Docker is configured after startup on Debian/Ubuntu

Bug #1923203 reported by Mark Goddard
Affects: kolla-ansible; Status: Fix Released; Importance: Medium; Assigned to: Michal Nasiadka

Bug Description

On Debian/Ubuntu, in contrast to RHEL-based distros, it is typical for services to be started automatically following package installation. This means that when the docker-ce package is installed, the Docker daemon starts with vanilla configuration. We may then update the configuration, and trigger a restart of the daemon.

This can cause issues with some actions that are not 'undone' when disabled. An example is iptables management. If iptables management is disabled (default in Wallaby), then the rules may be left in place. For example:

# Generated by iptables-save v1.8.4 on Fri Apr 9 14:09:44 2021
*raw
:PREROUTING ACCEPT [126610:13442043]
:OUTPUT ACCEPT [116077:14962578]
COMMIT
# Completed on Fri Apr 9 14:09:44 2021
# Generated by iptables-save v1.8.4 on Fri Apr 9 14:09:44 2021
*nat
:PREROUTING ACCEPT [9058:398640]
:INPUT ACCEPT [7:420]
:OUTPUT ACCEPT [780:53695]
:POSTROUTING ACCEPT [780:53695]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Fri Apr 9 14:09:44 2021
# Generated by iptables-save v1.8.4 on Fri Apr 9 14:09:44 2021
*filter
:INPUT ACCEPT [161876:1105450156]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [145751:17413184]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT

The typically problematic rule here is this one:

*filter
:FORWARD DROP [0:0]
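An added defender-side audit, not code from the bug report or from kolla-ansible: it reads iptables-save output on stdin and reports the Docker-installed chains, the docker0 MASQUERADE rule and the FORWARD DROP policy shown above, so a host can be checked after daemon.json has disabled iptables management. The sample dump, the function names and the daemon.json pattern are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from kolla-ansible.
# Finds rules and chains that dockerd installs when started with its default
# configuration, which a restart with "iptables": false does not remove.

# Constructed dump reproducing the residue shown in the bug report.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
COMMIT'

# Usage: iptables-save | docker_iptables_residue
# Prints one finding per line; exits 1 if anything was found, 0 if clean.
docker_iptables_residue() {
    awk '
        /^\*/            { table = substr($0, 2) }
        /^:DOCKER/       { print table ": leftover chain " substr($1, 2); found = 1 }
        /^:FORWARD DROP/ { print table ": FORWARD policy is DROP"; found = 1 }
        /-j MASQUERADE/ && /docker0/ {
                           print table ": docker0 MASQUERADE rule present"; found = 1 }
        END              { exit (found ? 1 : 0) }
    '
}

# Usage: daemon_disables_iptables /etc/docker/daemon.json
# Succeeds when daemon.json carries "iptables": false (the Wallaby default);
# residue found while this holds is the condition the bug describes.
daemon_disables_iptables() {
    grep -Eq '"iptables"[[:space:]]*:[[:space:]]*false' "$1"
}

# Number of findings in the constructed sample dump.
sample_finding_count() {
    printf '%s\n' "$SAMPLE_DUMP" | docker_iptables_residue | wc -l | tr -d ' '
}
```

Run it on a live host as `iptables-save | docker_iptables_residue` and pair it with `daemon_disables_iptables /etc/docker/daemon.json`; both succeeding together means the rules were left behind by a pre-configuration start.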

Mark Goddard (mgoddard)
Changed in kolla-ansible:
importance: Undecided → Medium
Changed in kolla-ansible:
status: New → In Progress
Changed in kolla-ansible:
assignee: nobody → Michal Nasiadka (mnasiadka)
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/787701
Committed: https://opendev.org/openstack/kolla-ansible/commit/bc96179195de171a693b83405a472dddda596bff
Submitter: "Zuul (22348)"
Branch: master

commit bc96179195de171a693b83405a472dddda596bff
Author: Michał Nasiadka <email address hidden>
Date: Fri Apr 23 12:41:43 2021 +0200

    baremetal: Don't start Docker after install on Debian/Ubuntu

    docker-ce on Debian/Ubuntu gets started just after installation, before
    baremetal role configures daemon.json - which results in iptables rules
    being implemented - but not removed on docker engine restart.

    Closes-Bug: #1923203

    Change-Id: Ib1faa092e0b8f0668d1752490a34d0c2165d58d2

Changed in kolla-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/791115

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/791456

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/791115
Committed: https://opendev.org/openstack/kolla-ansible/commit/3a661b7ad16778f22eb2b82890b1bcb97c546696
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 3a661b7ad16778f22eb2b82890b1bcb97c546696
Author: Michał Nasiadka <email address hidden>
Date: Fri Apr 23 12:41:43 2021 +0200

    baremetal: Don't start Docker after install on Debian/Ubuntu

    docker-ce on Debian/Ubuntu gets started just after installation, before
    baremetal role configures daemon.json - which results in iptables rules
    being implemented - but not removed on docker engine restart.

    Closes-Bug: #1923203

    Change-Id: Ib1faa092e0b8f0668d1752490a34d0c2165d58d2
    (cherry picked from commit bc96179195de171a693b83405a472dddda596bff)

tags: added: in-stable-wallaby
tags: added: in-stable-victoria
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/791456
Committed: https://opendev.org/openstack/kolla-ansible/commit/34fb2c890e567626341a0d94d45c2f09bb4fca7e
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit 34fb2c890e567626341a0d94d45c2f09bb4fca7e
Author: Michał Nasiadka <email address hidden>
Date: Fri Apr 23 12:41:43 2021 +0200

    baremetal: Don't start Docker after install on Debian/Ubuntu

    docker-ce on Debian/Ubuntu gets started just after installation, before
    baremetal role configures daemon.json - which results in iptables rules
    being implemented - but not removed on docker engine restart.

    Closes-Bug: #1923203

    Change-Id: Ib1faa092e0b8f0668d1752490a34d0c2165d58d2
    (cherry picked from commit bc96179195de171a693b83405a472dddda596bff)

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/791581

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/791582

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/791581
Committed: https://opendev.org/openstack/kolla-ansible/commit/f20b54c7bc725aefd0b1977da5e3576b374d60b5
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit f20b54c7bc725aefd0b1977da5e3576b374d60b5
Author: Michał Nasiadka <email address hidden>
Date: Fri Apr 23 12:41:43 2021 +0200

    baremetal: Don't start Docker after install on Debian/Ubuntu

    docker-ce on Debian/Ubuntu gets started just after installation, before
    baremetal role configures daemon.json - which results in iptables rules
    being implemented - but not removed on docker engine restart.

    Closes-Bug: #1923203

    Change-Id: Ib1faa092e0b8f0668d1752490a34d0c2165d58d2
    (cherry picked from commit bc96179195de171a693b83405a472dddda596bff)

tags: added: in-stable-ussuri
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 12.0.0.0rc2

This issue was fixed in the openstack/kolla-ansible 12.0.0.0rc2 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/train)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/791582
Committed: https://opendev.org/openstack/kolla-ansible/commit/b882000e4a385a0ce8948efcdd119ef895b799a6
Submitter: "Zuul (22348)"
Branch: stable/train

commit b882000e4a385a0ce8948efcdd119ef895b799a6
Author: Michał Nasiadka <email address hidden>
Date: Fri Apr 23 12:41:43 2021 +0200

    baremetal: Don't start Docker after install on Debian/Ubuntu

    docker-ce on Debian/Ubuntu gets started just after installation, before
    baremetal role configures daemon.json - which results in iptables rules
    being implemented - but not removed on docker engine restart.

    Closes-Bug: #1923203

    Change-Id: Ib1faa092e0b8f0668d1752490a34d0c2165d58d2
    (cherry picked from commit bc96179195de171a693b83405a472dddda596bff)

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 11.1.0

This issue was fixed in the openstack/kolla-ansible 11.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 10.3.0

This issue was fixed in the openstack/kolla-ansible 10.3.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 13.0.0.0rc1

This issue was fixed in the openstack/kolla-ansible 13.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible train-eol

This issue was fixed in the openstack/kolla-ansible train-eol release.
