diff --git a/roles/ensure-docker/tasks/docker-setup.yaml b/roles/ensure-docker/tasks/docker-setup.yaml
index 52c39b2c2..70a884138 100644
--- a/roles/ensure-docker/tasks/docker-setup.yaml
+++ b/roles/ensure-docker/tasks/docker-setup.yaml
@@ -12,17 +12,37 @@
       - "{{ docker_group }}"
     append: yes
 
-- name: Update docker daemon configuration
+- name: Update docker daemon proxy configuration
   when: docker_userland_proxy is defined
-  block:
-    - name: Add proxy config
-      include_role:
-        name: update-json-file
-      vars:
-        update_json_file_name: /etc/docker/daemon.json
-        update_json_file_combine:
-          userland-proxy: "{{ docker_userland_proxy }}"
-        update_json_file_become: true
+  include_role:
+    name: update-json-file
+  vars:
+    update_json_file_name: /etc/docker/daemon.json
+    update_json_file_combine:
+      userland-proxy: "{{ docker_userland_proxy }}"
+    update_json_file_become: true
+
+# Docker defaults to a MTU of 1500, which causes problems when the
+# main interface has a MTU less than that.  Cloud environments often
+# have this, one good example is OpenDev's Linaro ARM64 cloud.
+# https://storyboard.openstack.org/#!/story/2008230
+- name: Lower default MTU
+  when: ansible_default_ipv4.mtu < 1500
+  include_role:
+    name: update-json-file
+  vars:
+    update_json_file_name: /etc/docker/daemon.json
+    update_json_file_combine:
+      mtu: 1400
+    update_json_file_become: true
+
+- name: Restart docker
+  when: >-
+      (docker_userland_proxy is defined) or
+      (ansible_default_ipv4.mtu < 1500)
+  service:
+    name: docker
+    state: restarted
 
 - name: Reset ssh connection to pick up docker group
   meta: reset_connection
diff --git a/test-playbooks/ensure-docker.yaml b/test-playbooks/ensure-docker.yaml
index 73f408a94..d43345716 100644
--- a/test-playbooks/ensure-docker.yaml
+++ b/test-playbooks/ensure-docker.yaml
@@ -13,18 +13,7 @@
       command: |
         docker run --rm --network=host curlimages/curl:latest --no-progress-meter https://httpbin.org/get
 
-    # Two task approach that ignores known partial failures on specific plaforms:
-    # https://storyboard.openstack.org/#!/story/2008215
-    - name: Validate docker default network containers have internet access
+    - name: Validate docker default bridge networking containers have internet access
       command: |
         docker run --rm curlimages/curl:latest --no-progress-meter https://httpbin.org/get
-      register: result
-      ignore_errors: true
 
-    - name: Fail if bug found on unknown platform
-      when:
-        - result.rc != 0
-        - ansible_distribution_release not in ['bionic', 'focal']
-        - ansible_architecture != 'aarch64'
-      fail:
-        msg: Bug 2008215 regression detected