
Adds a new flag, ``docker_disable_default_iptables_rules``, which
defaults to ``no``. Docker is manipulating iptables rules by
default to provide network isolation, and this might cause
problems if the host already has an iptables based firewall.
A common problem is that Docker sets the default policy of the
``FORWARD`` chain in the ``filter`` to ``DROP``.
Setting ``docker_disable_default_iptables_rules`` to ``yes``
will disable Docker's iptables manipulation. This feature will be
enabled by default from the Victoria 11.0.0 release.